Windows Analysis Report
8082-svc-x64.exe

Overview

General Information

Sample Name: 8082-svc-x64.exe
Analysis ID: 780212
MD5: 89be3be20ca0dce73c12a5a015bcb9a5
SHA1: 4f92b6f168ee8536278fa58a6df5c9b368421030
SHA256: 37e828da01820aad58414d0b73c935a0e408c274cdd872cbbae25f9cbcba0b08
Tags: 45139105143, exe, opendir

Detection

CobaltStrike
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected CobaltStrike
Multi AV Scanner detection for submitted file
Found API chain indicative of debugger detection
Machine Learning detection for sample
Yara signature match
Found large amount of non-executed APIs
Program does not show much activity (idle)
PE file contains sections with non-standard names

Classification

  • System is w10x64
  • 8082-svc-x64.exe (PID: 6108 cmdline: C:\Users\user\Desktop\8082-svc-x64.exe MD5: 89BE3BE20CA0DCE73C12A5A015BCB9A5)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings)

Source: 8082-svc-x64.exe
Rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x
Description: Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x
Author: gssincla@google.com
Strings:
  • 0xd75:$fmtBuilder: 41 B8 5C 00 00 00 C7 44 24 50 5C 00 00 00 C7 44 24 48 65 00 00 00 C7 44 24 40 70 00 00 00 C7 44 24 38 69 00 00 00 C7 44 24 30 70 00 00 00 C7 44 24 28 5C 00 00 00 C7 44 24 20 2E 00 00 00 89 54 ...
  • 0x44e50:$fmtString: %c%c%c%c%c%c%c%c%cMSSE-%d-server

Source: 8082-svc-x64.exe
Rule: JoeSecurity_CobaltStrike_4
Description: Yara detected CobaltStrike
Author: Joe Security

Source: 0.2.8082-svc-x64.exe.400000.0.unpack
Rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x
Description: Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x
Author: gssincla@google.com
Strings:
  • 0xd75:$fmtBuilder: 41 B8 5C 00 00 00 C7 44 24 50 5C 00 00 00 C7 44 24 48 65 00 00 00 C7 44 24 40 70 00 00 00 C7 44 24 38 69 00 00 00 C7 44 24 30 70 00 00 00 C7 44 24 28 5C 00 00 00 C7 44 24 20 2E 00 00 00 89 54 ...
  • 0x44e50:$fmtString: %c%c%c%c%c%c%c%c%cMSSE-%d-server

Source: 0.2.8082-svc-x64.exe.400000.0.unpack
Rule: JoeSecurity_CobaltStrike_4
Description: Yara detected CobaltStrike
Author: Joe Security

Source: 0.0.8082-svc-x64.exe.400000.0.unpack
Rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x
Description: Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x
Author: gssincla@google.com
Strings:
  • 0xd75:$fmtBuilder: 41 B8 5C 00 00 00 C7 44 24 50 5C 00 00 00 C7 44 24 48 65 00 00 00 C7 44 24 40 70 00 00 00 C7 44 24 38 69 00 00 00 C7 44 24 30 70 00 00 00 C7 44 24 28 5C 00 00 00 C7 44 24 20 2E 00 00 00 89 54 ...
  • 0x44e50:$fmtString: %c%c%c%c%c%c%c%c%cMSSE-%d-server

Source: 0.0.8082-svc-x64.exe.400000.0.unpack
Rule: JoeSecurity_CobaltStrike_4
Description: Yara detected CobaltStrike
Author: Joe Security
        No Sigma rule has matched
        No Snort rule has matched

        AV Detection

Source: 8082-svc-x64.exe | Avira: detected
Source: 8082-svc-x64.exe | ReversingLabs: Detection: 80%
Source: 8082-svc-x64.exe | Virustotal: Detection: 68%
Source: 8082-svc-x64.exe | Joe Sandbox ML: detected
Source: 8082-svc-x64.exe, type: SAMPLE | Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44
Source: 0.2.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44
Source: 0.0.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44
Source: C:\Users\user\Desktop\8082-svc-x64.exe | Code function: 0_2_00403390 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\8082-svc-x64.exe | Code function: 0_2_00403382 StartServiceCtrlDispatcherA
Source: 8082-svc-x64.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8082-svc-x64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: 8082-svc-x64.exe | Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\8082-svc-x64.exe | API coverage: 7.2 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

        Anti Debugging

Source: C:\Users\user\Desktop\8082-svc-x64.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\8082-svc-x64.exe | Code function: 0_2_00401180 Sleep, Sleep, SetUnhandledExceptionFilter, GetProcAddress, _acmdln, malloc, strlen, malloc, memcpy, __initenv, _cexit, _amsg_exit, _initterm, GetStartupInfoA, _initterm, exit
Source: C:\Users\user\Desktop\8082-svc-x64.exe | Code function: 0_2_00402DD0 RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort
Source: C:\Users\user\Desktop\8082-svc-x64.exe | Code function: 0_2_00402D00 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
Source: C:\Users\user\Desktop\8082-svc-x64.exe | Code function: 0_2_00401790 CreateNamedPipeA, ConnectNamedPipe, WriteFile, WriteFile, CloseHandle

        Remote Access Functionality

Source: Yara match | File source: 8082-svc-x64.exe, type: SAMPLE
Source: Yara match | File source: 0.2.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE
MITRE ATT&CK Matrix (a number in parentheses is the count the report shows for a matched technique; techniques without a number were not matched)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Service Execution (2), Scheduled Task/Job, At (Linux), At (Windows)
Persistence: Windows Service (3), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Privilege Escalation: Windows Service (3), Process Injection (1), Logon Script (Windows), Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (1), Obfuscated Files or Information, Binary Padding
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: System Time Discovery (1), Security Software Discovery (1), Virtualization/Sandbox Evasion (1), System Information Discovery (2)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
Impact: Modify System Partition, Device Lockout, Delete Device Data
Source | Detection | Scanner | Label
8082-svc-x64.exe | 80% | ReversingLabs | Win64.Backdoor.CobaltStrike
8082-svc-x64.exe | 68% | Virustotal |
8082-svc-x64.exe | 100% | Avira | HEUR/AGEN.1202022
8082-svc-x64.exe | 100% | Joe Sandbox ML |
        No Antivirus matches
        No contacted domains info
        No contacted IP infos
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 780212
Start date and time: 2023-01-08 16:08:04 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 22s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 8082-svc-x64.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.troj.evad.winEXE@1/0@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 95.8% (good quality ratio 59.2%)
• Quality average: 48%
• Quality standard deviation: 42.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
        No simulations
        No context
        No created / dropped files found
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.355879244825435
TrID:
• Win64 Executable (generic) (12005/4) 74.80%
• Generic Win/DOS Executable (2004/3) 12.49%
• DOS Executable Generic (2002/1) 12.47%
• VXD Driver (31/22) 0.19%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: 8082-svc-x64.exe
File size: 289280
MD5: 89be3be20ca0dce73c12a5a015bcb9a5
SHA1: 4f92b6f168ee8536278fa58a6df5c9b368421030
SHA256: 37e828da01820aad58414d0b73c935a0e408c274cdd872cbbae25f9cbcba0b08
SHA512: d8490691ad53b026586dad57bb8bc59c8c3c7c9433305d317ad9aa203d9998b4fcf0e514cc562285565a1763dca7f96cfc0c62336a98cea62026dc114908b8a7
SSDEEP: 6144:6p2TnO+/tCo4wsn5PO/ziUZmUhS6b2m+7HUDnivKMpurzC37gmdqDqq7rvxAiS7Y:6onVGia9dqD5uO6lW
TLSH: 4654BF0AE855E917CB4DE07857630F7A27FB9FFEC42519A6313944236F9BA3B98C5200
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......^........../......$...B................@.....................................:......... ............................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4014b0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp: 0x5EDED518 [Tue Jun 9 00:17:28 2020 UTC]
TLS Callbacks: 0x401af0
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: bed5688a4a2b5ea6984115b458755e90
        Instruction
        dec eax
        sub esp, 28h
        mov dword ptr [00048BB2h], 00000001h
        call 00007FF6849E9B02h
        call 00007FF6849E7F7Dh
        nop
        nop
        dec eax
        add esp, 28h
        ret
        nop
        dec eax
        sub esp, 28h
        mov dword ptr [00048B92h], 00000000h
        call 00007FF6849E9AE2h
        call 00007FF6849E7F5Dh
        nop
        nop
        dec eax
        add esp, 28h
        ret
        nop
        dec eax
        sub esp, 18h
        mov eax, dword ptr [00002B12h]
        test eax, eax
        jle 00007FF6849E82EAh
        cmp dword ptr [00002B0Bh], 00000000h
        jle 00007FF6849E82E1h
        dec eax
        mov edx, dword ptr [00049E42h]
        dec eax
        cwde
        dec eax
        mov dword ptr [ecx+eax], edx
        dec eax
        arpl word ptr [00002AF5h], ax
        dec eax
        mov edx, dword ptr [00049E36h]
        dec eax
        mov dword ptr [ecx+eax], edx
        dec eax
        add esp, 18h
        ret
        push ebx
        dec eax
        sub esp, 00000500h
        dec eax
        mov ebx, dword ptr [edx+08h]
        mov dword ptr [esp+60h], 00100002h
        dec esp
        mov dword ptr [esp+28h], eax
        dec eax
        lea edx, dword ptr [esp+30h]
        dec eax
        mov ecx, ebx
        call dword ptr [00049E1Eh]
        test eax, eax
        dec esp
        mov eax, dword ptr [esp+28h]
        je 00007FF6849E82E6h
        dec esp
        mov dword ptr [esp+000000B0h], eax
        dec eax
        lea edx, dword ptr [esp+30h]
        dec eax
        mov ecx, ebx
        call dword ptr [00049E5Fh]
        test eax, eax
        je 00007FF6849E82CCh
        dec eax
        mov ecx, ebx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4b000 | 0xb74 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x48000 | 0x2ac | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4d000 | 0x28 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4b2c0 | 0x270 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy
.text | 0x1000 | 0x2400 | 0x2400 | False | 0.5936414930555556 | data | 6.129764070813093
  Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x4000 | 0x42490 | 0x42600 | False | 0.6019781367702448 | data | 7.3657766804633775
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x47000 | 0x310 | 0x400 | False | 0.4541015625 | data | 4.1965610649629825
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x48000 | 0x2ac | 0x400 | False | 0.3740234375 | data | 3.1610117624320244
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x49000 | 0x268 | 0x400 | False | 0.2587890625 | data | 2.847508632820401
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x4a000 | 0xa60 | 0x0 | False | 0 | empty | 0.0
  Characteristics: IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x4b000 | 0xb74 | 0xc00 | False | 0.3372395833333333 | data | 4.3479190304641575
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x4c000 | 0x68 | 0x200 | False | 0.0703125 | data | 0.2694448386073115
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x4d000 | 0x48 | 0x200 | False | 0.052734375 | data | 0.21776995545804623
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Imports
ADVAPI32.dll | RegisterServiceCtrlHandlerA, SetServiceStatus, StartServiceCtrlDispatcherA
KERNEL32.dll | CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateProcessA, CreateThread, DeleteCriticalSection, EnterCriticalSection, ExitProcess, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentVariableA, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetThreadContext, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, QueryPerformanceCounter, ReadFile, ResumeThread, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetThreadContext, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAllocEx, VirtualProtect, VirtualProtectEx, VirtualQuery, WriteFile, WriteProcessMemory
msvcrt.dll | __C_specific_handler, __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _lock, _onexit, _snprintf, _unlock, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf
        No network behavior found
        No statistics
Target ID: 0
Start time: 16:08:59
Start date: 08/01/2023
Path: C:\Users\user\Desktop\8082-svc-x64.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\8082-svc-x64.exe
Imagebase: 0x400000
File size: 289280 bytes
MD5 hash: 89BE3BE20CA0DCE73C12A5A015BCB9A5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

        No disassembly