Source: elevation_service.exe |
Static PE information: certificate valid |
Source: elevation_service.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: |
Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe |
Source: |
Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe |
Source: elevation_service.exe |
String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff |
Source: elevation_service.exe |
String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith |
Source: C:\Users\user\Desktop\elevation_service.exe |
Code function: String function: 00007FF72351350C appears 71 times |
|
Source: elevation_service.exe |
Static PE information: Number of sections : 11 > 10 |
Source: elevation_service.exe |
Binary or memory string: OriginalFilename vs elevation_service.exe |
Source: classification engine |
Classification label: clean18.winEXE@9/2@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03 |
Source: C:\Windows\SysWOW64\sc.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: elevation_service.exe |
String found in binary or memory: partition_alloc/address_space |
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create OZgQJ binpath= "C:\Users\user\Desktop\elevation_service.exe" >> C:\servicereg.log 2>&1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\sc.exe sc create OZgQJ binpath= "C:\Users\user\Desktop\elevation_service.exe" |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start OZgQJ >> C:\servicestart.log 2>&1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\sc.exe sc start OZgQJ |
|
Source: unknown |
Process created: C:\Users\user\Desktop\elevation_service.exe C:\Users\user\Desktop\elevation_service.exe |
|
Source: C:\Users\user\Desktop\elevation_service.exe |
Section loaded: dbghelp.dll |
Source: C:\Users\user\Desktop\elevation_service.exe |
Section loaded: kernel.appcore.dll |
Source: initial sample |
Static PE information: Valid certificate with Microsoft Issuer |
Source: elevation_service.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: elevation_service.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: elevation_service.exe |
Static file information: File size 1838024 > 1048576 |
Source: elevation_service.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15c800 |
Source: elevation_service.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: elevation_service.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: elevation_service.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: elevation_service.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: elevation_service.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: elevation_service.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: elevation_service.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: elevation_service.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: elevation_service.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: elevation_service.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: elevation_service.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: elevation_service.exe |
Static PE information: section name: .gxfg |
Source: elevation_service.exe |
Static PE information: section name: .retplne |
Source: elevation_service.exe |
Static PE information: section name: LZMADEC |
Source: elevation_service.exe |
Static PE information: section name: _RDATA |
Source: C:\Users\user\Desktop\elevation_service.exe |
API coverage: 9.1 % |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\elevation_service.exe |
Code function: 6_2_00007FF7234E1D9C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\elevation_service.exe |
Code function: 6_2_00007FF723487204 _Init_thread_header,GetProcessHeap,_Init_thread_header, |
Source: C:\Users\user\Desktop\elevation_service.exe |
Code function: 6_2_00007FF7234CE438 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\Desktop\elevation_service.exe |
Code function: 6_2_00007FF723510928 IsValidSid,GetSecurityDescriptorDacl,SetSecurityDescriptorDacl, |
Source: C:\Users\user\Desktop\elevation_service.exe |
Code function: 6_2_00007FF7234CE6E4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |