Windows Analysis Report
8082-x64.dll.dll

Overview

General Information

Sample Name: 8082-x64.dll.dll
Analysis ID: 780203
MD5: 43616639411a590f022505998a6f567e
SHA1: 416932059dc3488000b171beeac258fc792d4c71
SHA256: 6a289f491c8d5d789e31e89c73ba06ef6fc075458a1106b7213b29da798f6c03
Tags: 45139105143exeopendir

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
C2 URLs / IPs found in malware configuration
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Yara signature match
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
PE file contains more sections than normal
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

  • System is w10x64
  • loaddll64.exe (PID: 3648 cmdline: loaddll64.exe "C:\Users\user\Desktop\8082-x64.dll.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6104 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 4848 cmdline: rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 3480 cmdline: regsvr32.exe /s C:\Users\user\Desktop\8082-x64.dll.dll MD5: D78B75FC68247E8A63ACBA846182740E)
    • rundll32.exe (PID: 1304 cmdline: rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllGetClassObject MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1004 cmdline: rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllMain MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4532 cmdline: rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
{"BeaconType": ["HTTP"], "Port": 8082, "SleepTime": 38500, "MaxGetSize": 1399607, "Jitter": 27, "C2Server": "20.104.209.69,/broadcast", "HttpPostUri": "/1/events/com.amazon.csm.csa.prod", "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"], "SpawnTo": "16nKFaB/gr/TtjAg2jiqFg==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1670873463, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16700, "ProcInject_PrependAppend_x86": ["kJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQ", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": ""}
Source | Rule | Description | Author | Strings
8082-x64.dll.dll | CobaltStrike_Resources_Artifact64_v3_14_to_v4_x | Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x | gssincla@google.com
  • 0xa25:$fmtBuilder: 41 B8 5C 00 00 00 C7 44 24 50 5C 00 00 00 C7 44 24 48 65 00 00 00 C7 44 24 40 70 00 00 00 C7 44 24 38 69 00 00 00 C7 44 24 30 70 00 00 00 C7 44 24 28 5C 00 00 00 C7 44 24 20 2E 00 00 00 89 54 ...
  • 0x44a00:$fmtString: %c%c%c%c%c%c%c%c%cMSSE-%d-server
8082-x64.dll.dll | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security
Source | Rule | Description | Author | Strings
00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp | SUSP_PS1_FromBase64String_Content_Indicator | Detects suspicious base64 encoded PowerShell expressions | Florian Roth
  • 0x7498:$: ::FromBase64String("H4s
  • 0x7498:$: ::FromBase64String("H4sIA
00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp | CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x | Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x | gssincla@google.com
  • 0x7470:$ps1: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(
  • 0x30379:$ps2: ));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp | CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 | Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6 | gssincla@google.com
  • 0x16ce5:$core_sig: C6 44 24 48 56 C6 44 24 49 69 C6 44 24 4A 72 C6 44 24 4B 74 C6 44 24 4C 75 C6 44 24 4D 61 C6 44 24 4E 6C C6 44 24 4F 41 C6 44 24 50 6C C6 44 24 51 6C C6 44 24 52 6F C6 44 24 53 63 C6 44 24 54 ...
  • 0x16755:$deobfuscator: 8B 04 24 FF C0 89 04 24 8B 44 24 28 39 04 24 73 20 8B 04 24 0F B6 4C 24 30 48 8B 54 24 20 0F BE 04 02 33 C1 8B 0C 24 48 8B 54 24 20 88 04 0A
00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp | Cobaltbaltstrike_Beacon_x64 | Detects CobaltStrike payloads | Avast Threat Intel Team
  • 0x3:$h01: 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D EA FF FF FF 48 89
  • 0x3b633:$h13: 2E 2F 2E 2F 2E 2C 2E 2E 2E 2C 2E 2F 2E 2C 31 BC 2E
00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp | CobaltStrike_C2_Encoded_XOR_Config_Indicator | Detects CobaltStrike C2 encoded profile configuration | yara@s3c.za.net
  • 0x3b633:$s046: 2E 2F 2E 2F 2E 2C 2E 2E 2E 2C 2E 2F 2E 2C 31 BC 2E 2D 2E 2C 2E 2A 2E 2E B8 4A 2E 2A 2E 2C 2E 2A 2E 3B 75 19 2E 2B 2E 2F 2E 2C 2E 35
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 8082-x64.dll.dll | Avira: detected
Source: 8082-x64.dll.dll | ReversingLabs: Detection: 78%
Source: 8082-x64.dll.dll | Virustotal: Detection: 63%
Source: 8082-x64.dll.dll | Joe Sandbox ML: detected
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 8082, "SleepTime": 38500, "MaxGetSize": 1399607, "Jitter": 27, "C2Server": "20.104.209.69,/broadcast", "HttpPostUri": "/1/events/com.amazon.csm.csa.prod", "Malleable_C2_Instructions": ["Remove 1308 bytes from the end", "Remove 1 bytes from the end", "Remove 194 bytes from the beginning", "Base64 decode"], "SpawnTo": "16nKFaB/gr/TtjAg2jiqFg==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 1670873463, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16700, "ProcInject_PrependAppend_x86": ["kJCQ", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQ", "Empty"], "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": ""}

Networking

Source: Malware configuration extractor | URLs: 20.104.209.69
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 8082
Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 8082
Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 8082
Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49701
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 8082
Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 8082
Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49709
Source: global traffic | HTTP traffic detected:
    GET /broadcast HTTP/1.1
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Origin: https://www.amazon.com
    Referer: https://www.amazon.com
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: cross-site
    Te: trailers
    x-amzn-RequestId: FHpLzZRFDaJcV3Y7qyufQOISTIObeVemP+NmdAYcRRIE3FV/EUpEubshH3rkXVtRwA0H5UqybBKz1PDmJULg1XGljnjPbkoWruec57yIzOL214VyxG9n4/paEbjVA0xB3WsFwgdNY86xsizSKv8fcjdoFgmVx/FrmUZeOA6bHh4=
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
    Host: 20.104.209.69:8082
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /1/events/com.amazon.csm.csa.prod HTTP/1.1
    Accept: */*
    Origin: https://www.amazon.com
    x-amz-rid: MzM0ODIwMjEy
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
    Host: 20.104.209.69:8082
    Content-Length: 14587
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | TCP traffic: 192.168.2.5:49699 -> 20.104.209.69:8082
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | IP Address: 20.104.209.69
Source: unknown | TCP traffic detected without corresponding DNS query: 20.104.209.69 (this entry is repeated 50 times in the report)
Source: loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://20.104.209.69:8082/1/events/com.amazon.csm.csa.prod
Source: loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://20.104.209.69:8082/broadcast
Source: loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://20.104.209.69:8082/broadcast((
Source: loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://20.104.209.69:8082/broadcast2
Source: loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://20.104.209.69:8082/broadcast?
Source: loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://20.104.209.69:8082/broadcastp
Source: loaddll64.exe, 00000000.00000002.579668975.0000026760402000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579895773.00000267605C1000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579889103.0000026760597000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://d22u79neyj432a.cloudfront.net/bfc50dfa-8e10-44b5-ae59-ac26bfc71489/54857e6d-c060-4b3c-914a-8
Source: loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com

System Summary

Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule for beacon reflective loader Author: unknown
Source: 8082-x64.dll.dll, type: SAMPLE | Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44
Source: 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR | Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR | Matched rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62
Source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR | Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: 8082-x64.dll.dll | Static PE information: Number of sections : 11 > 10
Source: 8082-x64.dll.dll | ReversingLabs: Detection: 78%
Source: 8082-x64.dll.dll | Virustotal: Detection: 63%
Source: 8082-x64.dll.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\8082-x64.dll.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x64.dll.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_01
Source: classification engine | Classification label: mal100.troj.winDLL@14/0@0/1
Source: 8082-x64.dll.dll | Static PE information: Image base 0x6bac0000 > 0x60000000
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760595E1A push ecx; ret 0_3_0000026760595E2D
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760596786 push ebx; ret 0_3_0000026760596794
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760596726 push ebx; ret 0_3_0000026760596794
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760595795 push eax; ret 0_3_00000267605957A4
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_00000267605957C3 push eax; ret 0_3_00000267605957A4
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_00000267605978FA push ecx; ret 0_3_0000026760597918
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760594167 push esi; ret 0_3_000002676059416C
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_000002676059625F push ebp; ret 0_3_0000026760596263
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_00000267605972C8 push ebx; ret 0_3_00000267605972E8
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760594AC9 push esp; ret 0_3_0000026760594AD2
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760595AEF push edx; ret 0_3_0000026760595AB8
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_00000267605972EB push esp; ret 0_3_000002676059731C
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760594C00 push esi; ret 0_3_0000026760594C09
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760594480 push edx; ret 0_3_0000026760594498
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760598469 push es; ret 0_3_0000026760598470
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_3_0000026760598498 push ebp; ret 0_3_000002676059849F
Source: 8082-x64.dll.dll | Static PE information: section name: .xdata
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\8082-x64.dll.dll

    Hooking and other Techniques for Hiding and Protection

    Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 8082
    Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49699
    Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 8082
    Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49700
    Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 8082
    Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49701
    Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 8082
    Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49707
    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 8082
    Source: unknown | Network traffic detected: HTTP traffic on port 8082 -> 49709
    Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\loaddll64.exe TID: 3724 | Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\System32\loaddll64.exe TID: 5220 | Thread sleep time: -32461s >= -30000s
    Source: C:\Windows\System32\loaddll64.exe TID: 5220 | Thread sleep time: -37737s >= -30000s
    Source: C:\Windows\System32\loaddll64.exe TID: 5220 | Thread sleep time: -34501s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
    Source: loaddll64.exe, 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000003.395951899.00000267603C6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWDO=:
    Source: loaddll64.exe, 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000003.395951899.00000267603C6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1
    Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Remote Access Functionality

    Source: Yara matchFile source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: loaddll64.exe PID: 3648, type: MEMORYSTR
    Source: Yara matchFile source: 8082-x64.dll.dll, type: SAMPLE
    MITRE ATT&CK matrix (a number before a technique is the count of matched signatures):

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 11 Non-Standard Port | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Regsvr32 | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 112 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
    Behavior Graph (ID 780203, sample 8082-x64.dll.dll, start date 08/01/2023, architecture WINDOWS, score 100): loaddll64.exe starts cmd.exe, regsvr32.exe, conhost.exe and 3 other processes; cmd.exe starts rundll32.exe. Network contact: 20.104.209.69 (source ports 49699, 49700, 49701), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States. Graph-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures.

    Source | Detection | Scanner | Label | Link
    8082-x64.dll.dll | 78% | ReversingLabs | Win64.Backdoor.CobaltStrike |
    8082-x64.dll.dll | 63% | Virustotal | | Browse
    8082-x64.dll.dll | 100% | Avira | HEUR/AGEN.1235510 |
    8082-x64.dll.dll | 100% | Joe Sandbox ML | |
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    http://20.104.209.69:8082/broadcast(( | 0% | Avira URL Cloud | safe |
    http://20.104.209.69:8082/broadcastp | 0% | Avira URL Cloud | safe |
    http://20.104.209.69:8082/broadcast? | 0% | Avira URL Cloud | safe |
    http://20.104.209.69:8082/broadcast | 0% | Virustotal | | Browse
    http://20.104.209.69:8082/broadcast | 0% | Avira URL Cloud | safe |
    20.104.209.69 | 0% | Avira URL Cloud | safe |
    http://20.104.209.69:8082/broadcast2 | 0% | Avira URL Cloud | safe |
    http://20.104.209.69:8082/1/events/com.amazon.csm.csa.prod | 0% | Avira URL Cloud | safe |
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    http://20.104.209.69:8082/broadcast | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
    20.104.209.69 | true | Avira URL Cloud: safe | unknown
    http://20.104.209.69:8082/1/events/com.amazon.csm.csa.prod | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://20.104.209.69:8082/broadcast? | loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://20.104.209.69:8082/broadcastp | loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://20.104.209.69:8082/broadcast(( | loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://www.amazon.com | loaddll64.exe, 00000000.00000002.579185009.0000026760353000.00000004.00000001.00020000.00000000.sdmp | false | | high
    http://20.104.209.69:8082/broadcast2 | loaddll64.exe, 00000000.00000003.395924452.00000267603A7000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579245580.00000267603A5000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://d22u79neyj432a.cloudfront.net/bfc50dfa-8e10-44b5-ae59-ac26bfc71489/54857e6d-c060-4b3c-914a-8 | loaddll64.exe, 00000000.00000002.579668975.0000026760402000.00000004.00000001.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579895773.00000267605C1000.00000004.00001000.00020000.00000000.sdmp, loaddll64.exe, 00000000.00000002.579889103.0000026760597000.00000004.00001000.00020000.00000000.sdmp | false | | high
        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        20.104.209.69 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
        Joe Sandbox Version:36.0.0 Rainbow Opal
        Analysis ID:780203
        Start date and time:2023-01-08 16:08:56 +01:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 6m 28s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:8082-x64.dll.dll
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Run name:Run with higher sleep bypass
        Number of new started processes analysed:11
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.winDLL@14/0@0/1
        EGA Information:Failed
        HDC Information:Failed
        HCA Information:Failed
        Cookbook Comments:
        • Found application associated with file extension: .dll
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
        • Execution Graph export aborted for target loaddll64.exe, PID 3648 because there are no executed functions
        • Not all processes were analyzed, report is missing behavior information
        No simulations
        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
        20.104.209.69 | 8082-x86.dll | Get hash | malicious | Browse | 20.104.209.69:8082/broadcast
        20.104.209.69 | 8082-x86.exe | Get hash | malicious | Browse | 20.104.209.69:8082/broadcast
        20.104.209.69 | 8082-x64.ps1 | Get hash | malicious | Browse | 20.104.209.69:8082/broadcast
        20.104.209.69 | 8082-x64.exe | Get hash | malicious | Browse | 20.104.209.69:8082/broadcast
        20.104.209.69 | 8082-x86.ps1 | Get hash | malicious | Browse | 20.104.209.69:8082/broadcast
        No context
        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
        MICROSOFT-CORP-MSN-AS-BLOCKUS | 8082-x86.dll | Get hash | malicious | Browse | 20.104.209.69
        MICROSOFT-CORP-MSN-AS-BLOCKUS | 8082-x86.exe | Get hash | malicious | Browse | 20.104.209.69
        MICROSOFT-CORP-MSN-AS-BLOCKUS | 8082-x64.ps1 | Get hash | malicious | Browse | 20.104.209.69
        MICROSOFT-CORP-MSN-AS-BLOCKUS | 8082-x64.exe | Get hash | malicious | Browse | 20.104.209.69
        MICROSOFT-CORP-MSN-AS-BLOCKUS | 8082-x86.ps1 | Get hash | malicious | Browse | 20.104.209.69
        MICROSOFT-CORP-MSN-AS-BLOCKUS | YhfJ5sKIz3.elf | Get hash | malicious | Browse | 20.124.38.248
        MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | Browse | 40.93.207.2
        MICROSOFT-CORP-MSN-AS-BLOCKUS | XsP344f0F0.elf | Get hash | malicious | Browse | 40.91.21.6
        MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | Browse | 40.93.207.0
        MICROSOFT-CORP-MSN-AS-BLOCKUS | 41bV0jyqt6.elf | Get hash | malicious | Browse | 40.65.177.74
        MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | Browse | 40.93.207.2
        MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | Browse | 104.47.54.36
        MICROSOFT-CORP-MSN-AS-BLOCKUS | JzKeM0GpxV.elf | Get hash | malicious | Browse | 20.182.19.237
        MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | Browse | 40.93.207.2
        MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | Browse | 40.93.207.1
        MICROSOFT-CORP-MSN-AS-BLOCKUS | 12OMRfKxvu.elf | Get hash | malicious | Browse | 51.125.192.211
        MICROSOFT-CORP-MSN-AS-BLOCKUS | 7JE8iEYd60.elf | Get hash | malicious | Browse | 40.96.50.119
        MICROSOFT-CORP-MSN-AS-BLOCKUS | U1lnaOUMhH.elf | Get hash | malicious | Browse | 20.208.28.125
        MICROSOFT-CORP-MSN-AS-BLOCKUS | AP7H3dk8Ul.elf | Get hash | malicious | Browse | 20.223.104.8
        MICROSOFT-CORP-MSN-AS-BLOCKUS | 8jK7X0Nc8M.elf | Get hash | malicious | Browse | 20.84.217.81
        No context
        No created / dropped files found
        File type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
        Entropy (8bit):7.250454733634642
        TrID:
        • Win64 Dynamic Link Library (generic) (102004/3) 86.41%
        • Win64 Executable (generic) (12005/4) 10.17%
        • Generic Win/DOS Executable (2004/3) 1.70%
        • DOS Executable Generic (2002/1) 1.70%
        • VXD Driver (31/22) 0.03%
        File name:8082-x64.dll.dll
        File size:287744
        MD5:43616639411a590f022505998a6f567e
        SHA1:416932059dc3488000b171beeac258fc792d4c71
        SHA256:6a289f491c8d5d789e31e89c73ba06ef6fc075458a1106b7213b29da798f6c03
        SHA512:9989fc8ee3a07db0a9f9a98395e75178507f20e9189f15c9b9dc51f55efe23c324388edc0032ded78db392f69ae9560505a979e165661a0fe46ca7c73c41139a
        SSDEEP:6144:49TczeYIVeH21LD3rMPwjEMSUEufxTUhYohcnxK7xERM5jy45yrjz:weAP3QPKEeEuShYohcnx+xEsUT
        TLSH:9954ADC0D6EEE60CEA36C5B72B9762679030F344FAD62BB124660B0696D647DD0D027F
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......^..........."..... ...`.................k.............................................. ............................
        Icon Hash:74f0e4ecccdce0e4
        Entrypoint:0x6bac13f0
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x6bac0000
        Subsystem:windows cui
        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, DLL
        DLL Characteristics:
        Time Stamp:0x5EDED517 [Tue Jun 9 00:17:27 2020 UTC]
        TLS Callbacks:0x6bac1910
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f73cb1b8999c7e79c50459b8e1f144f0
        Instruction
        dec eax
        sub esp, 48h
        mov dword ptr [00047C22h], 00000000h
        cmp edx, 01h
        je 00007FE0409C534Fh
        dec eax
        add esp, 48h
        jmp 00007FE0409C51C9h
        nop dword ptr [eax+00h]
        mov dword ptr [esp+30h], edx
        dec eax
        mov dword ptr [esp+38h], ecx
        dec esp
        mov dword ptr [esp+28h], eax
        call 00007FE0409C5F62h
        call 00007FE0409C62CDh
        dec esp
        mov eax, dword ptr [esp+28h]
        dec eax
        mov ecx, dword ptr [esp+38h]
        mov edx, dword ptr [esp+30h]
        dec eax
        add esp, 48h
        jmp 00007FE0409C5196h
        nop
        push ebp
        push edi
        push esi
        push ebx
        dec eax
        sub esp, 58h
        inc ebp
        xor eax, eax
        inc ecx
        mov ecx, 00000001h
        dec eax
        mov edi, ecx
        mov esi, edx
        mov dword ptr [esp+4Ch], 00000000h
        dec eax
        mov dword ptr [esp+38h], 00000000h
        mov dword ptr [esp+30h], 00000000h
        mov edx, 00000002h
        mov dword ptr [esp+28h], 00000000h
        mov dword ptr [esp+20h], 00000000h
        dec eax
        lea ecx, dword ptr [00048475h]
        call dword ptr [00049D6Bh]
        dec eax
        mov ebx, eax
        dec eax
        lea eax, dword ptr [eax-01h]
        dec eax
        cmp eax, FFFFFFFDh
        jnbe 00007FE0409C5390h
        xor edx, edx
        dec eax
        mov ecx, ebx
        call dword ptr [00049D43h]
        test eax, eax
        dec eax
        mov ebp, dword ptr [00049E32h]
        jne 00007FE0409C536Ch
        jmp 00007FE0409C5378h
        dec eax
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4a000 | 0xb0 | .edata
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4b000 | 0x7bc | .idata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x47000 | 0x27c | .pdata
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4e000 | 0x2c4 | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x4d000 | 0x28 | .tls
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x4b1e4 | 0x1a8 | .idata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x1f10 | 0x2000 | False | 0.5732421875 | data | 6.021842385150596 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .data | 0x3000 | 0x42470 | 0x42600 | False | 0.5997381120527306 | data | 7.257802920028994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rdata | 0x46000 | 0x170 | 0x200 | False | 0.416015625 | data | 3.5502048501802737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
        .pdata | 0x47000 | 0x27c | 0x400 | False | 0.3515625 | data | 2.9537206983747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
        .xdata | 0x48000 | 0x200 | 0x200 | False | 0.380859375 | locale data table | 3.772885986330123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
        .bss | 0x49000 | 0x990 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .edata | 0x4a000 | 0xb0 | 0x200 | False | 0.271484375 | data | 1.9824304709536775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
        .idata | 0x4b000 | 0x7bc | 0x800 | False | 0.357421875 | data | 4.239308826637131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .CRT | 0x4c000 | 0x58 | 0x200 | False | 0.0546875 | data | 0.20153937813451883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .tls | 0x4d000 | 0x48 | 0x200 | False | 0.0546875 | data | 0.29046607431271465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .reloc | 0x4e000 | 0x2c4 | 0x400 | False | 0.626953125 | GLS_BINARY_LSB_FIRST | 4.699885638394994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        DLL | Import
        KERNEL32.dll | CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, QueryPerformanceCounter, ReadFile, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile
        msvcrt.dll | __dllonexit, __iob_func, _amsg_exit, _initterm, _lock, _onexit, _unlock, abort, calloc, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf
        Name | Ordinal | Address
        DllGetClassObject | 1 | 0x6bac170b
        DllMain | 2 | 0x6bac16c7
        DllRegisterServer | 3 | 0x6bac1705
        DllUnregisterServer | 4 | 0x6bac1708
        StartW | 5 | 0x6bac1714
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Jan 8, 2023 16:10:04.046937943 CET | 49699 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:04.161695004 CET | 8082 | 49699 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:04.162079096 CET | 49699 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:04.162940025 CET | 49699 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:04.276777983 CET | 8082 | 49699 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:04.281196117 CET | 8082 | 49699 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:04.281222105 CET | 8082 | 49699 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:04.281239986 CET | 8082 | 49699 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:04.281378031 CET | 49699 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:04.292589903 CET | 49699 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:04.406682968 CET | 8082 | 49699 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:36.778028965 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:36.892846107 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:36.893060923 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:36.902221918 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.016406059 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.028742075 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.028786898 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.028812885 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.028836012 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.028846979 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.028861046 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.028884888 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.028887033 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.028913021 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.028928995 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.028937101 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.028956890 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.028974056 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.029061079 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.143208981 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143250942 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143270016 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143287897 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143311977 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143332958 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143352032 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143369913 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143368959 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.143389940 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143409967 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143428087 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143429041 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.143450975 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143457890 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.143475056 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143486023 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.143493891 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143513918 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143521070 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.143532991 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143560886 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.143603086 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.143801928 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143826008 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143846035 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143852949 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.143867970 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.143888950 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.143919945 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.257618904 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257693052 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257721901 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257751942 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257778883 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257806063 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257811069 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.257833958 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257854939 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.257863045 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257879972 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.257893085 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257903099 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.257914066 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.257924080 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257937908 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.257952929 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.257982016 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.257982016 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258012056 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258012056 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258038044 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258038998 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258059978 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258065939 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258094072 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258094072 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258122921 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258126974 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258152008 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258162975 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258178949 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258200884 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258204937 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258210897 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258219957 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258234024 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258249998 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258263111 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258279085 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258291006 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258301020 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258320093 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258342981 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258349895 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258378983 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258389950 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258405924 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258410931 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258419991 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258435011 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258454084 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258465052 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258490086 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258511066 CET | 49700 | 8082 | 192.168.2.5 | 20.104.209.69
        Jan 8, 2023 16:10:37.258517027 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258548021 CET | 8082 | 49700 | 20.104.209.69 | 192.168.2.5
        Jan 8, 2023 16:10:37.258569956 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.258596897 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.258790016 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.258820057 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.258845091 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.258865118 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.258877993 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.258892059 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.258904934 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.258920908 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.258939028 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.258949995 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.258975983 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.258976936 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.259007931 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.259026051 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.259054899 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.259073973 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.376698017 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.376737118 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.376756907 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.376779079 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.376800060 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.376821041 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.376830101 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.376842976 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.376867056 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.376868010 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.376888037 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.376899004 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.376919031 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.376948118 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.376986027 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377006054 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377033949 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377047062 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377049923 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377072096 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377089977 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377121925 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377154112 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377155066 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377201080 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377259016 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377298117 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377315998 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377321005 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377343893 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377363920 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377384901 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377463102 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377474070 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377501011 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377523899 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377526999 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377548933 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377549887 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377567053 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377574921 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377609015 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377635002 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377686024 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377712011 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377732992 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377737999 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377757072 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.377763987 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377784014 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.377801895 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378042936 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378067970 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378089905 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378123999 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378129959 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378160954 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378187895 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378442049 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378470898 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378493071 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378511906 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378516912 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378530025 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378541946 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378561020 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378566980 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378585100 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378592968 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378601074 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378618956 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378631115 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378657103 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378686905 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378725052 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378747940 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378750086 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378767967 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378783941 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378787994 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378806114 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378818989 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378829002 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378844023 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378853083 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378861904 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378876925 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.378889084 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.378911972 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379142046 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379169941 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379194021 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379195929 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379216909 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379219055 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379232883 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379242897 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379262924 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379287004 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379287004 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379319906 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379338980 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379352093 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379368067 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379379034 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379395962 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379404068 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379420042 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379434109 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379443884 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379455090 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379476070 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379771948 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379796982 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379822016 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379832983 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379846096 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.379878044 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.379901886 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380075932 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380100965 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380122900 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380124092 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380147934 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380155087 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380172014 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380172968 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380187035 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380197048 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380207062 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380220890 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380234957 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380247116 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380259991 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380270958 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380285025 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380295992 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380305052 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380337954 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380345106 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380372047 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380378962 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380419016 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380467892 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380491972 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380513906 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380526066 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380537033 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.380546093 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.380575895 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.491336107 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.491369963 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.491389990 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.491410017 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.491475105 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.491548061 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.491559029 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.491579056 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.491596937 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.491616011 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.491625071 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.491646051 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.491693020 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492031097 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492052078 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492070913 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492089987 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492130995 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492166996 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492166996 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492177010 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492330074 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492449045 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492506027 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492542982 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492551088 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492568016 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492597103 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492609024 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492643118 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492660999 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492687941 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492716074 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492743969 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492757082 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492793083 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492809057 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492842913 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492852926 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492892981 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492899895 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492943048 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.492958069 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.492990971 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.493005991 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.493038893 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.493063927 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.493087053 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.493102074 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.493150949 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.493136883 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.493359089 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.493372917 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.493443012 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.493478060 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.493509054 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.493521929 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.493596077 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.493596077 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.493664026 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.493709087 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.493792057 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.493793011 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.493866920 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.494926929 CET497008082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.608933926 CET80824970020.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.739641905 CET497018082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.854197979 CET80824970120.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.854347944 CET497018082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.855025053 CET497018082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.855025053 CET497018082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.969065905 CET80824970120.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.969142914 CET80824970120.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.969223022 CET80824970120.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.969259024 CET80824970120.104.209.69192.168.2.5
        Jan 8, 2023 16:10:37.969324112 CET497018082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:37.969398022 CET80824970120.104.209.69192.168.2.5
        Jan 8, 2023 16:10:38.083689928 CET80824970120.104.209.69192.168.2.5
        Jan 8, 2023 16:10:38.088685989 CET80824970120.104.209.69192.168.2.5
        Jan 8, 2023 16:10:38.088747978 CET80824970120.104.209.69192.168.2.5
        Jan 8, 2023 16:10:38.088816881 CET497018082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:38.088886976 CET497018082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:38.093235970 CET497018082192.168.2.520.104.209.69
        Jan 8, 2023 16:10:38.093523979 CET497018082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:08.033690929 CET497078082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:08.148102999 CET80824970720.104.209.69192.168.2.5
        Jan 8, 2023 16:11:08.148253918 CET497078082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:08.148991108 CET497078082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:08.262916088 CET80824970720.104.209.69192.168.2.5
        Jan 8, 2023 16:11:08.267827034 CET80824970720.104.209.69192.168.2.5
        Jan 8, 2023 16:11:08.267864943 CET80824970720.104.209.69192.168.2.5
        Jan 8, 2023 16:11:08.267925978 CET497078082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:08.267983913 CET497078082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:08.268054008 CET80824970720.104.209.69192.168.2.5
        Jan 8, 2023 16:11:08.268134117 CET497078082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:08.268418074 CET497078082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:08.382499933 CET80824970720.104.209.69192.168.2.5
        Jan 8, 2023 16:11:47.059197903 CET497098082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:47.174897909 CET80824970920.104.209.69192.168.2.5
        Jan 8, 2023 16:11:47.175028086 CET497098082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:47.181302071 CET497098082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:47.295644999 CET80824970920.104.209.69192.168.2.5
        Jan 8, 2023 16:11:47.299756050 CET80824970920.104.209.69192.168.2.5
        Jan 8, 2023 16:11:47.299848080 CET80824970920.104.209.69192.168.2.5
        Jan 8, 2023 16:11:47.299895048 CET497098082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:47.299947023 CET497098082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:47.300139904 CET80824970920.104.209.69192.168.2.5
        Jan 8, 2023 16:11:47.300220013 CET497098082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:47.300646067 CET497098082192.168.2.520.104.209.69
        Jan 8, 2023 16:11:47.414453030 CET80824970920.104.209.69192.168.2.5
        • https:
          • 20.104.209.69:8082
        Session ID:0
        Source IP:192.168.2.5
        Source Port:49699
        Destination IP:20.104.209.69
        Destination Port:8082
        Process:C:\Windows\System32\loaddll64.exe
        Timestamp | kBytes transferred | Direction | Data
        Jan 8, 2023 16:10:04.162940025 CET | 0 | OUT | GET /broadcast HTTP/1.1
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Origin: https://www.amazon.com
        Referer: https://www.amazon.com
        Sec-Fetch-Dest: empty
        Sec-Fetch-Mode: cors
        Sec-Fetch-Site: cross-site
        Te: trailers
        x-amzn-RequestId: FHpLzZRFDaJcV3Y7qyufQOISTIObeVemP+NmdAYcRRIE3FV/EUpEubshH3rkXVtRwA0H5UqybBKz1PDmJULg1XGljnjPbkoWruec57yIzOL214VyxG9n4/paEbjVA0xB3WsFwgdNY86xsizSKv8fcjdoFgmVx/FrmUZeOA6bHh4=
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: 20.104.209.69:8082
        Connection: Keep-Alive
        Cache-Control: no-cache
        Jan 8, 2023 16:10:04.281196117 CET | 1 | IN | HTTP/1.1 200 OK
        Date: Sun, 8 Jan 2023 15:09:55 GMT
        Content-Type: application/json
        Access-Control-Allow-Origin: https://www.amazon.com
        Access-Control-Allow-Methods: GET
        Access-Control-Allow-Credentials: true
        X-Amz-Version-Id: null
        Server: AmazonS3
        X-Cache: Hit from cloudfront
        Content-Length: 1591


        Session ID:1
        Source IP:192.168.2.5
        Source Port:49700
        Destination IP:20.104.209.69
        Destination Port:8082
        Process:C:\Windows\System32\loaddll64.exe
        Timestamp | kBytes transferred | Direction | Data
        Jan 8, 2023 16:10:36.902221918 CET | 4 | OUT | GET /broadcast HTTP/1.1
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Origin: https://www.amazon.com
        Referer: https://www.amazon.com
        Sec-Fetch-Dest: empty
        Sec-Fetch-Mode: cors
        Sec-Fetch-Site: cross-site
        Te: trailers
        x-amzn-RequestId: FHpLzZRFDaJcV3Y7qyufQOISTIObeVemP+NmdAYcRRIE3FV/EUpEubshH3rkXVtRwA0H5UqybBKz1PDmJULg1XGljnjPbkoWruec57yIzOL214VyxG9n4/paEbjVA0xB3WsFwgdNY86xsizSKv8fcjdoFgmVx/FrmUZeOA6bHh4=
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: 20.104.209.69:8082
        Connection: Keep-Alive
        Cache-Control: no-cache
        Jan 8, 2023 16:10:37.028742075 CET | 4 | IN | HTTP/1.1 200 OK
        Date: Sun, 8 Jan 2023 15:10:28 GMT
        Content-Type: application/json
        Access-Control-Allow-Origin: https://www.amazon.com
        Access-Control-Allow-Methods: GET
        Access-Control-Allow-Credentials: true
        X-Amz-Version-Id: null
        Server: AmazonS3
        X-Cache: Hit from cloudfront
        Content-Length: 234807


        Session ID:2
        Source IP:192.168.2.5
        Source Port:49701
        Destination IP:20.104.209.69
        Destination Port:8082
        Process:C:\Windows\System32\loaddll64.exe
        Timestamp | kBytes transferred | Direction | Data
        Jan 8, 2023 16:10:37.855025053 CET | 253 | OUT | POST /1/events/com.amazon.csm.csa.prod HTTP/1.1
        Accept: */*
        Origin: https://www.amazon.com
        x-amz-rid: MzM0ODIwMjEy
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: 20.104.209.69:8082
        Content-Length: 14587
        Connection: Keep-Alive
        Cache-Control: no-cache
        Jan 8, 2023 16:10:38.088685989 CET | 278 | IN | HTTP/1.1 200 OK
        Date: Sun, 8 Jan 2023 15:10:29 GMT
        Server: Server
        Content-Type: application/json
        Connection: close
        Access-Control-Allow-Origin: https://www.amazon.com
        Access-Control-Expose-Headers: x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date
        Access-Control-Allow-Credentials: true
        Vary: Origin,Content-Type,Accept-Encoding,X-Amzn-CDN-Cache,X-Amzn-AX-Treatment,User-Agent
        Permissions-Policy: interest-cohort=()
        Content-Length: 48


        Session ID:3
        Source IP:192.168.2.5
        Source Port:49707
        Destination IP:20.104.209.69
        Destination Port:8082
        Process:C:\Windows\System32\loaddll64.exe
        Timestamp | kBytes transferred | Direction | Data
        Jan 8, 2023 16:11:08.148991108 CET | 306 | OUT | GET /broadcast HTTP/1.1
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Origin: https://www.amazon.com
        Referer: https://www.amazon.com
        Sec-Fetch-Dest: empty
        Sec-Fetch-Mode: cors
        Sec-Fetch-Site: cross-site
        Te: trailers
        x-amzn-RequestId: FHpLzZRFDaJcV3Y7qyufQOISTIObeVemP+NmdAYcRRIE3FV/EUpEubshH3rkXVtRwA0H5UqybBKz1PDmJULg1XGljnjPbkoWruec57yIzOL214VyxG9n4/paEbjVA0xB3WsFwgdNY86xsizSKv8fcjdoFgmVx/FrmUZeOA6bHh4=
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: 20.104.209.69:8082
        Connection: Keep-Alive
        Cache-Control: no-cache
        Jan 8, 2023 16:11:08.267827034 CET | 307 | IN | HTTP/1.1 200 OK
        Date: Sun, 8 Jan 2023 15:10:59 GMT
        Content-Type: application/json
        Access-Control-Allow-Origin: https://www.amazon.com
        Access-Control-Allow-Methods: GET
        Access-Control-Allow-Credentials: true
        X-Amz-Version-Id: null
        Server: AmazonS3
        X-Cache: Hit from cloudfront
        Content-Length: 1611


        Session ID:4
        Source IP:192.168.2.5
        Source Port:49709
        Destination IP:20.104.209.69
        Destination Port:8082
        Process:C:\Windows\System32\loaddll64.exe
        Timestamp | kBytes transferred | Direction | Data
        Jan 8, 2023 16:11:47.181302071 CET | 317 | OUT | GET /broadcast HTTP/1.1
        Accept: application/json, text/plain, */*
        Accept-Language: en-US,en;q=0.5
        Origin: https://www.amazon.com
        Referer: https://www.amazon.com
        Sec-Fetch-Dest: empty
        Sec-Fetch-Mode: cors
        Sec-Fetch-Site: cross-site
        Te: trailers
        x-amzn-RequestId: FHpLzZRFDaJcV3Y7qyufQOISTIObeVemP+NmdAYcRRIE3FV/EUpEubshH3rkXVtRwA0H5UqybBKz1PDmJULg1XGljnjPbkoWruec57yIzOL214VyxG9n4/paEbjVA0xB3WsFwgdNY86xsizSKv8fcjdoFgmVx/FrmUZeOA6bHh4=
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Host: 20.104.209.69:8082
        Connection: Keep-Alive
        Cache-Control: no-cache
        Jan 8, 2023 16:11:47.299756050 CET | 318 | IN | HTTP/1.1 200 OK
        Date: Sun, 8 Jan 2023 15:11:38 GMT
        Content-Type: application/json
        Access-Control-Allow-Origin: https://www.amazon.com
        Access-Control-Allow-Methods: GET
        Access-Control-Allow-Credentials: true
        X-Amz-Version-Id: null
        Server: AmazonS3
        X-Cache: Hit from cloudfront
        Content-Length: 1591


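The five sessions above are what an analyst has to work with: a Beacon whose malleable profile dresses its GET /broadcast check-ins and its POST to /1/events/com.amazon.csm.csa.prod as browser traffic to amazon.com (Origin, Referer, Chrome User-Agent, Sec-Fetch headers), while the Host header is a bare IP on port 8082, the x-amzn-RequestId value is byte-for-byte identical in every check-in, and the check-ins arrive roughly every 30 to 40 seconds. The Python below is an added example, not code from the Joe Sandbox report or from Cobalt Strike: it embeds the request metadata transcribed from the sessions above as constructed sample input, flags the header inconsistencies in each request, finds header values that repeat across requests, and measures the gaps between check-ins to decide whether the timing looks like a sleep timer. The function names, the jitter threshold and the treatment of the request id as a base64 blob are this example's own assumptions.

```python
"""Added example, not part of the Joe Sandbox report: detection logic over the
HTTP sessions recorded above. Sample requests are transcribed from the report
(only the headers the checks use); names and thresholds are this example's."""
import base64
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed from sessions 0-4 above.
REQUEST_ID = "FHpLzZRFDaJcV3Y7qyufQOISTIObeVemP+NmdAYcRRIE3FV/EUpEubshH3rkXVtRwA0H5UqybBKz1PDmJULg1XGljnjPbkoWruec57yIzOL214VyxG9n4/paEbjVA0xB3WsFwgdNY86xsizSKv8fcjdoFgmVx/FrmUZeOA6bHh4="
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36")


def _checkin(ts):
    """One GET /broadcast check-in with the headers the report shows."""
    return (ts, "GET", "/broadcast", {
        "Origin": "https://www.amazon.com", "Referer": "https://www.amazon.com",
        "x-amzn-RequestId": REQUEST_ID, "User-Agent": USER_AGENT,
        "Host": "20.104.209.69:8082"})


# (timestamp, method, path, headers) per session, in report order.
SESSIONS = [
    _checkin("Jan 8, 2023 16:10:04.162940025 CET"),
    _checkin("Jan 8, 2023 16:10:36.902221918 CET"),
    ("Jan 8, 2023 16:10:37.855025053 CET", "POST",
     "/1/events/com.amazon.csm.csa.prod", {
         "Origin": "https://www.amazon.com", "x-amz-rid": "MzM0ODIwMjEy",
         "User-Agent": USER_AGENT, "Host": "20.104.209.69:8082"}),
    _checkin("Jan 8, 2023 16:11:08.148991108 CET"),
    _checkin("Jan 8, 2023 16:11:47.181302071 CET"),
]

_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CET$")


def parse_ts(text):
    """Joe Sandbox prints nanoseconds; datetime holds microseconds, so truncate."""
    m = _TS.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))


def header_indicators(headers):
    """Mismatches between what the headers claim and where the request goes."""
    found = []
    host = headers.get("Host", "")
    hostname, _, port = host.partition(":")
    try:
        ipaddress.ip_address(hostname)
        found.append("Host is a bare IP address")
    except ValueError:
        pass
    if port and port not in ("80", "443"):
        found.append(f"non-standard port {port}")
    for name in ("Origin", "Referer"):
        claimed = urlparse(headers.get(name, "")).hostname
        if claimed and claimed != hostname:
            found.append(f"{name} names {claimed} but Host is {host}")
    rid = headers.get("x-amzn-RequestId")
    if rid:
        try:  # a fixed 128-byte blob is the size of an RSA-1024 ciphertext
            size = len(base64.b64decode(rid, validate=True))
            found.append(f"x-amzn-RequestId is a {size}-byte base64 blob")
        except ValueError:
            pass
    return found


def repeated_header_values(sessions, name):
    """Header values seen in more than one request; a real request id would not repeat."""
    counts = {}
    for _, _, _, hdrs in sessions:
        if name in hdrs:
            counts[hdrs[name]] = counts.get(hdrs[name], 0) + 1
    return {value: n for value, n in counts.items() if n > 1}


def checkin_intervals(sessions, path="/broadcast"):
    """Seconds between successive GETs of the check-in path, oldest first."""
    times = sorted(parse_ts(ts) for ts, method, p, _ in sessions
                   if method == "GET" and p == path)
    return [round((b - a).total_seconds(), 2) for a, b in zip(times, times[1:])]


def looks_like_beaconing(intervals, max_jitter=0.5):
    """True when every gap lies within max_jitter of the median gap (assumed threshold)."""
    if len(intervals) < 2:
        return False
    median = sorted(intervals)[len(intervals) // 2]
    return all(abs(gap - median) / median <= max_jitter for gap in intervals)


if __name__ == "__main__":
    for ts, method, path, hdrs in SESSIONS:
        print(ts, method, path, header_indicators(hdrs))
    repeats = repeated_header_values(SESSIONS, "x-amzn-RequestId")
    print("request ids reused:", {v[:12] + "...": n for v, n in repeats.items()})
    gaps = checkin_intervals(SESSIONS)
    print("check-in gaps (s):", gaps, "beaconing:", looks_like_beaconing(gaps))
```

Run it directly to print the indicators per session and the gaps (32.74 s, 31.25 s and 39.03 s, all within 20% of their median). On real proxy logs the same checks apply to any request whose Origin or Referer claims one site while Host names another, especially on a port other than 80 or 443. The 128-byte request id is worth recording because Beacon encrypts its session metadata with the team server's RSA-1024 key, which produces ciphertexts of exactly that size, but a blob of that length is a pivot for a hunt, not proof on its own.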
        Target ID:0
        Start time:16:09:52
        Start date:08/01/2023
        Path:C:\Windows\System32\loaddll64.exe
        Wow64 process (32bit):false
        Commandline:loaddll64.exe "C:\Users\user\Desktop\8082-x64.dll.dll"
        Imagebase:0x7ff6c0910000
        File size:139776 bytes
        MD5 hash:C676FC0263EDD17D4CE7D644B8F3FCD6
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
        • Rule: CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x, Description: Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x, Source: 00000000.00000002.579279943.00000267603C6000.00000004.00000001.00020000.00000000.sdmp, Author: gssincla@google.com
        • Rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6, Description: Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, Author: gssincla@google.com
        • Rule: Cobaltbaltstrike_Beacon_x64, Description: Detects CobaltStrike payloads, Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, Author: Avast Threat Intel Team
        • Rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator, Description: Detects CobaltStrike C2 encoded profile configuration, Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
        • Rule: CobaltStrike_MZ_Launcher, Description: Detects CobaltStrike MZ header ReflectiveLoader launcher, Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
        • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
        • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
        • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000003.323615011.0000026760590000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
        Reputation:high
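        The SUSP_XORed_Mozilla match above notes that yara's xor modifier cannot report which key it matched on, so the analyst has to brute force it separately. The following Python script is an added example, not part of this report or of Joe Sandbox, that does that brute force directly on a memory dump: it tries all 256 single-byte keys against the keyword, returns every (offset, key) hit, and decodes the surrounding bytes with the recovered key so the full User-Agent string becomes readable. The buffer it runs on is a constructed sample (a fake config blob XORed with 0x2E), not data from 8082-x64.dll.dll; to use it on the real dump, read the .sdmp file listed in the Source field into `buf` instead.

```python
# Added example (not from the Joe Sandbox report): recover the single-byte XOR
# key that hides "Mozilla/5.0" in a memory dump, which the SUSP_XORed_Mozilla
# yara rule flags without being able to print the key.
from typing import List, Tuple

KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0-255)."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(buf: bytes, keyword: bytes = KEYWORD) -> List[Tuple[int, int]]:
    """Return sorted (offset, key) pairs for every single-byte XOR encoding of
    keyword found in buf. Key 0x00 (plaintext) is included so unencoded hits
    are reported too, mirroring yara's default xor(0x00-0xff) range."""
    hits = []
    for key in range(256):
        needle = xor_bytes(keyword, key)
        start = 0
        while True:
            idx = buf.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, key))
            start = idx + 1
    return sorted(hits)


def decode_region(buf: bytes, offset: int, key: int, length: int = 64) -> bytes:
    """Decode `length` bytes starting at offset with the recovered key, so the
    analyst can read the surrounding config string (e.g. the full User-Agent)."""
    return xor_bytes(buf[offset:offset + length], key)


# Constructed sample: a fake config blob with a UA string XORed by 0x2E and
# padded with unrelated bytes. Not taken from the analysed sample.
_PLAIN_UA = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_KEY = 0x2E
SAMPLE_BUF = b"\x00" * 16 + xor_bytes(_PLAIN_UA, SAMPLE_KEY) + b"\xff" * 16


if __name__ == "__main__":
    # On a real dump: buf = open("memory.sdmp", "rb").read()
    for off, key in find_xored_keyword(SAMPLE_BUF):
        decoded = decode_region(SAMPLE_BUF, off, key, len(_PLAIN_UA))
        print(f"offset=0x{off:x} key=0x{key:02x} -> {decoded!r}")
```

A hit with key 0x00 is plaintext and usually uninteresting; a hit with any other key is the one worth chasing, since a legitimate program has little reason to store its own User-Agent XOR-encoded. Decoding a longer region from the hit offset with the same key typically exposes neighbouring beacon configuration strings as well.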

        Target ID:1
        Start time:16:09:52
        Start date:08/01/2023
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7fcd70000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:2
        Start time:16:09:53
        Start date:08/01/2023
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1
        Imagebase:0x7ff627730000
        File size:273920 bytes
        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:3
        Start time:16:09:53
        Start date:08/01/2023
        Path:C:\Windows\System32\regsvr32.exe
        Wow64 process (32bit):false
        Commandline:regsvr32.exe /s C:\Users\user\Desktop\8082-x64.dll.dll
        Imagebase:0x7ff7ffce0000
        File size:24064 bytes
        MD5 hash:D78B75FC68247E8A63ACBA846182740E
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:4
        Start time:16:09:53
        Start date:08/01/2023
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32.exe "C:\Users\user\Desktop\8082-x64.dll.dll",#1
        Imagebase:0x7ff7a6a20000
        File size:69632 bytes
        MD5 hash:73C519F050C20580F8A62C849D49215A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:5
        Start time:16:09:53
        Start date:08/01/2023
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllGetClassObject
        Imagebase:0x7ff7a6a20000
        File size:69632 bytes
        MD5 hash:73C519F050C20580F8A62C849D49215A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:6
        Start time:16:09:56
        Start date:08/01/2023
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllMain
        Imagebase:0x7ff7a6a20000
        File size:69632 bytes
        MD5 hash:73C519F050C20580F8A62C849D49215A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:7
        Start time:16:09:59
        Start date:08/01/2023
        Path:C:\Windows\System32\rundll32.exe
        Wow64 process (32bit):false
        Commandline:rundll32.exe C:\Users\user\Desktop\8082-x64.dll.dll,DllRegisterServer
        Imagebase:0x7ff7a6a20000
        File size:69632 bytes
        MD5 hash:73C519F050C20580F8A62C849D49215A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        No disassembly