Edit tour
Windows
Analysis Report
nsHwyCkyFr.exe
Overview
General Information
| Sample name: | nsHwyCkyFr.exerenamed because original name is a hash value |
| Original sample name: | 4a010c5abe2f5bb4dd6f31b03058bc1847e985a95a68d4e1bf0fb20c030c2307.exe |
| Analysis ID: | 1555000 |
| MD5: | c9c4ac12004cc6b946cb7d49b5eb5ee5 |
| SHA1: | 7e738b153194c9f54aac1b433f8e7efff3beafd5 |
| SHA256: | 4a010c5abe2f5bb4dd6f31b03058bc1847e985a95a68d4e1bf0fb20c030c2307 |
| Tags: | ConsolHQLTDexeuser-JAMESWT_MHT |
| Infos: | |
 | |
Detection
| Score: | 4 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 60% |
Signatures
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
nsHwyCkyFr.exe (PID: 7640 cmdline: "C:\Users\ user\Deskt op\nsHwyCk yFr.exe" MD5: C9C4AC12004CC6B946CB7D49B5EB5EE5) 
javaw.exe (PID: 7656 cmdline: "C:\Progra m Files (x 86)\Java\j re-1.8\bin \javaw.exe " -Dfile.e ncoding=UT F-8 -class path " org .develnext .jphp.ext. javafx.FXL auncher MD5: 6E0F4F812AE02FBCB744A929E74A04B8) 
icacls.exe (PID: 7744 cmdline: C:\Windows \system32\ icacls.exe C:\Progra mData\Orac le\Java\.o racle_jre_ usage /gra nt "everyo ne":(OI)(C I)M MD5: 2E49585E4E08565F52090B144062F97E) 
conhost.exe (PID: 7756 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00405D30 | |
| Source: | Code function: | 0_2_004013B0 | |
| Source: | Code function: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 0_2_00401ED0 | |
| Source: | Code function: | 0_2_00402CB0 | |
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_0279A225 | |
| Source: | Code function: | 1_2_0279A21A | |
| Source: | Code function: | 1_2_0279BB8D | |
| Source: | Code function: | 1_2_0279B3DD | |
| Source: | Code function: | 1_2_0279B96D | |
| Source: | Code function: | 1_2_0279C49D | |
| Source: | Process created: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00401150 | |
| Source: | Memory protected: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 1_2_027903C0 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Services File Permissions Weakness | 1 Services File Permissions Weakness | 1 Services File Permissions Weakness | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 22 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 5% | ReversingLabs | |||
| 3% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1555000 |
| Start date and time: | 2024-11-13 10:11:07 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 11s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | nsHwyCkyFr.exerenamed because original name is a hash value |
| Original Sample Name: | 4a010c5abe2f5bb4dd6f31b03058bc1847e985a95a68d4e1bf0fb20c030c2307.exe |
| Detection: | CLEAN |
| Classification: | clean4.winEXE@6/2@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
- Execution Graph export aborted for target javaw.exe, PID 7656 because it is empty
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtSetInformationFile calls found.
⊘No simulations
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher, Mamba2FA | Browse |
| ||
| Get hash | malicious | FormBook | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
|
⊘No context
⊘No context
⊘No context
| Process: | C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 52 |
| Entropy (8bit): | 4.803724516543196 |
| Encrypted: | false |
| SSDEEP: | 3:oFj4I5vpm4USdj5:oJ5bH |
| MD5: | 1C1C2F686D3CB33AE32A072792237050 |
| SHA1: | 1ADBFA9B9F7CB61E0B4E8CC5F1F662F43CAB89CB |
| SHA-256: | 6BF568D0EB022B4CC63148096B901C9DA0DD358C520B2D7F597D7CB4943110A0 |
| SHA-512: | 2BDD4D8059546B0A80274D548B8A45091B82860416C6669296F25AE08BC502DAB523A1EA289688B955D68ED2817310FC5326CCB9D831228BDBD0B2D5E1E03E36 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 1.235779558934585 |
| Encrypted: | false |
| SSDEEP: | 96:4y4r+F8GQvNbE5+Q6rOI28IQqSJYYBHG1bo1L:4yn8GQlbE5+Q67IsJ3HGd |
| MD5: | 72D109B4527B038C452A7271D06470C1 |
| SHA1: | B62EDADB250EF033942CCA5C5567F6C2BBA3F1D8 |
| SHA-256: | F6A3F0151E5D9AC87F2FEE122EE1105F3249C859AFA79D59D31E6AA50D150EB4 |
| SHA-512: | D03ED4484F6FA4C244362E6B1CCBBEF1268DA77B567F7D25FF6D6040800ED7176864ADA6D96D9A6361D3A10C4820D17E75712691FCDAD2E9BAF35E78E2DCBF09 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.4182780858750075 |
| TrID: |
|
| File name: | nsHwyCkyFr.exe |
| File size: | 80'968 bytes |
| MD5: | c9c4ac12004cc6b946cb7d49b5eb5ee5 |
| SHA1: | 7e738b153194c9f54aac1b433f8e7efff3beafd5 |
| SHA256: | 4a010c5abe2f5bb4dd6f31b03058bc1847e985a95a68d4e1bf0fb20c030c2307 |
| SHA512: | c324685c6a15299504c62724c3c465b28027e93269d1df325921ac3f9a531a60de4c6a0d1775ce0c4365717497146b7360b36b1b87c1d1bae6acc0e1adc68664 |
| SSDEEP: | 1536:RZ2FWSNhd/4131iae+a0jnLjujUi1QqJ6cF3PK:z2ddQ131iae+HjPujfJ6E3 |
| TLSH: | EC83CF43B50E50F1E62709B081DAEDFFCB30924981536506EF985E65DF2376ABC0E19B |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y:.f.................b........................@.................................|.....@... ............................ |
 | |
| Icon Hash: | bdb5bd98b3f3190d |
| Entrypoint: | 0x401290 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH |
| Time Stamp: | 0x66D73A79 [Tue Sep 3 16:34:01 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 6011984d7c1f1b97a34d7517a498bff8 |
| Signature Valid: | true |
| Signature Issuer: | CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | E4ED28FFAC43E82D3DB5467DE244B770 |
| Thumbprint SHA-1: | 787863161875446360E7486D3CF5E34E15DC8009 |
| Thumbprint SHA-256: | CA814262219EF4B9EF1CC76050E02D41B34F87AEF05D34FA378DAE913F4C784C |
| Serial: | 740833F89CC52CAE8CEA1984A66DBB66 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| sub esp, 08h |
| mov dword ptr [esp], 00000002h |
| call dword ptr [00413290h] |
| call 00007F0BACAE5C5Dh |
| nop |
| lea esi, dword ptr [esi+00000000h] |
| push ebp |
| mov ecx, dword ptr [004132C8h] |
| mov ebp, esp |
| pop ebp |
| jmp ecx |
| lea esi, dword ptr [esi+00h] |
| push ebp |
| mov ecx, dword ptr [004132B4h] |
| mov ebp, esp |
| pop ebp |
| jmp ecx |
| nop |
| nop |
| nop |
| nop |
| push ebp |
| mov edx, 00000080h |
| mov ebp, esp |
| push edi |
| xor eax, eax |
| lea edi, dword ptr [ebp-00000118h] |
| push esi |
| push ebx |
| sub esp, 0000011Ch |
| mov dword ptr [esp+08h], edx |
| mov dword ptr [esp+04h], eax |
| mov dword ptr [esp], edi |
| call 00007F0BACAEB8C4h |
| mov dword ptr [esp+04h], edi |
| mov dword ptr [esp], 00000018h |
| call 00007F0BACAE6B6Ch |
| test eax, eax |
| je 00007F0BACAE5E32h |
| mov dword ptr [esp], 00000000h |
| xor ecx, ecx |
| xor ebx, ebx |
| mov dword ptr [esp+04h], ebx |
| xor esi, esi |
| mov dword ptr [esp+0Ch], ecx |
| mov dword ptr [esp+08h], esi |
| call 00007F0BACAEBA26h |
| sub esp, 10h |
| test eax, eax |
| mov ebx, eax |
| je 00007F0BACAE5E07h |
| lea esi, dword ptr [ebp-00000098h] |
| mov esi, esi |
| mov dword ptr [esp+04h], esi |
| mov eax, 0000007Fh |
| mov dword ptr [esp+08h], eax |
| mov dword ptr [esp], ebx |
| call 00007F0BACAEBA08h |
| sub esp, 0Ch |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13000 | 0xaa8 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x9a0c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x11600 | 0x2648 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x13200 | 0x188 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x6080 | 0x6200 | 7a3818cabc9cf80103d368f58fbe48cf | False | 0.47401147959183676 | data | 5.982433201699597 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x8000 | 0x40 | 0x200 | 3d4489f93d799c2f1cd6cbf1959b8bcf | False | 0.052734375 | data | 0.1638075416558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x9000 | 0x510 | 0x600 | 0ba33aaa7c8de2d9ce0b1ff96bd9e64a | False | 0.46484375 | data | 5.01354615045612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ |
| .bss | 0xa000 | 0x8e30 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x13000 | 0xaa8 | 0xc00 | ef152b96063582fc8f2bd1e1fd8a5e6f | False | 0.3697916666666667 | data | 4.652641333274655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x14000 | 0x9a0c | 0x9c00 | 62b491b7e63c32ffaf9ad85db79d7cc7 | False | 0.9676732772435898 | data | 7.914760707660448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x14358 | 0x94d1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.9972963750426542 | ||
| RT_RCDATA | 0x1d82c | 0x4 | data | 3.0 | ||
| RT_RCDATA | 0x1d830 | 0x6 | data | 2.3333333333333335 | ||
| RT_RCDATA | 0x1d838 | 0x2 | data | 5.0 | ||
| RT_RCDATA | 0x1d83c | 0x16 | data | 1.3636363636363635 | ||
| RT_RCDATA | 0x1d854 | 0x29 | ASCII text, with no line terminators | 1.0975609756097562 | ||
| RT_RCDATA | 0x1d880 | 0x6 | data | 2.3333333333333335 | ||
| RT_RCDATA | 0x1d888 | 0x2 | data | 5.0 | ||
| RT_RCDATA | 0x1d88c | 0x3 | ASCII text, with no line terminators | 3.6666666666666665 | ||
| RT_RCDATA | 0x1d890 | 0x19 | ASCII text, with no line terminators | 1.32 | ||
| RT_RCDATA | 0x1d8ac | 0x2 | data | 5.0 | ||
| RT_RCDATA | 0x1d8b0 | 0x32 | data | 1.16 | ||
| RT_RCDATA | 0x1d8e4 | 0x73 | ASCII text, with no line terminators | 0.8695652173913043 | ||
| RT_RCDATA | 0x1d958 | 0x35 | ASCII text, with no line terminators | 1.1320754716981132 | ||
| RT_RCDATA | 0x1d990 | 0x68 | data | 0.875 | ||
| RT_GROUP_ICON | 0x1d9f8 | 0x14 | data | 1.1 |
| DLL | Import |
|---|---|
| ADVAPI32.DLL | RegCloseKey, RegEnumKeyExA, RegOpenKeyExA, RegQueryValueExA |
| KERNEL32.dll | CloseHandle, CreateMutexA, CreateProcessA, ExitProcess, FindResourceExA, FormatMessageA, GetCommandLineA, GetCurrentDirectoryA, GetCurrentProcess, GetEnvironmentVariableA, GetExitCodeProcess, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GlobalMemoryStatusEx, LoadResource, LocalFree, LockResource, SetEnvironmentVariableA, SetLastError, SetUnhandledExceptionFilter, WaitForSingleObject |
| msvcrt.dll | __getmainargs, __p__environ, __p__fmode, __set_app_type, _cexit, _chdir, _close, _findclose, _findfirst, _findnext, _iob, _itoa, _onexit, _open, _read, _setmode, _stat, atexit, atoi, fclose, fopen, fprintf, fwrite, memset, printf, puts, signal, strcat, strchr, strcmp, strcpy, strlen, strncat, strncpy, strpbrk, strrchr, strstr, strtok |
| SHELL32.DLL | ShellExecuteA |
| USER32.dll | CreateWindowExA, DispatchMessageA, EnumWindows, FindWindowExA, GetMessageA, GetSystemMetrics, GetWindowLongA, GetWindowRect, GetWindowTextA, GetWindowThreadProcessId, KillTimer, LoadImageA, MessageBoxA, PostQuitMessage, SendMessageA, SetForegroundWindow, SetTimer, SetWindowPos, ShowWindow, TranslateMessage, UpdateWindow |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 13, 2024 10:11:55.404519081 CET | 1.1.1.1 | 192.168.2.9 | 0x1cd9 | No error (0) | s-part-0017.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Nov 13, 2024 10:11:55.404519081 CET | 1.1.1.1 | 192.168.2.9 | 0x1cd9 | No error (0) | 13.107.246.45 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 04:11:59 |
| Start date: | 13/11/2024 |
| Path: | C:\Users\user\Desktop\nsHwyCkyFr.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 80'968 bytes |
| MD5 hash: | C9C4AC12004CC6B946CB7D49B5EB5EE5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 04:11:59 |
| Start date: | 13/11/2024 |
| Path: | C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x210000 |
| File size: | 257'664 bytes |
| MD5 hash: | 6E0F4F812AE02FBCB744A929E74A04B8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 04:11:59 |
| Start date: | 13/11/2024 |
| Path: | C:\Windows\SysWOW64\icacls.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xc00000 |
| File size: | 29'696 bytes |
| MD5 hash: | 2E49585E4E08565F52090B144062F97E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 04:11:59 |
| Start date: | 13/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff70f010000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 27% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 26% |
| Total number of Nodes: | 688 |
| Total number of Limit Nodes: | 15 |
Graph
Callgraph
Function 00405D30 Relevance: 163.4, APIs: 70, Strings: 23, Instructions: 688librarystringloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004013B0 Relevance: 58.1, APIs: 27, Strings: 6, Instructions: 365stringtimewindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401150 Relevance: 12.1, APIs: 8, Instructions: 61COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405390 Relevance: 121.2, APIs: 58, Strings: 11, Instructions: 479stringfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404740 Relevance: 89.8, APIs: 43, Strings: 8, Instructions: 553stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402920 Relevance: 52.7, APIs: 23, Strings: 7, Instructions: 218stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403D20 Relevance: 44.0, APIs: 18, Strings: 7, Instructions: 207stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403790 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 171stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406860 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 105stringprocesssynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402690 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 73stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004027A0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 96registrystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402829 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 64stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004013E9 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 128windowstringtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040124A Relevance: 10.5, APIs: 7, Instructions: 41COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406A10 Relevance: 4.6, APIs: 3, Instructions: 95COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406A9C Relevance: 1.5, APIs: 1, Instructions: 38COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00406ACE Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401290 Relevance: 1.5, APIs: 1, Instructions: 8COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401ED0 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 116stringwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004042B0 Relevance: 61.5, APIs: 29, Strings: 6, Instructions: 286stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403100 Relevance: 43.9, APIs: 16, Strings: 9, Instructions: 186stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004033F0 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 228stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401C30 Relevance: 36.9, APIs: 12, Strings: 9, Instructions: 108stringfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405B60 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 121stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004023B0 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 118stringregistryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403B77 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 111stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404040 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 155stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004051E0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004050D0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 79stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004039F1 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 103synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00404069 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 107stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DC5 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401DD0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405CDC Relevance: 12.0, APIs: 6, Strings: 2, Instructions: 45stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00403659 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43stringCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401B87 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35stringfileCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401000 Relevance: 9.1, APIs: 6, Instructions: 89COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00405010 Relevance: 9.1, APIs: 6, Instructions: 53stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402620 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 34stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402EE0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402EDE Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004052DE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35stringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00401FCC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32stringwindowCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004012D0 Relevance: 7.6, APIs: 5, Instructions: 68stringCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00402531 Relevance: 5.1, APIs: 4, Instructions: 51stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02790672 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02790667 Relevance: .1, Instructions: 55COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 02790722 Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 027A4B78 Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0279DA35 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 027A3C76 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 027A45E9 Relevance: .0, Instructions: 18COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 027903C0 Relevance: .1, Instructions: 70COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|