Edit tour

Windows Analysis Report
GhwFStoMJX.exe

Overview

General Information

Sample name:	GhwFStoMJX.exe renamed because original name is a hash value
Original sample name:	fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264.exe
Analysis ID:	1587768
MD5:	ed236267c78420804814d86de99b8850
SHA1:	21bd6d19e5664158c3d4d77ca3a2b7889827d0d4
SHA256:	fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

GhwFStoMJX.exe (PID: 1680 cmdline: "C:\Users\user\Desktop\GhwFStoMJX.exe" MD5: ED236267C78420804814D86DE99B8850)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: GhwFStoMJX.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: GhwFStoMJX.exe	Virustotal: Detection: 73%			Perma Link
Source: GhwFStoMJX.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: GhwFStoMJX.exe

Joe Sandbox ML: detected

Source: GhwFStoMJX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: GhwFStoMJX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

IP Address: 5.253.86.15 5.253.86.15

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: oshi.at

Source: GhwFStoMJX.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: GhwFStoMJX.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: GhwFStoMJX.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: GhwFStoMJX.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: GhwFStoMJX.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: GhwFStoMJX.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: GhwFStoMJX.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: GhwFStoMJX.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: GhwFStoMJX.exe	String found in binary or memory: http://ocsps.ssl.com0_
Source: GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://oshi.at
Source: GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://oshi.atd
Source: GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GhwFStoMJX.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: GhwFStoMJX.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at
Source: GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/WtFH
Source: GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/WtFH4n
Source: GhwFStoMJX.exe	String found in binary or memory: https://oshi.at/WtFHF
Source: GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/WtFHt
Source: GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.atD
Source: GhwFStoMJX.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: C:\Users\user\Desktop\GhwFStoMJX.exe

Process Stats: CPU usage > 49%

Source: GhwFStoMJX.exe

Static PE information: invalid certificate

Source: GhwFStoMJX.exe, 00000000.00000002.4694001906.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs GhwFStoMJX.exe
Source: GhwFStoMJX.exe, 00000000.00000000.2225932087.0000000000824000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamereff.exe8 vs GhwFStoMJX.exe
Source: GhwFStoMJX.exe	Binary or memory string: OriginalFilenamereff.exe8 vs GhwFStoMJX.exe

Source: GhwFStoMJX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\GhwFStoMJX.exe

Mutant created: NULL

Source: GhwFStoMJX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: GhwFStoMJX.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\GhwFStoMJX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: GhwFStoMJX.exe	Virustotal: Detection: 73%
Source: GhwFStoMJX.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\GhwFStoMJX.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: GhwFStoMJX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: GhwFStoMJX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Memory allocated: E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Memory allocated: 4B20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\GhwFStoMJX.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Window / User API: threadDelayed 2577			Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Window / User API: threadDelayed 7261			Jump to behavior

Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -99870s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 6380	Thread sleep count: 2577 > 30	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 6380	Thread sleep count: 7261 > 30	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -99077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -98968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -98747s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -98640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -98521s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -98130s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -98012s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -97821s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -97707s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -97468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -97140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -97031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -96797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -96687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -96249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -95922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -95797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -95679s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -95578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -95435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -95065s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -94937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -94827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -94718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -94609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -94500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -94389s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -94281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -94172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 5476	Thread sleep time: -94062s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 99870	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 99077	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 98968	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 98747	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 98640	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 98521	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 98130	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 98012	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 97821	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 97707	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 96797	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 96249	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 95922	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 95797	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 95679	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 95578	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 95435	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 95065	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 94937	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 94827	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 94500	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 94389	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 94281	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 94172	Jump to behavior
Source: C:\Users\user\Desktop\GhwFStoMJX.exe	Thread delayed: delay time: 94062	Jump to behavior

Source: GhwFStoMJX.exe, 00000000.00000002.4694001906.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\GhwFStoMJX.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\GhwFStoMJX.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\GhwFStoMJX.exe

Queries volume information: C:\Users\user\Desktop\GhwFStoMJX.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\GhwFStoMJX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
GhwFStoMJX.exe	74%	Virustotal		Browse
GhwFStoMJX.exe	66%	ReversingLabs	Win32.Trojan.Leonem
GhwFStoMJX.exe	100%	Avira	HEUR/AGEN.1362855
GhwFStoMJX.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://oshi.at/WtFH4n	0%	Avira URL Cloud	safe
https://oshi.at/WtFH	0%	Avira URL Cloud	safe
https://oshi.at/WtFHF	0%	Avira URL Cloud	safe
https://oshi.at/WtFHt	0%	Avira URL Cloud	safe
https://oshi.atD	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0_	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
oshi.at	5.253.86.15	true	false		high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	GhwFStoMJX.exe	false		high
https://oshi.at/WtFHF	GhwFStoMJX.exe	false	Avira URL Cloud: safe	unknown
http://oshi.atd	GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	GhwFStoMJX.exe	false		high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	GhwFStoMJX.exe	false		high
http://oshi.at	GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oshi.at/WtFH4n	GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	GhwFStoMJX.exe	false		high
http://ocsps.ssl.com0?	GhwFStoMJX.exe	false		high
http://ocsps.ssl.com0_	GhwFStoMJX.exe	false	Avira URL Cloud: safe	unknown
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	GhwFStoMJX.exe	false		high
https://oshi.at	GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oshi.at/WtFH	GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	GhwFStoMJX.exe	false		high
http://ocsps.ssl.com0	GhwFStoMJX.exe	false		high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0	GhwFStoMJX.exe	false		high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	GhwFStoMJX.exe	false		high
https://oshi.at/WtFHt	GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oshi.atD	GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	GhwFStoMJX.exe, 00000000.00000002.4694598728.0000000002B87000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	GhwFStoMJX.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.253.86.15	oshi.at	Cyprus		208046	HOSTSLICK-GERMANYNL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587768
Start date and time:	2025-01-10 17:51:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GhwFStoMJX.exe renamed because original name is a hash value
Original Sample Name:	fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264.exe
Detection:	MAL
Classification:	mal64.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.64, 13.107.246.45, 20.109.210.53, 40.126.32.134, 2.23.227.215
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, ocsps.ssl.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target GhwFStoMJX.exe, PID 1680 because it is empty
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:52:19	API Interceptor	11290512x Sleep call for process: GhwFStoMJX.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
5.253.86.15	IMG_10503677.exe	Get hash	malicious	Unknown	Browse
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse
	Ref#103052.exe	Get hash	malicious	Unknown	Browse
	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse
	Ref#1550238.exe	Get hash	malicious	Unknown	Browse
	JuneOrder.exe	Get hash	malicious	AsyncRAT, Babadeda, PureLog Stealer, zgRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
oshi.at	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	194.15.112.248
	IMG_10503677.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Ref#103052.exe	Get hash	malicious	XWorm	Browse	194.15.112.248
	Ref#103052.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	9876567899.bat.exe	Get hash	malicious	Lokibot	Browse	194.15.112.248
	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
fp2e7a.wpc.phicdn.net	AudioCodesAppSuite.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	launcher.exe.bin.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	192.229.221.95
	Shipping Document.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.229.221.95
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	1.png	Get hash	malicious	Unknown	Browse	192.229.221.95
	atomxml.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95
	Payment-Order #24560274 for 8,380 USD.exe	Get hash	malicious	XWorm	Browse	192.229.221.95
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTSLICK-GERMANYNL	IMG_10503677.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Holiday#3021.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Ref#103052.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref#1550238.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	an_api.exe	Get hash	malicious	Unknown	Browse	193.142.146.64

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.8419219498993815
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	GhwFStoMJX.exe
File size:	31'712 bytes
MD5:	ed236267c78420804814d86de99b8850
SHA1:	21bd6d19e5664158c3d4d77ca3a2b7889827d0d4
SHA256:	fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264
SHA512:	7c28b89d1e7c4c429cc2528cc935839be61a5cb41c621ae48547c7cc64479df6a0254382eaab2fba52af3d4cbf261ccffdfc8d0d40043042bc6cb86f7be7af1a
SSDEEP:	384:GSwPLqusAKYP/GKhwlJCXOxFm7bhCm/zH:xwz9HvK6XiFZKj
TLSH:	00E22A424B3843A2D94F4A38E8D156F319BDDE845E4C569B2790FF0E5DB4B881BC71AC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ig.....................J......r0... ...@....@.. ....................................`................................

File Icon


Icon Hash:	27d8dcd6d4d85007

Static PE Info

General

Entrypoint:	0x403072
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6769F7E0 [Mon Dec 23 23:53:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	04/07/2024 06:35:32 15/05/2027 17:15:04
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=VN, OID.2.5.4.15=Private Organization, CN="DUC FABULOUS CO.,LTD", SERIALNUMBER=0105838409, O="DUC FABULOUS CO.,LTD", L=Hanoi, C=VN
Version:	3
Thumbprint MD5:	FF0E889D2A73C3A679605952D35452DC
Thumbprint SHA-1:	2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C
Thumbprint SHA-256:	A73352D67693AA16BCE2F182B15891F0F23EA0485CC18938686AAFDEE7B743E3
Serial:	6DD2E3173995F51BFAC1D9FB4CB200C1

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3028	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x4656	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5e00	0x1de0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1078	0x1200	4d7035380253ed363ae6317dc8c576b6	False	0.5501302083333334	data	5.239235838942246	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x4656	0x4800	25fbfd232277978aeab9ab157c4dce6e	False	0.06179470486111111	data	2.4670696213657792	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	78220c57bae77f0280715bd915a05a2a	False	0.04296875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x406c	0x4028	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.02368485143692158
RT_GROUP_ICON	0x80d0	0x14	data	1.05
RT_VERSION	0x8120	0x310	data	0.4477040816326531
RT_MANIFEST	0x846c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:52:20.070346117 CET	49723	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:52:20.070400953 CET	443	49723	5.253.86.15	192.168.2.5
Jan 10, 2025 17:52:20.070466042 CET	49723	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:52:20.082065105 CET	49723	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:52:20.082086086 CET	443	49723	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:02.849649906 CET	443	49723	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:02.849723101 CET	49723	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:02.858194113 CET	49723	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:02.858215094 CET	443	49723	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:02.893270016 CET	49985	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:02.893313885 CET	443	49985	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:02.893377066 CET	49985	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:02.893804073 CET	49985	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:02.893830061 CET	443	49985	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:45.679543972 CET	443	49985	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:45.679620028 CET	49985	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:45.680588007 CET	49985	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:45.680608988 CET	443	49985	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:45.687012911 CET	50003	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:45.687056065 CET	443	50003	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:45.687119007 CET	50003	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:45.687467098 CET	50003	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:45.687475920 CET	443	50003	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:48.333292007 CET	50003	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:48.370986938 CET	50004	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:48.371042967 CET	443	50004	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:48.371229887 CET	50004	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:48.371556044 CET	50004	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:53:48.371567965 CET	443	50004	5.253.86.15	192.168.2.5
Jan 10, 2025 17:53:48.379326105 CET	443	50003	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:05.665436983 CET	50004	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:05.667326927 CET	50007	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:05.667361021 CET	443	50007	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:05.667433023 CET	50007	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:05.667788982 CET	50007	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:05.667805910 CET	443	50007	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:05.707334995 CET	443	50004	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:07.058886051 CET	443	50003	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:07.058943033 CET	50003	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:08.463732004 CET	50007	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:08.464509010 CET	50008	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:08.464540958 CET	443	50008	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:08.464891911 CET	50008	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:08.465253115 CET	50008	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:08.465267897 CET	443	50008	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:08.507340908 CET	443	50007	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:09.746778965 CET	443	50004	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:09.751348972 CET	50004	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:14.571690083 CET	50008	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:14.575556993 CET	50009	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:14.575599909 CET	443	50009	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:14.575756073 CET	50009	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:14.579555988 CET	50009	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:14.579574108 CET	443	50009	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:14.615331888 CET	443	50008	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:14.837251902 CET	50009	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:14.839374065 CET	50010	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:14.839407921 CET	443	50010	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:14.839474916 CET	50010	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:14.839946032 CET	50010	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:14.839956999 CET	443	50010	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:14.879349947 CET	443	50009	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:16.634335995 CET	50010	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:16.635948896 CET	50011	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:16.635993958 CET	443	50011	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:16.636123896 CET	50011	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:16.638569117 CET	50011	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:16.638583899 CET	443	50011	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:16.675332069 CET	443	50010	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:27.048095942 CET	443	50007	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:27.048180103 CET	50007	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:29.863178968 CET	443	50008	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:29.863512039 CET	50008	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:35.969764948 CET	443	50009	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:35.969851971 CET	50009	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:36.215796947 CET	443	50010	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:36.215874910 CET	50010	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:48.618557930 CET	50011	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:48.618719101 CET	443	50011	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:48.618781090 CET	50011	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:48.621290922 CET	50014	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:48.621332884 CET	443	50014	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:48.623723030 CET	50014	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:48.624093056 CET	50014	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:48.624108076 CET	443	50014	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:52.431618929 CET	50014	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:52.432598114 CET	50015	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:52.432641029 CET	443	50015	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:52.432867050 CET	50015	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:52.433648109 CET	50015	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:52.433656931 CET	443	50015	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:52.475338936 CET	443	50014	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:54.805948973 CET	50015	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:54.809576988 CET	50016	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:54.809627056 CET	443	50016	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:54.809729099 CET	50016	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:54.810049057 CET	50016	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:54:54.810058117 CET	443	50016	5.253.86.15	192.168.2.5
Jan 10, 2025 17:54:54.847325087 CET	443	50015	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:01.134556055 CET	50016	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:01.137113094 CET	50017	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:01.137188911 CET	443	50017	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:01.137262106 CET	50017	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:01.137739897 CET	50017	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:01.137774944 CET	443	50017	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:01.175335884 CET	443	50016	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:10.014134884 CET	443	50014	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:10.014211893 CET	50014	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:13.811965942 CET	443	50015	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:13.812028885 CET	50015	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:16.216106892 CET	443	50016	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:16.219697952 CET	50016	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:19.634109974 CET	50017	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:19.636858940 CET	50019	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:19.636926889 CET	443	50019	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:19.637011051 CET	50019	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:19.637455940 CET	50019	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:19.637489080 CET	443	50019	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:19.675338030 CET	443	50017	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:22.530844927 CET	443	50017	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:22.531035900 CET	50017	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:24.041709900 CET	50019	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:24.041713953 CET	50020	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:24.041768074 CET	443	50020	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:24.043781996 CET	50020	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:24.044001102 CET	50020	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:24.044015884 CET	443	50020	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:24.083338976 CET	443	50019	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:31.301651001 CET	50020	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:31.341279984 CET	50021	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:31.341337919 CET	443	50021	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:31.341394901 CET	50021	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:31.343076944 CET	50021	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:31.343097925 CET	443	50021	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:31.343336105 CET	443	50020	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:41.269509077 CET	443	50019	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:41.269583941 CET	50019	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:45.437840939 CET	443	50020	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:45.437911034 CET	50020	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:48.243345976 CET	50021	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:48.251574993 CET	50022	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:48.251631021 CET	443	50022	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:48.255888939 CET	50022	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:48.256304979 CET	50022	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:48.256335974 CET	443	50022	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:48.287358999 CET	443	50021	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:52.721394062 CET	443	50021	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:52.721478939 CET	50021	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:59.602747917 CET	50022	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:59.604302883 CET	50025	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:59.604351997 CET	443	50025	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:59.604412079 CET	50025	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:59.604758978 CET	50025	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:55:59.604770899 CET	443	50025	5.253.86.15	192.168.2.5
Jan 10, 2025 17:55:59.643332005 CET	443	50022	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:03.243391991 CET	50025	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:03.245543003 CET	50027	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:03.245587111 CET	443	50027	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:03.245666027 CET	50027	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:03.246052027 CET	50027	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:03.246066093 CET	443	50027	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:03.291330099 CET	443	50025	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:03.712042093 CET	50027	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:03.713532925 CET	50028	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:03.713571072 CET	443	50028	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:03.713694096 CET	50028	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:03.714040041 CET	50028	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:03.714056015 CET	443	50028	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:03.759332895 CET	443	50027	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:09.642457008 CET	443	50022	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:09.642800093 CET	50022	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:20.969820023 CET	443	50025	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:20.969867945 CET	50025	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:24.643955946 CET	443	50027	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:24.644062042 CET	50027	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:26.794886112 CET	50028	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:26.795033932 CET	443	50028	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:26.795145035 CET	50028	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:26.796396017 CET	50030	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:26.796427011 CET	443	50030	5.253.86.15	192.168.2.5
Jan 10, 2025 17:56:26.796546936 CET	50030	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:26.797000885 CET	50030	443	192.168.2.5	5.253.86.15
Jan 10, 2025 17:56:26.797010899 CET	443	50030	5.253.86.15	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 17:52:20.018769026 CET	57983	53	192.168.2.5	1.1.1.1
Jan 10, 2025 17:52:20.043090105 CET	53	57983	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 17:52:20.018769026 CET	192.168.2.5	1.1.1.1	0x51c3	Standard query (0)	oshi.at	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 17:52:17.829133987 CET	1.1.1.1	192.168.2.5	0xbcd5	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 17:52:17.829133987 CET	1.1.1.1	192.168.2.5	0xbcd5	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:52:20.043090105 CET	1.1.1.1	192.168.2.5	0x51c3	No error (0)	oshi.at		5.253.86.15	A (IP address)	IN (0x0001)	false
Jan 10, 2025 17:52:20.043090105 CET	1.1.1.1	192.168.2.5	0x51c3	No error (0)	oshi.at		194.15.112.248	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: GhwFStoMJX.exePID: 1680, Parent PID: 1028

General

Target ID:	0
Start time:	11:52:19
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\GhwFStoMJX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\GhwFStoMJX.exe"
Imagebase:	0x820000
File size:	31'712 bytes
MD5 hash:	ED236267C78420804814D86DE99B8850
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: GhwFStoMJX.exePID: 1680, Parent PID: 1028COMMON

Executed Functions

Function 00E60B80 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00E60B80

Memory Dump Source

Source File: 00000000.00000002.4693942475.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_GhwFStoMJX.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 0827932462e3a388ce328114c3951651c1aad07f16c0f11699ed9f989e242352
Instruction ID: a3eed464e953f10033de25c425f0b8dd056fc8dfdf9864978fe2818518f75c88
Opcode Fuzzy Hash: 0827932462e3a388ce328114c3951651c1aad07f16c0f11699ed9f989e242352
Instruction Fuzzy Hash: 5F016D30A84325CFCB589F68A0546FF7AB2AB493C8F34A869C003BB350CB704D45EB91

Function 00E60848 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

pN, xrefs: 00E6086A

Memory Dump Source

Source File: 00000000.00000002.4693942475.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_GhwFStoMJX.jbxd

Similarity

API ID:
String ID: pN
API String ID: 0-805884423
Opcode ID: 1d72c283be42632ea9b958794030ff62a2c71a37ba66afa85def73b0e9908fe2
Instruction ID: 5ab35c8993370f9f72483cbdcdc685a35e9b7cc3931b25543dbab0359973b398
Opcode Fuzzy Hash: 1d72c283be42632ea9b958794030ff62a2c71a37ba66afa85def73b0e9908fe2
Instruction Fuzzy Hash: 50E0E5B4D50208EFCB44EFB8F94159DBBF5EB48340F2095AAD809B7350E6306B449B90

Function 00E60990 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4693942475.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_GhwFStoMJX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc0be59079ca0fa152699c0d5852aed41d6f4e14de208d494ae1d7b3c3cce48
Instruction ID: a202378176322ec6908fce8b5499bcc28580dfa7d51eedcf6d3e0dc3acd3aafc
Opcode Fuzzy Hash: 5fc0be59079ca0fa152699c0d5852aed41d6f4e14de208d494ae1d7b3c3cce48
Instruction Fuzzy Hash: 7F21F430789365CFC72697A5B8104BF7FA69EC23D4314A5ABD00AFB252EA148D04C351

Function 00E61438 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4693942475.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_GhwFStoMJX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355a6661dbd4a34a326dc3117ef033dbe75dc55782c2eeb9b690907bfb260639
Instruction ID: 78bd4809aa5c72a085f628cb32b2924977d5914c3ef775c1a658bf79c6d2c562
Opcode Fuzzy Hash: 355a6661dbd4a34a326dc3117ef033dbe75dc55782c2eeb9b690907bfb260639
Instruction Fuzzy Hash: 523126B1D002489FCB14CFAAD580ADEFFF5AF48344F248069E919BB250DB749945CFA0

Function 00E60AA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4693942475.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_GhwFStoMJX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c520d434ab81875ea48179d8389861d1f4b00d3bbd04e32e124eca30fc65830
Instruction ID: 35f15d3e2e4518c467ba281470c46d9b946b10019299ca01914a356b8b93c6ab
Opcode Fuzzy Hash: 6c520d434ab81875ea48179d8389861d1f4b00d3bbd04e32e124eca30fc65830
Instruction Fuzzy Hash: 45116130A84325CFDB559F74E0146FE7BB1AB49398F34A869C003BB251CBB54C46DB51

Function 00E608B0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4693942475.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_GhwFStoMJX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ce74e41d653b113fa648e9329eb2061c394e3b0cdc9aab4bd7a8542002292c
Instruction ID: a19eea4fcfd53920b56a74cb7adfdd76a3a9f6a9b89163cf047cab40568d6c91
Opcode Fuzzy Hash: f8ce74e41d653b113fa648e9329eb2061c394e3b0cdc9aab4bd7a8542002292c
Instruction Fuzzy Hash: 4501F7322802245FC22AEB29F4105BF36AAAFC43943119929D01AABB45FE28DD0687D1

Function 00E0D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4693807455.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0d000_GhwFStoMJX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43b7e905b26b28acffb9d6e04eca7ada23bb81d9d21e599c4d9e8b8376c747c
Instruction ID: 5690fe64f13294801f6a404313379a6b12ad8888dcb5cb4683f6be7dc793f33b
Opcode Fuzzy Hash: e43b7e905b26b28acffb9d6e04eca7ada23bb81d9d21e599c4d9e8b8376c747c
Instruction Fuzzy Hash: 3501A7311083449AD7208A55DD84B66FFD8EF45724F1CD42BED491A2C6C2799884CB75

Function 00E608C0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4693942475.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_GhwFStoMJX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a33143ed6862360d02321769ab290e740314d4b12ae6c652ed3e63a9d3d444c
Instruction ID: 617023ec18d04f91b09b66146bc2db39f6e191a30052ab12830370ffdb339de4
Opcode Fuzzy Hash: 4a33143ed6862360d02321769ab290e740314d4b12ae6c652ed3e63a9d3d444c
Instruction Fuzzy Hash: EFF028313C01244F822AA729F4104BF32DBBFC43943205939C41EAB704EE28DD0687D1

Function 00E0D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4693807455.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0d000_GhwFStoMJX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc46e443bcec2402836785fc02bcb792a4562745aa62a6d390b00cbc9cbb49f
Instruction ID: 693e8782ca301c463f30566629db217a8d87242a8e550dea77d2c6cb3ba6b5d6
Opcode Fuzzy Hash: bdc46e443bcec2402836785fc02bcb792a4562745aa62a6d390b00cbc9cbb49f
Instruction Fuzzy Hash: 2BF062714083449EE7208A16DC84B66FFA8EF56725F18C45AFD485A2C6C2799C44CBB5

Function 00E60BBB Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4693942475.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_GhwFStoMJX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ea0770bb98b87bb2f0b2bc14f8395e694747c619ba38050d1bc2db55cd6752
Instruction ID: 3580f71dccd6d769990be44d86081cf37ec19c13d61a4d203ca8cf4fe2f8f63d
Opcode Fuzzy Hash: 54ea0770bb98b87bb2f0b2bc14f8395e694747c619ba38050d1bc2db55cd6752
Instruction Fuzzy Hash: DBD022317000108BCA4D2BF8001722C21F74BC63407A18018E003EF3C1EE63DD810347

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GhwFStoMJX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: GhwFStoMJX.exePID: 1680, Parent PID: 1028

General

Chronological Activities

Disassembly

Windows Analysis Report
GhwFStoMJX.exe