Edit tour

Windows Analysis Report
elevation_service.exe

Overview

General Information

Sample Name:	elevation_service.exe
Analysis ID:	898887
MD5:	460b1c214753fd074b1199f39f4b16e7
SHA1:	e1141cf9de09895a09a9da9f765dfa45305d5733
SHA256:	acd0e444fdbcc6f55e5813ac188e6178af7164811772a5e4d16df39a990b02da
Tags:	exe
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to evade analysis by execution special instruction (VM detection)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect debuggers (CloseHandle check)

PE file contains section with special chars

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

May sleep (evasive loops) to hinder dynamic analysis

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

PE file contains sections with non-standard names

Contains capabilities to detect virtual machines

Sample execution stops while process was sleeping (likely an evasion)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Entry point lies outside standard sections

Classification

Process Tree

System is w10x64

elevation_service.exe (PID: 3188 cmdline: C:\Users\user\Desktop\elevation_service.exe MD5: 460B1C214753FD074B1199F39F4B16E7)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: elevation_service.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: elevation_service.exe	ReversingLabs: Detection: 48%
Source: elevation_service.exe	Virustotal: Detection: 59%			Perma Link

Source: global traffic	TCP traffic: 192.168.2.7:49698 -> 3.235.182.74:50550
Source: global traffic	TCP traffic: 192.168.2.7:49699 -> 3.235.182.75:50551
Source: global traffic	TCP traffic: 192.168.2.7:49704 -> 3.235.182.72:50550
Source: global traffic	TCP traffic: 192.168.2.7:49716 -> 3.235.182.71:50550
Source: global traffic	TCP traffic: 192.168.2.7:49720 -> 3.235.182.76:50550

Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.74
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.74
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.74
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.72
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.72
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.72
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75
Source: unknown	TCP traffic detected without corresponding DNS query: 3.235.182.75

Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: elevation_service.exe, 00000000.00000003.359688367.00000000049D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0abe99a8c0154
Source: elevation_service.exe, 00000000.00000003.368357029.0000000000554000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enz

System Summary

PE file contains section with special chars

Source: elevation_service.exe	Static PE information: section name: \buA
Source: elevation_service.exe	Static PE information: section name: S1]A
Source: elevation_service.exe	Static PE information: section name: tQV@
Source: elevation_service.exe	Static PE information: section name: :',T
Source: elevation_service.exe	Static PE information: section name: jx#X
Source: elevation_service.exe	Static PE information: section name: !#@I

Source: elevation_service.exe	ReversingLabs: Detection: 48%
Source: elevation_service.exe	Virustotal: Detection: 59%

Source: C:\Users\user\Desktop\elevation_service.exe

File read: C:\Users\user\Desktop\elevation_service.exe

Jump to behavior

Source: C:\Users\user\Desktop\elevation_service.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\elevation_service.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A14510E53DB561E5357A8B1006783B5325616D2E

Jump to behavior

Source: classification engine

Classification label: mal84.evad.winEXE@1/4@0/5

Source: C:\Users\user\Desktop\elevation_service.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\elevation_service.exe

File opened: C:\Users\user\Desktop\loader.cfg

Jump to behavior

Source: elevation_service.exe

Static file information: File size 7072768 > 1048576

Source: elevation_service.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: elevation_service.exe

Static PE information: Raw size of jx#X is bigger than: 0x100000 < 0x6bca00

Source: elevation_service.exe	Static PE information: section name: \buA
Source: elevation_service.exe	Static PE information: section name: S1]A
Source: elevation_service.exe	Static PE information: section name: 4MKc
Source: elevation_service.exe	Static PE information: section name: tQV@
Source: elevation_service.exe	Static PE information: section name: Klhc
Source: elevation_service.exe	Static PE information: section name: :',T
Source: elevation_service.exe	Static PE information: section name: jx#X
Source: elevation_service.exe	Static PE information: section name: !#@I

Source: initial sample

Static PE information: section where entry point is pointing to: jx#X

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\elevation_service.exe	Memory written: PID: 3188 base: 7FFE46A70008 value: E9 7B A9 EA FF	Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	Memory written: PID: 3188 base: 7FFE4691A980 value: E9 90 56 15 00	Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	Memory written: PID: 3188 base: 7FFE46A8000D value: E9 6B 9B EC FF	Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	Memory written: PID: 3188 base: 7FFE46949B70 value: E9 AA 64 13 00	Jump to behavior

Source: C:\Users\user\Desktop\elevation_service.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior

Malware Analysis System Evasion

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\elevation_service.exe	Special instruction interceptor: First address: 0000000140D250C2 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\elevation_service.exe	Special instruction interceptor: First address: 0000000140D250DB instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\elevation_service.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXELZ
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE7
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEOT
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXE
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Users\user\Desktop\elevation_service.exe	Window / User API: threadDelayed 3392			Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	Window / User API: threadDelayed 2620			Jump to behavior

Source: C:\Users\user\Desktop\elevation_service.exe TID: 3780

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\elevation_service.exe	File opened / queried: C:\Windows\System32\drivers\vmmemctl.sys	Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	File opened / queried: C:\Windows\System32\drivers\vmhgfs.sys	Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	File opened / queried: C:\Windows\System32\drivers\vmmouse.sys	Jump to behavior

Source: C:\Users\user\Desktop\elevation_service.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\elevation_service.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\elevation_service.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\elevation_service.exe

System information queried: ModuleInformation

Jump to behavior

Source: elevation_service.exe, 00000000.00000003.405853607.000000000511B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Windows\System32\drivers\vmmouse.sysK
Source: elevation_service.exe, 00000000.00000003.405853607.000000000511B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Windows\System32\drivers\vmmemctl.sys

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\elevation_service.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	Thread information set: HideFromDebugger			Jump to behavior

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\Desktop\elevation_service.exe

Handle closed: DEADC0DE

Source: C:\Users\user\Desktop\elevation_service.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\elevation_service.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\elevation_service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe
Source: elevation_service.exe, 00000000.00000003.364246693.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000000.00000003.363846714.00000000049BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	1 Credential API Hooking	1 Query Registry	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	24 Virtualization/Sandbox Evasion	LSASS Memory	541 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	24 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
elevation_service.exe	49%	ReversingLabs	Win64.Trojan.Lazy
elevation_service.exe	59%	Virustotal		Browse
elevation_service.exe	100%	Avira	HEUR/AGEN.1363251

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.235.182.74	unknown	United States	14618	AMAZON-AESUS	false
3.235.182.76	unknown	United States	14618	AMAZON-AESUS	false
3.235.182.75	unknown	United States	14618	AMAZON-AESUS	false
3.235.182.72	unknown	United States	14618	AMAZON-AESUS	false
3.235.182.71	unknown	United States	14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	898887
Start date and time:	2023-07-03 14:30:25 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	elevation_service.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@1/4@0/5
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, store-images.s-microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:31:30	API Interceptor	2x Sleep call for process: elevation_service.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
3.235.182.74	b0GMOZ4PW2.exe	Get hash	malicious	RedLine	Browse
	4YUEwzd51R.exe	Get hash	malicious	RedLine	Browse
	AAiOcCWxl2.exe	Get hash	malicious	RedLine	Browse
3.235.182.75	b0GMOZ4PW2.exe	Get hash	malicious	RedLine	Browse
	4YUEwzd51R.exe	Get hash	malicious	RedLine	Browse
	AAiOcCWxl2.exe	Get hash	malicious	RedLine	Browse
3.235.182.72	4YUEwzd51R.exe	Get hash	malicious	RedLine	Browse
3.235.182.72	AAiOcCWxl2.exe	Get hash	malicious	RedLine	Browse
3.235.182.71	4YUEwzd51R.exe	Get hash	malicious	RedLine	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	7hKLHvx6DQ.elf	Get hash	malicious	Mirai	Browse	18.214.158.53
	b9yhATZQag.elf	Get hash	malicious	Mirai	Browse	54.140.144.86
	https://kuqgprhp.page.link/EwdR	Get hash	malicious	Unknown	Browse	34.206.145.97
	TeS97Heaps.exe	Get hash	malicious	RedLine	Browse	52.205.130.115
	TeS97Heaps.exe	Get hash	malicious	RedLine	Browse	52.73.64.126
	Harsha_Salesforce.docx.doc	Get hash	malicious	HTMLPhisher	Browse	52.6.206.253
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	44.213.105.101
	xd.arm.elf	Get hash	malicious	Mirai	Browse	34.224.62.152
	ws1ZjQn4Z7.elf	Get hash	malicious	Mirai	Browse	23.22.210.74
	hotnet.arm7.elf	Get hash	malicious	Mirai	Browse	34.207.111.123
	sora.arm.elf	Get hash	malicious	Mirai	Browse	23.21.203.18
	ho76jTHVS2.elf	Get hash	malicious	Mirai	Browse	18.211.3.61
	JyNMl1Ygt5.elf	Get hash	malicious	Mirai	Browse	18.211.87.125
	mirai.x86.elf	Get hash	malicious	Mirai	Browse	107.22.72.160
	mirai.arm7.elf	Get hash	malicious	Mirai	Browse	54.33.108.159
	https://mail.kb4.io/XU1hkWVdXbFNUMGt2WkRGWVpGRXlSRGRYYjFWVFUweHpUMHRUVDNWM1VFNUJjRE5yTDBKbmFtczRZVkpCTWtsTGRrMUdjbUVyY1dseE4xa3ZhSFZvYW5wMlRFa3lja1pHTmtGQmMwdzVabXBSTm1kVGFVODBiVFZNVEc4NFdtbDVkbU5MZURkUkwwVnhUM2xsWkRWR1NsZFplVk5UVFVGb2MySnFWVzF2ZVRaaWFrMUhhbU5pWkcxaVpTOWlPRFExWVV4TVFVRlFOMVZsZFZSMlNUSXJZbXgwVXpWWVkwWTViMjFCUFMwdE9HTjRTbGxVZG5ZMWJrdEJhVVZqV2k5TmFHbEhVVDA5LS1lODhjY2RhODVjOTIzNTdiMWU2ZTAxNTQyMWEyNmZhN2YzNDhiZTUy?cid=1626895366	Get hash	malicious	Unknown	Browse	52.204.187.149
	https://mail.kb4.io/XU1hkWVdXbFNUMGt2WkRGWVpGRXlSRGRYYjFWVFUweHpUMHRUVDNWM1VFNUJjRE5yTDBKbmFtczRZVkpCTWtsTGRrMUdjbUVyY1dseE4xa3ZhSFZvYW5wMlRFa3lja1pHTmtGQmMwdzVabXBSTm1kVGFVODBiVFZNVEc4NFdtbDVkbU5MZURkUkwwVnhUM2xsWkRWR1NsZFplVk5UVFVGb2MySnFWVzF2ZVRaaWFrMUhhbU5pWkcxaVpTOWlPRFExWVV4TVFVRlFOMVZsZFZSMlNUSXJZbXgwVXpWWVkwWTViMjFCUFMwdE9HTjRTbGxVZG5ZMWJrdEJhVVZqV2k5TmFHbEhVVDA5LS1lODhjY2RhODVjOTIzNTdiMWU2ZTAxNTQyMWEyNmZhN2YzNDhiZTUy?cid=1626895366	Get hash	malicious	Unknown	Browse	52.204.187.149
	https://mail.kb4.io/XU1hkWVdXbFNUMGt2WkRGWVpGRXlSRGRYYjFWVFUweHpUMHRUVDNWM1VFNUJjRE5yTDBKbmFtczRZVkpCTWtsTGRrMUdjbUVyY1dseE4xa3ZhSFZvYW5wMlRFa3lja1pHTmtGQmMwdzVabXBSTm1kVGFVODBiVFZNVEc4NFdtbDVkbU5MZURkUkwwVnhUM2xsWkRWR1NsZFplVk5UVFVGb2MySnFWVzF2ZVRaaWFrMUhhbU5pWkcxaVpTOWlPRFExWVV4TVFVRlFOMVZsZFZSMlNUSXJZbXgwVXpWWVkwWTViMjFCUFMwdE9HTjRTbGxVZG5ZMWJrdEJhVVZqV2k5TmFHbEhVVDA5LS1lODhjY2RhODVjOTIzNTdiMWU2ZTAxNTQyMWEyNmZhN2YzNDhiZTUy?cid=1626895366	Get hash	malicious	Unknown	Browse	52.204.187.149
	mL4IEDQW6e.elf	Get hash	malicious	Mirai	Browse	54.46.149.129
	Dwy6h972nW.elf	Get hash	malicious	Mirai	Browse	44.199.68.240

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c068ffb4df93dc0fffc51de71ab3eac4_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\elevation_service.exe
File Type:	data
Category:	dropped
Size (bytes):	2249
Entropy (8bit):	7.631644007308061
Encrypted:	false
SSDEEP:	48:HUap0gM7dsUqnSOVU6HqibualWYohdCOJ1o0pJzxVnx0XTQO9iMgbY:0dgM7dsZSQZDBUdCOEszzuXTfvoY
MD5:	8A956CEEC1011D712452017570ACAB89
SHA1:	2AAC41333F4F00F558243778E29237C1A230669F
SHA-256:	E3DA106F16ECE5EC7D9D9D0D3F547094AB72A716B1F70E2B83E811F2695D9F9B
SHA-512:	9CE199B55EF357E25175B93417FCED3F2F6620FC771B32E7E9BD2DE9093CEE2B36B6C4E7CEF1A577BC4FD888B077537F11B048463B2EE47D46123DF5D14071EB
Malicious:	false
Reputation:	low
Preview:	........%.......P.......................45198b4b-4377-474f-b2b4-71553e672f97.....................RSA1....................\;.....$........>9"0...k....R...z.\..g....0...1..?.]..M.4..d......$V)..mZ.2.03..d..F..fQ9..n..A.rU._R..h..Z..wO._O...k..+...: ..O.5...lJN.....{.tnk...M.(.Y5....v.g...>.6..nN5.RG[&...."..>$. ..9+.;QA...f....`..1i.y`....#._.h'...e..Q.kC.I......................z..O.........??O.._v..u.....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... .......M.....^3...L.t.... ..LcX.w............ ....}B.Z.>..kQB8..&#.Ly....>....P....-..=_.....`......\|7;.y.5Xe....j...H"..a....&.A.@..=;.R.....!.X..i>..<.e.."...z.."bM.e...0.r.r...`i'.B.w......g6....q.A.#f..8F..4F..D}m.$....:(.*.Z....F...0.ls...-a....Y...3.m./....z.A... ..A.m..VB.g7$_.I....Sk.pV...\|..b.l.:9..E.r.o.6.X>.AaOt_SF..-.D.......&c.....y.1.V..F....0.Y.....].4.'...].'.B.(.i.].f.M.v..$......'``......-3....X.K...B.\.E.jPR..cpU...4g.../.....vR...uG.>..z.F..-.;x.<(.n..u(u...D....\|

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\elevation_service.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 63843 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	63843
Entropy (8bit):	7.99568798138569
Encrypted:	true
SSDEEP:	1536:MRxM2u+06GOIVUvVmMKAfUfsrPa1jfCu18ZNMe3v:KMH+F3IacMZ2CPACu1GN7v
MD5:	3AC860860707BAAF32469FA7CC7C0192
SHA1:	C33C2ACDABA0E6FA41FD2F00F186804722477639
SHA-256:	D015145D551ECD14916270EFAD773BBC9FD57FAD2228D2C24559F696C961D904
SHA-512:	D62AD2408C969A95550FB87EFDA50F988770BA5E39972041BF85924275BAF156B8BEC309ECC6409E5ACDD37EC175DEA40EFF921AB58933B5B5B5D35A6147567C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....c.......,...................I..................V. .authroot.stl....e/5..CK..8U....a..t2.1.P. J.".t..2F2e....&))$7I.4...e...+SJE...[.T/..{......c.k....?..Z....bz..qzq.l...,.{...i......39..a.ia....&.3.L2...CTf....I7. ....o.2.0a1m.PG.t.......GH.k.6#L.t2.4._.Y!B.h.....NP~..<Z.G..F#..x"f%...x.aF(.J.3...bf7y.j....)...3......y7UZ..7g~9......."._.t_"K.S...">..,.......V..}.K.Vv3[...A.9O..Ea\..+CEv...6CBKt...K..5qa....!..<./X.......r.. ?(.\[. ......y..... ..V.s.`...k@.`........p...GY..;.`....v..ou..........GH.6.l...P2.(8g.....".......-#...h.U.t..{o./e.wAST.f}0R.(.NM.{...{.=Ch.va'.?W...C....T.pw=.W~+......u.`D.)(..VdN. .py@...%...YY.>.`.....Y.U........}...9....\V~=..-...Q......_0.o.nZ....(6.....4.}.`...s.O.K5.W..4.....s,}...6.....'.8&}.{.....RlZ.?.D4).(.....O......V..V.pk.:]...,.f`D..e.SO.G.%.:).......eo.bU}.....g..$.gui..h.;-....he(.XoY;..6a..x..`lq....:.F!..l.X....!...Lg..53.._....S..G..`...N\|..Zx..o.#}Lnd1.V.eE....I.'..`.....KnN....3....{.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\elevation_service.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.1069382162801005
Encrypted:	false
SSDEEP:	6:kKWoFN+SkQlPlEGYRMY9z+4KlDA3RUeg/U3lWQy:+o2kPlE99SNxAhUe7oQy
MD5:	B45D6BE7C0FC98530D13C38C16BC453B
SHA1:	04FA371B5EC71251E2AF84809D8A63347EC00D09
SHA-256:	E2D8F44A41E0D588861C686C7B8DAC4845E9A60E37D91ECCE5F2BA6C5CD3E6EF
SHA-512:	646A89416F70535C4F209827405AD827D7C3BEFFB851ED268ECC529DF66C11FC83963CF3778937A31356E46238911CAB61B70EB5536C1F5A99B93B0BCA64486D
Malicious:	false
Reputation:	low
Preview:	p...... .........]7.....(....................................................... ............w......(...........c...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".4.6.e.e.f.7.f.b.9.e.7.7.d.9.1.:.0."...

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A14510E53DB561E5357A8B1006783B5325616D2E

Download File

Process:	C:\Users\user\Desktop\elevation_service.exe
File Type:	data
Category:	dropped
Size (bytes):	988
Entropy (8bit):	6.886301784022494
Encrypted:	false
SSDEEP:	24:8fmQpZduchqyxlgvFIg775kT6vxxLEMDAgPDsn8RF+q:8995hzevDH5iexxDAgP4qP
MD5:	88F9F5DFC718C4A6A669AF76505AAC1B
SHA1:	1A2C59E624A1D7BDBF06FCC6757E8399CF98B5AB
SHA-256:	437CFC9C6A67FFF1F29A5FB834C3548ECBE353A19F89E71E361B9B3FB5101521
SHA-512:	264732FFBCC34914A2B7F2B78D59EC450F2696D8F7DFCF78305B3D19E8EE84F8391C933A26D06E6CDE37C817E45967B01F172C1E77F86C2444E3B13962993742
Malicious:	false
Reputation:	low
Preview:	.............D:.kNH.......B~bb..............d.d.d.d.d...............m.i.c.r.o.s.o.f.t...............0...+...............l............... ...............4.5.1.9.8.b.4.b.-.4.3.7.7.-.4.7.4.f.-.b.2.b.4.-.7.1.5.5.3.e.6.7.2.f.9.7......................E..=.a.5z...x;S%am. ...........0...0..........4&x....EM.5.z.0....H........0.1.0...U....user at 9281000...230703213138Z..280703213138Z0.1.0...U....user at 9281000.."0....H.............0..........I.Ck.Q..e...'h._.#....`y.i1..`....f...AQ;.+9.. .$>..".....&[GR.5Nn..6.>....g.v....5Y.(.M...knt..{.....NJl...5.O.. :...+.k..O_.Ow..Z..h...R_.Ur.A..n..9Qf..F....d..30.2.Zm..)V$.....d...4.M..].?..1...0....g..\..z...R...k.....0"9>........$.....;\.......0...*.H.............e.n..L..6<........r.a8..p.&.j.,.s......t4...d.V.........t3.....m..._.e?......B..JvX..6.........ti..3.u....KW......T7w\.~W.=..x.../y..x..l..WD...B..;..#....:)F.....$..j....X.C_JT.O..d..>(.....H.n.]..(d.J4..f.X!. ...3......b.D....&G.Ba

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.9784131499944895
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	elevation_service.exe
File size:	7'072'768 bytes
MD5:	460b1c214753fd074b1199f39f4b16e7
SHA1:	e1141cf9de09895a09a9da9f765dfa45305d5733
SHA256:	acd0e444fdbcc6f55e5813ac188e6178af7164811772a5e4d16df39a990b02da
SHA512:	2e9c8ee99cfa3036925c393c89f694316a51e8a3ba8b1064ae8ca57f46d376d326845fcabcb1a71f1690c57ffefc40920e16cb746203f9200eda832ee5671955
SSDEEP:	196608:iSDSze9+mJgHcPhwURN7VUb6MZH58iBK+JD0m1:iG8e9+Eo6N7VUbX8iBqe
TLSH:	8D663349F44CC8FEC20757F97D85052821942CBACDBCB9706CC6AA0D66DA4C632FA7D6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......d..........#......J...v.................@.............................0............ ................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1408a087f
Entrypoint Section:	jx#X
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6490990D [Mon Jun 19 18:06:05 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	68357c739eedda1d4eeb09913f1c13ef

Entrypoint Preview

Instruction
call 00007F85C4DF2331h
imul esi, dword ptr [eax+4Fh], 7FED9618h
imul esi, dword ptr [edi+eax*4-43h], A1755579h
lea eax, dword ptr [A17555F1h]
sub eax, 75556195h
mov eax, dword ptr [557185EDh]
jne 00007F85C4E3BCB3h
fstp qword ptr [ebp-5E8AAA87h]
in eax, dx
lea ecx, dword ptr [ecx+4DA17555h]
add eax, A17555F1h
sbb eax, 0DA4023Dh
sub byte ptr [eax-0D21D6D0h], dh
xlatb
xchg eax, edx
pop edi
jno 00007F85C4E3BC9Ch
popfd
fisttp qword ptr [edx]
push edi
jc 00007F85C4E3BCCFh
retf
adc eax, 9D0D5502h
leave
sti
cmpsb
jnbe 00007F85C4E3BCF8h
mov esp, dword ptr [C7A72F52h+ebx]
and byte ptr [edi-21305D85h], dh
adc cl, dl
pop eax
or dword ptr [edi-10h], 0F55036Eh
popfd
xor dword ptr [ebx], edx
mov dword ptr [CA3F536Fh], eax
fstsw word ptr [edx+0AA49997h]
adc edi, dword ptr [BF1F9C69h]
pop edx
aas
clc
cmpsb
adc eax, 6A65B8C0h
adc al, 56h
out dx, al
or al, 28h
lds edi, ebp
jns 00007F85C4E3BCDBh
scasd
mov word ptr fs:[BCAFC979h], ds
js 00007F85C4E3BCE7h
jns 00007F85C4E3BCDBh
scasd
and byte ptr [40AFC979h+edi*8], bl
xchg eax, esp
jns 00007F85C4E3BCDCh
scasd
movsb
mov ah, 75h
jns 00007F85C4E3BCDBh
scasd
mov al, D0h
push ebp
jns 00007F85C4E3BCDBh
scasd
mov ah, D4h
jnp 00007F85C4E3BCE1h
dec eax
popad
cdq
test byte ptr [ebx+00000080h], bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73b778	0x2bc	jx#X
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda2000	0x2e1	!#@I
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xd8f8c0	0x12024	jx#X
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8a0640	0x28	jx#X
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xd8f780	0x138	jx#X
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6e3000	0x248	:',T
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
\buA	0x1000	0xf48ae	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
S1]A	0xf6000	0x824f6	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4MKc	0x179000	0xc4f10	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tQV@	0x23e000	0xf4b0	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Klhc	0x24e000	0x49471b	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
:',T	0x6e3000	0x18f8	0x1a00	False	0.034555288461538464	data	0.22908354468379413	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jx#X	0x6e5000	0x6bc8e4	0x6bca00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
!#@I	0xda2000	0x2e1	0x400	False	0.3994140625	data	4.294080996765855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xda2058	0x289	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5500770416024653

Imports

DLL	Import
KERNEL32.dll	ResumeThread
USER32.dll	SetLayeredWindowAttributes
GDI32.dll	DeleteObject
ADVAPI32.dll	GetUserNameW
SHELL32.dll	SHGetKnownFolderPath
ole32.dll	CoCreateGuid
OLEAUT32.dll	VariantClear
ntdll.dll	NtResumeThread
MSVCP140.dll	??0_Lockit@std@@QEAA@H@Z
SHLWAPI.dll	PathFindExtensionW
IMM32.dll	ImmGetContext
WS2_32.dll	closesocket
CRYPT32.dll	CertAddCertificateContextToStore
Secur32.dll	InitSecurityInterfaceW
d3d11.dll	D3D11CreateDeviceAndSwapChain
D3DCOMPILER_47.dll	D3DCompile
gdiplus.dll	GdipSaveImageToFile
DNSAPI.dll	DnsNameCompare_W
RPCRT4.dll	UuidCreate
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memcmp
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode
api-ms-win-crt-runtime-l1-1-0.dll	exit
api-ms-win-crt-stdio-l1-1-0.dll	fread
api-ms-win-crt-string-l1-1-0.dll	isalnum
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-convert-l1-1-0.dll	strtol
api-ms-win-crt-filesystem-l1-1-0.dll	_lock_file
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-locale-l1-1-0.dll	___lc_codepage_func
KERNEL32.dll	GetSystemTimeAsFileTime
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 132
• 50551 undefined
• 50550 undefined

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2023 14:31:30.597173929 CEST	49698	50550	192.168.2.7	3.235.182.74
Jul 3, 2023 14:31:30.597449064 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:30.742381096 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:30.742512941 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:31.089508057 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:31.290014029 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:31.359725952 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:31.404283047 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:31.551101923 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:31.600106955 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:32.553284883 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:32.698157072 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:33.600275993 CEST	49698	50550	192.168.2.7	3.235.182.74
Jul 3, 2023 14:31:33.704619884 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:33.709623098 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:33.854357958 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:33.865304947 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:33.913711071 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:33.988461018 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:34.134092093 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:34.178889036 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:34.992259026 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:35.147378922 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:35.188891888 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:35.292190075 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:36.303673029 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:36.448745012 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:37.460007906 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:37.605185032 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:38.616298914 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:38.761224031 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:39.617151022 CEST	49698	50550	192.168.2.7	3.235.182.74
Jul 3, 2023 14:31:39.772654057 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:39.917635918 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:40.929073095 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:41.073945045 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:42.086055040 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:42.230946064 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:43.257349968 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:43.402297974 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:44.424334049 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:44.569297075 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:45.773195982 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:45.918108940 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:46.969638109 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:47.115120888 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:48.148348093 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:48.293143034 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:49.460973024 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:49.605737925 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:50.648586035 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:50.793452978 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:51.657790899 CEST	49704	50550	192.168.2.7	3.235.182.72
Jul 3, 2023 14:31:51.804935932 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:51.953469038 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:52.961333990 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:53.106431007 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:54.117821932 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:54.263448000 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:54.664621115 CEST	49704	50550	192.168.2.7	3.235.182.72
Jul 3, 2023 14:31:55.281227112 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:55.426029921 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:56.430350065 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:56.575150967 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:57.586646080 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:57.731514931 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:58.743009090 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:31:58.887893915 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:31:59.899456024 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:00.044322014 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:00.665059090 CEST	49704	50550	192.168.2.7	3.235.182.72
Jul 3, 2023 14:32:01.056057930 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:01.200858116 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:02.212251902 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:02.359525919 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:03.368618011 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:03.513473988 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:04.592962027 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:04.737869024 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:05.899991989 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:06.045228004 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:07.087480068 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:07.232316971 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:08.384654999 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:08.529582977 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:09.541423082 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:09.686275005 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:10.697273970 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:10.842112064 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:11.853641987 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:11.998518944 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:12.666959047 CEST	49716	50550	192.168.2.7	3.235.182.71
Jul 3, 2023 14:32:13.009941101 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:13.155199051 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:14.166253090 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:14.311067104 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:15.322572947 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:15.467289925 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:15.667200089 CEST	49716	50550	192.168.2.7	3.235.182.71
Jul 3, 2023 14:32:16.478934050 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:16.623780966 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:17.635284901 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:17.780086994 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:18.791707993 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:18.936599970 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:19.954545975 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:20.101963997 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:21.104481936 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:21.249509096 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:21.682528019 CEST	49716	50550	192.168.2.7	3.235.182.71
Jul 3, 2023 14:32:22.276314020 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:22.421109915 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:23.432677984 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:23.577459097 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:24.760898113 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:24.905781984 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:25.948677063 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:26.093993902 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:27.104958057 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:27.250049114 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:28.261199951 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:28.406074047 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:29.417520046 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:29.562446117 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:30.573879957 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:30.719019890 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:31.730283022 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:31.875570059 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:32.886543036 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:33.031264067 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:33.699908972 CEST	49720	50550	192.168.2.7	3.235.182.76
Jul 3, 2023 14:32:34.199172020 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:34.344228983 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:35.402409077 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:35.547482967 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:36.590097904 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:36.735049963 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:36.902786970 CEST	49720	50550	192.168.2.7	3.235.182.76
Jul 3, 2023 14:32:37.902589083 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:38.047393084 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:39.090533018 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:39.235416889 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:40.309083939 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:40.453876019 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:41.590445995 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:41.735244036 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:42.793658972 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:42.938416004 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:43.090575933 CEST	49720	50550	192.168.2.7	3.235.182.76
Jul 3, 2023 14:32:44.090698004 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:44.235670090 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:45.403253078 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:45.548165083 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:46.591125011 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:46.736131907 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:47.903440952 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:48.048183918 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:49.059783936 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:49.204690933 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:50.216197968 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:50.362689972 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:51.372558117 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:51.517221928 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:52.528848886 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:52.673568964 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:53.685142994 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:53.830022097 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:54.841540098 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:54.986773014 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:55.997917891 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:56.142911911 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:57.154293060 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:57.233958960 CEST	49728	50550	192.168.2.7	3.235.182.74
Jul 3, 2023 14:32:57.299263000 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:58.310564995 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:58.457300901 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:32:59.466949940 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:32:59.613682985 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:00.248224974 CEST	49728	50550	192.168.2.7	3.235.182.74
Jul 3, 2023 14:33:00.623274088 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:00.768069029 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:01.795264006 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:01.940133095 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:03.107817888 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:03.252976894 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:04.311049938 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:04.455802917 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:05.467439890 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:05.612351894 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:06.248790026 CEST	49728	50550	192.168.2.7	3.235.182.74
Jul 3, 2023 14:33:06.623811960 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:06.768722057 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:07.776482105 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:07.921520948 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:08.927824974 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:09.072602987 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:10.142143011 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:10.286922932 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:11.358277082 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:11.503168106 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:12.544303894 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:12.689317942 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:13.756696939 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:13.901652098 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:15.057492971 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:15.206538916 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:16.245424986 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:16.390361071 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:17.557723045 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:17.702574968 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:18.480819941 CEST	49740	50550	192.168.2.7	3.235.182.72
Jul 3, 2023 14:33:18.745377064 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:18.890728951 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:20.058459044 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:20.203267097 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:21.245552063 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:21.390718937 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:21.560168028 CEST	49740	50550	192.168.2.7	3.235.182.72
Jul 3, 2023 14:33:22.558239937 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:22.703197956 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:23.746525049 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:23.898246050 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:25.058357000 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:25.203119040 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:26.245902061 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:26.396981001 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:27.558634043 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:27.703636885 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:27.746144056 CEST	49740	50550	192.168.2.7	3.235.182.72
Jul 3, 2023 14:33:28.746325970 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:28.891211987 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:30.058777094 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:30.203779936 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:31.246390104 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:31.391170979 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:32.559052944 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:32.703924894 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:33.746628046 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:33.891510010 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:34.902929068 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:35.047759056 CEST	50551	49699	3.235.182.75	192.168.2.7
Jul 3, 2023 14:33:36.059258938 CEST	49699	50551	192.168.2.7	3.235.182.75
Jul 3, 2023 14:33:36.204490900 CEST	50551	49699	3.235.182.75	192.168.2.7

Statistics

CPU Usage

• elevation_service.exe

Click to jump to process

Memory Usage

• elevation_service.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

System Behavior

Analysis Process: elevation_service.exePID: 3188, Parent PID: 3320

Function Logs

General

Target ID:	0
Start time:	14:31:27
Start date:	03/07/2023
Path:	C:\Users\user\Desktop\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\elevation_service.exe
Imagebase:	0x140000000
File size:	7'072'768 bytes
MD5 hash:	460B1C214753FD074B1199F39F4B16E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Value Queried

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Written

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Show Windows behavior

Network Activities

Socket bound

Socket connected

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report elevation_service.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c068ffb4df93dc0fffc51de71ab3eac4_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\A14510E53DB561E5357A8B1006783B5325616D2E

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: elevation_service.exePID: 3188, Parent PID: 3320

General

File Activities

Windows Analysis Report
elevation_service.exe