Windows Analysis Report
GhwFStoMJX.exe

Overview

General Information

Sample name: GhwFStoMJX.exe (renamed because original name is a hash value)
Original sample name: fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264.exe
Analysis ID: 1587768
MD5: ed236267c78420804814d86de99b8850
SHA1: 21bd6d19e5664158c3d4d77ca3a2b7889827d0d4
SHA256: fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264
Tags: exe, user-adrian__luca

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • GhwFStoMJX.exe (PID: 3876 cmdline: "C:\Users\user\Desktop\GhwFStoMJX.exe" MD5: ED236267C78420804814D86DE99B8850)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

[Source: GhwFStoMJX.exe] Avira: detected
[Source: GhwFStoMJX.exe] ReversingLabs: Detection: 65%
[Source: Submitted Sample] Integrated Neural Analysis Model: Matched 99.4% probability
[Source: GhwFStoMJX.exe] Joe Sandbox ML: detected
[Source: GhwFStoMJX.exe] Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
[Source: GhwFStoMJX.exe] Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
[Source: Joe Sandbox View] IP Address: 5.253.86.15
[Source: unknown] UDP traffic detected without corresponding DNS query: 1.1.1.1
[Source: global traffic] DNS traffic detected: DNS query: oshi.at
[Source: GhwFStoMJX.exe] String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
[Source: GhwFStoMJX.exe] String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
[Source: GhwFStoMJX.exe] String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
[Source: GhwFStoMJX.exe] String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
[Source: GhwFStoMJX.exe] String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
[Source: GhwFStoMJX.exe] String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
[Source: GhwFStoMJX.exe] String found in binary or memory: http://ocsps.ssl.com0
[Source: GhwFStoMJX.exe] String found in binary or memory: http://ocsps.ssl.com0?
[Source: GhwFStoMJX.exe] String found in binary or memory: http://ocsps.ssl.com0_
[Source: GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032E0000.00000004.00000800.00020000.00000000.sdmp] String found in binary or memory: http://oshi.at
[Source: GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032E0000.00000004.00000800.00020000.00000000.sdmp] String found in binary or memory: http://oshi.atd
[Source: GhwFStoMJX.exe, 00000000.00000002.3614911039.0000000003297000.00000004.00000800.00020000.00000000.sdmp] String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[Source: GhwFStoMJX.exe] String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
[Source: GhwFStoMJX.exe] String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
[Source: GhwFStoMJX.exe, 00000000.00000002.3614911039.0000000003297000.00000004.00000800.00020000.00000000.sdmp] String found in binary or memory: https://oshi.at
[Source: GhwFStoMJX.exe, 00000000.00000002.3614911039.0000000003231000.00000004.00000800.00020000.00000000.sdmp] String found in binary or memory: https://oshi.at/WtFH
[Source: GhwFStoMJX.exe, 00000000.00000002.3614911039.0000000003297000.00000004.00000800.00020000.00000000.sdmp] String found in binary or memory: https://oshi.at/WtFH4nz
[Source: GhwFStoMJX.exe] String found in binary or memory: https://oshi.at/WtFHF
[Source: GhwFStoMJX.exe, 00000000.00000002.3614911039.0000000003231000.00000004.00000800.00020000.00000000.sdmp] String found in binary or memory: https://oshi.at/WtFHt
[Source: GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032C0000.00000004.00000800.00020000.00000000.sdmp] String found in binary or memory: https://oshi.atD
[Source: GhwFStoMJX.exe] String found in binary or memory: https://www.ssl.com/repository0
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49722
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49986
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49985
[Source: unknown] Network traffic detected: HTTP traffic on port 49712 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49982
[Source: unknown] Network traffic detected: HTTP traffic on port 49985 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 49986 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 49722 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 49982 -> 443
[Source: unknown] Network traffic detected: HTTP traffic on port 443 -> 49712
[Source: GhwFStoMJX.exe] Static PE information: invalid certificate
[Source: GhwFStoMJX.exe, 00000000.00000000.1757659096.0000000000EA4000.00000002.00000001.01000000.00000003.sdmp] Binary or memory string: OriginalFilenamereff.exe8 vs GhwFStoMJX.exe
[Source: GhwFStoMJX.exe, 00000000.00000002.3614360686.000000000141E000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: OriginalFilenameclr.dllT vs GhwFStoMJX.exe
[Source: GhwFStoMJX.exe] Binary or memory string: OriginalFilenamereff.exe8 vs GhwFStoMJX.exe
[Source: GhwFStoMJX.exe] Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
[Source: classification engine] Classification label: mal64.winEXE@1/0@1/1
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Mutant created: NULL
[Source: GhwFStoMJX.exe] Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
[Source: GhwFStoMJX.exe] Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
[Source: GhwFStoMJX.exe] ReversingLabs: Detection: 65%
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: mscoree.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: apphelp.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: kernel.appcore.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: version.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: vcruntime140_clr0400.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: ucrtbase_clr0400.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: windows.storage.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: wldp.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: profapi.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: cryptsp.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: rsaenh.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: cryptbase.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: iphlpapi.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: dnsapi.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: dhcpcsvc6.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: dhcpcsvc.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: winnsi.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: rasapi32.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: rasman.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: rtutils.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: mswsock.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: winhttp.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: ondemandconnroutehelper.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: rasadhlp.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: fwpuclnt.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: secur32.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: sspicli.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Section loaded: schannel.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
[Source: GhwFStoMJX.exe] Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
[Source: GhwFStoMJX.exe] Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Process information set: NOOPENFILEERRORBOX (42 identical entries)
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Memory allocated: 1830000 memory reserve | memory write watch
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Memory allocated: 3230000 memory reserve | memory write watch
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Memory allocated: 5230000 memory reserve | memory write watch
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Thread delayed: delay time: 922337203685477
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Window / User API: threadDelayed 848
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Window / User API: threadDelayed 414
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 6604] Thread sleep time: -922337203685477s >= -30000s
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 6604] Thread sleep time: -100000s >= -30000s
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 7084] Thread sleep count: 848 > 30
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 7084] Thread sleep count: 414 > 30
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe TID: 6604] Thread sleep time: -85640s >= -30000s
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Thread delayed: delay time: 922337203685477
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Thread delayed: delay time: 100000
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Thread delayed: delay time: 85640
[Source: GhwFStoMJX.exe, 00000000.00000002.3614360686.0000000001451000.00000004.00000020.00020000.00000000.sdmp] Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Process token adjusted: Debug
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Memory allocated: page read and write | page guard
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Queries volume information: C:\Users\user\Desktop\GhwFStoMJX.exe VolumeInformation
[Source: C:\Users\user\Desktop\GhwFStoMJX.exe] Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix, listed per tactic (the number in parentheses is the count of matched signatures for that technique; techniques without a count had no match):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
  • Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
  • Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); DLL Side-Loading (1); Binary Padding
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (12)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID: 1587768; Sample: GhwFStoMJX.exe; Start date: 10/01/2025; Architecture: WINDOWS; Score: 64)

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Graph nodes and edges:

  • Start -> oshi.at
  • Start: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; AI detected suspicious sample
  • Start -> GhwFStoMJX.exe (15, 2) started
  • GhwFStoMJX.exe -> oshi.at 5.253.86.15, 443, 49712, 49722 HOSTSLICK-GERMANYNL Cyprus

Source | Detection | Scanner | Label
GhwFStoMJX.exe | 66% | ReversingLabs | Win32.Trojan.Leonem
GhwFStoMJX.exe | 100% | Avira | HEUR/AGEN.1362855
GhwFStoMJX.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://ocsps.ssl.com0_ | 0% | Avira URL Cloud | safe
https://oshi.at/WtFHt | 0% | Avira URL Cloud | safe
https://oshi.atD | 0% | Avira URL Cloud | safe
https://oshi.at/WtFH4nz | 0% | Avira URL Cloud | safe
https://oshi.at/WtFH | 0% | Avira URL Cloud | safe
https://oshi.at/WtFHF | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
oshi.at | 5.253.86.15 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0 | GhwFStoMJX.exe | false | | high
https://oshi.at/WtFHF | GhwFStoMJX.exe | false | Avira URL Cloud: safe | unknown
http://oshi.atd | GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032E0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | GhwFStoMJX.exe | false | | high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0 | GhwFStoMJX.exe | false | | high
http://oshi.at | GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032E0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oshi.at/WtFH4nz | GhwFStoMJX.exe, 00000000.00000002.3614911039.0000000003297000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ssl.com/repository0 | GhwFStoMJX.exe | false | | high
http://ocsps.ssl.com0? | GhwFStoMJX.exe | false | | high
http://ocsps.ssl.com0_ | GhwFStoMJX.exe | false | Avira URL Cloud: safe | unknown
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0 | GhwFStoMJX.exe | false | | high
https://oshi.at | GhwFStoMJX.exe, 00000000.00000002.3614911039.0000000003297000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oshi.at/WtFH | GhwFStoMJX.exe, 00000000.00000002.3614911039.0000000003231000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q | GhwFStoMJX.exe | false | | high
http://ocsps.ssl.com0 | GhwFStoMJX.exe | false | | high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0 | GhwFStoMJX.exe | false | | high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0 | GhwFStoMJX.exe | false | | high
https://oshi.at/WtFHt | GhwFStoMJX.exe, 00000000.00000002.3614911039.0000000003231000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://oshi.atD | GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032E8000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, GhwFStoMJX.exe, 00000000.00000002.3614911039.00000000032C0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | GhwFStoMJX.exe, 00000000.00000002.3614911039.0000000003297000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0 | GhwFStoMJX.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
5.253.86.15 | oshi.at | Cyprus | 208046 | HOSTSLICK-GERMANYNL | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587768
Start date and time: 2025-01-10 17:58:28 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GhwFStoMJX.exe (renamed because original name is a hash value)
Original Sample Name: fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264.exe
Detection: MAL
Classification: mal64.winEXE@1/0@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target GhwFStoMJX.exe, PID 3876 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: GhwFStoMJX.exe
                                  No simulations
Match: 5.253.86.15
Associated Sample Name / URL | Detection | Threat Name
IMG_10503677.exe | malicious | Unknown
Holiday#3021.exe | malicious | Unknown
Holiday#3021.exe | malicious | Unknown
Ref#103052.exe | malicious | Unknown
Ref#66001032.exe | malicious | AgentTesla
Ref#20203216.exe | malicious | AgentTesla
Ref_31020563.exe | malicious | Unknown
Ref#60031796.exe | malicious | AgentTesla
Ref#1550238.exe | malicious | Unknown

Match: oshi.at
Associated Sample Name / URL | Detection | Threat Name | Context
IMG_10503677.exe | malicious | MassLogger RAT | 194.15.112.248
IMG_10503677.exe | malicious | Unknown | 5.253.86.15
Holiday#3021.exe | malicious | Unknown | 5.253.86.15
Holiday#3021.exe | malicious | Unknown | 5.253.86.15
Ref#103052.exe | malicious | XWorm | 194.15.112.248
Ref#103052.exe | malicious | Unknown | 5.253.86.15
9876567899.bat.exe | malicious | Lokibot | 194.15.112.248
Ref#66001032.exe | malicious | AgentTesla | 5.253.86.15
Ref#20203216.exe | malicious | AgentTesla | 5.253.86.15

Match: HOSTSLICK-GERMANYNL
Associated Sample Name / URL | Detection | Threat Name | Context
IMG_10503677.exe | malicious | Unknown | 5.253.86.15
Holiday#3021.exe | malicious | Unknown | 5.253.86.15
Holiday#3021.exe | malicious | Unknown | 5.253.86.15
Ref#103052.exe | malicious | Unknown | 5.253.86.15
Ref#66001032.exe | malicious | AgentTesla | 5.253.86.15
Ref#20203216.exe | malicious | AgentTesla | 5.253.86.15
Ref_31020563.exe | malicious | Unknown | 5.253.86.15
Ref#60031796.exe | malicious | AgentTesla | 5.253.86.15
Ref#1550238.exe | malicious | Unknown | 5.253.86.15
                                                    No context
                                                    No context
                                                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 4.8419219498993815
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: GhwFStoMJX.exe
File size: 31'712 bytes
MD5: ed236267c78420804814d86de99b8850
SHA1: 21bd6d19e5664158c3d4d77ca3a2b7889827d0d4
SHA256: fd19e12aebfd870dcc7fe04359e6e7a53daeeb281c2dfc21f7740f8e65edd264
SHA512: 7c28b89d1e7c4c429cc2528cc935839be61a5cb41c621ae48547c7cc64479df6a0254382eaab2fba52af3d4cbf261ccffdfc8d0d40043042bc6cb86f7be7af1a
SSDEEP: 384:GSwPLqusAKYP/GKhwlJCXOxFm7bhCm/zH:xwz9HvK6XiFZKj
TLSH: 00E22A424B3843A2D94F4A38E8D156F319BDDE845E4C569B2790FF0E5DB4B881BC71AC
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ig.....................J......r0... ...@....@.. ....................................`................................
Icon Hash: 27d8dcd6d4d85007
Entrypoint: 0x403072
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x6769F7E0 [Mon Dec 23 23:53:04 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Signature Valid:false
                                                    Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                                    Signature Validation Error:The digital signature of the object did not verify
                                                    Error Number:-2146869232
                                                    Not Before, Not After
                                                    • 04/07/2024 06:35:32 15/05/2027 17:15:04
                                                    Subject Chain
                                                    • OID.1.3.6.1.4.1.311.60.2.1.3=VN, OID.2.5.4.15=Private Organization, CN="DUC FABULOUS CO.,LTD", SERIALNUMBER=0105838409, O="DUC FABULOUS CO.,LTD", L=Hanoi, C=VN
                                                    Version:3
                                                    Thumbprint MD5:FF0E889D2A73C3A679605952D35452DC
                                                    Thumbprint SHA-1:2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C
                                                    Thumbprint SHA-256:A73352D67693AA16BCE2F182B15891F0F23EA0485CC18938686AAFDEE7B743E3
                                                    Serial:6DD2E3173995F51BFAC1D9FB4CB200C1
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                     Name | Virtual Address | Virtual Size | Is in Section
                                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3028 | 0x4a | .text
                                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x4656 | .rsrc
                                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5e00 | 0x1de0 | .rsrc
                                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc
                                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                     .text | 0x2000 | 0x1078 | 0x1200 | 4d7035380253ed363ae6317dc8c576b6 | False | 0.5501302083333334 | data | 5.239235838942246 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                     .rsrc | 0x4000 | 0x4656 | 0x4800 | 25fbfd232277978aeab9ab157c4dce6e | False | 0.06179470486111111 | data | 2.4670696213657792 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                     .reloc | 0xa000 | 0xc | 0x200 | 78220c57bae77f0280715bd915a05a2a | False | 0.04296875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                     RT_ICON | 0x406c | 0x4028 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | | | 0.02368485143692158
                                                     RT_GROUP_ICON | 0x80d0 | 0x14 | data | | | 1.05
                                                     RT_VERSION | 0x8120 | 0x310 | data | | | 0.4477040816326531
                                                     RT_MANIFEST | 0x846c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                     DLL | Import
                                                     mscoree.dll | _CorExeMain


                                                    • Total Packets: 24
                                                    • 443 (HTTPS)
                                                    • 53 (DNS)
                                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                     Jan 10, 2025 18:00:12.685635090 CET | 49712 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:00:12.685676098 CET | 443 | 49712 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:00:12.686553955 CET | 49712 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:00:12.699709892 CET | 49712 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:00:12.699727058 CET | 443 | 49712 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:00:55.436235905 CET | 443 | 49712 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:00:55.436305046 CET | 49712 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:00:55.443146944 CET | 49712 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:00:55.443164110 CET | 443 | 49712 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:00:55.452294111 CET | 49722 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:00:55.452338934 CET | 443 | 49722 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:00:55.452544928 CET | 49722 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:00:55.452944040 CET | 49722 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:00:55.452955008 CET | 443 | 49722 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:01:38.187880039 CET | 443 | 49722 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:01:38.187980890 CET | 49722 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:01:38.189039946 CET | 49722 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:01:38.189063072 CET | 443 | 49722 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:01:38.196461916 CET | 49982 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:01:38.196508884 CET | 443 | 49982 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:01:38.196569920 CET | 49982 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:01:38.196940899 CET | 49982 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:01:38.196959019 CET | 443 | 49982 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:02:20.972798109 CET | 443 | 49982 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:02:20.973002911 CET | 49982 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:02:20.974972963 CET | 49982 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:02:20.974998951 CET | 443 | 49982 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:02:20.976881027 CET | 49985 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:02:20.976919889 CET | 443 | 49985 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:02:20.977006912 CET | 49985 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:02:20.977484941 CET | 49985 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:02:20.977497101 CET | 443 | 49985 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:03:03.735485077 CET | 443 | 49985 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:03:03.735589027 CET | 49985 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:03:03.741291046 CET | 49985 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:03:03.741324902 CET | 443 | 49985 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:03:03.755677938 CET | 49986 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:03:03.755729914 CET | 443 | 49986 | 5.253.86.15 | 192.168.2.10
                                                     Jan 10, 2025 18:03:03.755853891 CET | 49986 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:03:03.789199114 CET | 49986 | 443 | 192.168.2.10 | 5.253.86.15
                                                     Jan 10, 2025 18:03:03.789217949 CET | 443 | 49986 | 5.253.86.15 | 192.168.2.10
                                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                     Jan 10, 2025 18:00:12.664087057 CET | 51876 | 53 | 192.168.2.10 | 1.1.1.1
                                                     Jan 10, 2025 18:00:12.677225113 CET | 53 | 51876 | 1.1.1.1 | 192.168.2.10
                                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                     Jan 10, 2025 18:00:12.664087057 CET | 192.168.2.10 | 1.1.1.1 | 0x4432 | Standard query (0) | oshi.at | A (IP address) | IN (0x0001) | false
                                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                     Jan 10, 2025 18:00:12.677225113 CET | 1.1.1.1 | 192.168.2.10 | 0x4432 | No error (0) | oshi.at | | 5.253.86.15 | A (IP address) | IN (0x0001) | false
                                                     Jan 10, 2025 18:00:12.677225113 CET | 1.1.1.1 | 192.168.2.10 | 0x4432 | No error (0) | oshi.at | | 194.15.112.248 | A (IP address) | IN (0x0001) | false
                                                     [Chart: process activity over time, x axis 0-150 s, y axis 0-100; image not recoverable]
                                                     [Chart: memory usage over time, x axis 0-150 s, y axis 0-20 MB; image not recoverable]
                                                     [Chart: process behavior distribution across File, Registry and Network; image not recoverable]

                                                    Target ID:0
                                                    Start time:12:00:11
                                                    Start date:10/01/2025
                                                    Path:C:\Users\user\Desktop\GhwFStoMJX.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\GhwFStoMJX.exe"
                                                    Imagebase:0xea0000
                                                    File size:31'712 bytes
                                                    MD5 hash:ED236267C78420804814D86DE99B8850
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:false

                                                    Executed Functions

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614803875.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1880000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1e2cf0ea152b7bfe84b67c3ad62285876473f0d3e7b063f8d2165b6257d6753b
                                                    • Instruction ID: 2fe1bd18a3d315fe88fb0780760e6bdaca626ae906d616b31c5d50415b7f54c3
                                                    • Opcode Fuzzy Hash: 1e2cf0ea152b7bfe84b67c3ad62285876473f0d3e7b063f8d2165b6257d6753b
                                                    • Instruction Fuzzy Hash: DF21493170D3498FD316B678AC5452AFFB59E8136934542AAF507CF252EA649F0C8352
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614803875.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1880000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9c2419c22a959f2a7e1a5f7246b2e81c057b1882b3f47a354f2197d179cacee
                                                    • Instruction ID: 4ab814312418551df3c717034dfb8dc042a79f81cf0239660ef8e32791119c70
                                                    • Opcode Fuzzy Hash: b9c2419c22a959f2a7e1a5f7246b2e81c057b1882b3f47a354f2197d179cacee
                                                    • Instruction Fuzzy Hash: BD313971D002499FDB24DFAAC584AEEBFF5EF48340F248419E509AB350DB349A46CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614803875.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1880000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3023473962435610689a14ece49df7402b9c830cad12be65742dc7f600566bd5
                                                    • Instruction ID: d1c2247d48a2dd7ce9613c42ee850cb8e4404d23ed5d0e5b76eed0b2a07b90a3
                                                    • Opcode Fuzzy Hash: 3023473962435610689a14ece49df7402b9c830cad12be65742dc7f600566bd5
                                                    • Instruction Fuzzy Hash: EF311570D002489FDB24DFAAC584AEEBFF5EF48340F248419E809AB350DB749946CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614648443.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_179d000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8b06c3108a47104b80ae024ad75012fda10433b2daacbc260e0020ee84fa00f2
                                                    • Instruction ID: 7332a74634977e45353cf42dc28ac6b81b6d8c4c4e6d861274d09aff9ddf20dc
                                                    • Opcode Fuzzy Hash: 8b06c3108a47104b80ae024ad75012fda10433b2daacbc260e0020ee84fa00f2
                                                    • Instruction Fuzzy Hash: 1321F471504240DFDF25DF94E9C0B16FF65FB88314F30C1A9E9090A256C336D45ACBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614803875.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1880000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e088096c8c5192999be7138d9b9b28a4d10bf495f04f8087bc275aad489090e
                                                    • Instruction ID: 1962825299d9f3c2705aae6dc38422c3f2dfc498a4e608f75da890b97eaf7e2c
                                                    • Opcode Fuzzy Hash: 3e088096c8c5192999be7138d9b9b28a4d10bf495f04f8087bc275aad489090e
                                                    • Instruction Fuzzy Hash: D401D6223082484FD713B3389C2057D3BB6BEC6355359446AE456CB341EAAC9F4947D2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614648443.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_179d000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction ID: 604394677a020d392a4683f8d5de9b595f13b939e7b24dfb8ce7e403c2f2c1e0
                                                    • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction Fuzzy Hash: 7E119D76504240CFDF16CF54D5C4B16BF61FB84324F3485A9D9090B256C336D55ACBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614803875.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1880000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4e0d70c0de1bdfd7ab51b611c7e6f2855ee9197f2d422fe01bb0269f21377c38
                                                    • Instruction ID: 7f083ceb13d09ca1a28a93cb1cc0d6bba4b51946b4a584f65ccbe3b465df3820
                                                    • Opcode Fuzzy Hash: 4e0d70c0de1bdfd7ab51b611c7e6f2855ee9197f2d422fe01bb0269f21377c38
                                                    • Instruction Fuzzy Hash: 0C112130A48249CFDB15BF78C0656BDBBB1AF4931CF254469E002EB251DB794E49CB52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614803875.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1880000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d4cbb4c0dcb5d0440cffb799480029dc1f51359d73073d0c1900adcfab9e9576
                                                    • Instruction ID: e3c49fc7f3b1d9e42e96664e4d38197dd1665646bfad2333d3c519a498a83dfd
                                                    • Opcode Fuzzy Hash: d4cbb4c0dcb5d0440cffb799480029dc1f51359d73073d0c1900adcfab9e9576
                                                    • Instruction Fuzzy Hash: 8B01E970B44209CFDB59BF6880656BDBAB2AB4930DF25456AE003EB350DB748E49CB52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614648443.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_179d000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1b699cac58a50d2b0cb2e1a7cd34e80819ce0d0bdf13ede5949a02038d3aa8e6
                                                    • Instruction ID: 317400efd82c73a7dac3a7cfb612cda735a45f261b81788b1be6ddf14d48598d
                                                    • Opcode Fuzzy Hash: 1b699cac58a50d2b0cb2e1a7cd34e80819ce0d0bdf13ede5949a02038d3aa8e6
                                                    • Instruction Fuzzy Hash: A201DB315053849EFB318A65ECC4B6AFFE8EF41764F14C45AED090A282D37C9845CAB6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614803875.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1880000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 866306112f4d0449b074c47a934d9eeb5581a974a841823bd7f162693a8ce9ae
                                                    • Instruction ID: 2ad10fb315c0a392386dc64298d19f60b2e480538e3b067697ed684d1efc3b8a
                                                    • Opcode Fuzzy Hash: 866306112f4d0449b074c47a934d9eeb5581a974a841823bd7f162693a8ce9ae
                                                    • Instruction Fuzzy Hash: 30F0C8323006088BD726B22DA81053E72BABAC57953158429E416DB300FEBCDF4A47D5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614648443.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_179d000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 695d4b73ac7c1dac2fbb71fa1a9b5688538b71bed103908112635472c478c2a8
                                                    • Instruction ID: 459165c916dbb300dc12e70f41815966094965c2634661a1594f293ee661dc56
                                                    • Opcode Fuzzy Hash: 695d4b73ac7c1dac2fbb71fa1a9b5688538b71bed103908112635472c478c2a8
                                                    • Instruction Fuzzy Hash: 81F096714053849EEB208A1AECC4B66FFD8EB41734F18C45AFD484F697C2799845CBB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614803875.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1880000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 306e09702d13718c560185ac407d1641db8686f692d4550f361a7d83a2b0846d
                                                    • Instruction ID: d55c0c0c89cc21d24bb3608fe63d6bb43059a7067d85d2a0fa40dcae8497ccdd
                                                    • Opcode Fuzzy Hash: 306e09702d13718c560185ac407d1641db8686f692d4550f361a7d83a2b0846d
                                                    • Instruction Fuzzy Hash: 31F09030D0D389EFCB01EB78AC4525C7FB1AA4A300B9541E6D585D7212E6341F48CB92
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614803875.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1880000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5103481472046cd5c7c9f56fbe0b94a987b1b649874d6bcd74c438976d59a108
                                                    • Instruction ID: e12e6a9f9dfae5adce7cccd26cb5eba7c5b0531baef8629e96221bcdd8a90e7d
                                                    • Opcode Fuzzy Hash: 5103481472046cd5c7c9f56fbe0b94a987b1b649874d6bcd74c438976d59a108
                                                    • Instruction Fuzzy Hash: 53E0E530D1820DEFCB40EFB8E94559CBBF5EB48344F6085A9D90AE3200E7716F489B91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3614803875.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1880000_GhwFStoMJX.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 06b32392d19daa6de60e83739c5e1ed2d52205e9b27aecb072d7839a8fcdfca2
                                                    • Instruction ID: 071005e805a4b1b3bf380beb526ae8857f4af049a80aca820ca36acaed0cef1a
                                                    • Opcode Fuzzy Hash: 06b32392d19daa6de60e83739c5e1ed2d52205e9b27aecb072d7839a8fcdfca2
                                                    • Instruction Fuzzy Hash: 0DD012317400115B8F0D33BC5019B2CA5E75BE67457058118D007DFAC8DF711D990787