Edit tour

Windows Analysis Report
NisSrv.exe

Overview

General Information

Sample name:NisSrv.exe
Analysis ID:1657480
MD5:3cf93d16b6017b5d0a31e384d48eb89c
SHA1:29eb619c155feaa277e8d71a14607b3917e909e5
SHA256:dfdf0c9bb0d99e10e9b956c300b0b490ff4c9fc869e60b1e199b5d2106762a4c
Tags:exesideloadinguser-vertos
Infos:

Detection

Score:16
Range:0 - 100
Confidence:80%

Signatures

Sigma detected: Potential Mpclient.DLL Sideloading Via Defender Binaries
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w10x64
  • NisSrv.exe (PID: 7372 cmdline: "C:\Users\user\Desktop\NisSrv.exe" MD5: 3CF93D16B6017B5D0A31E384D48EB89C)
    • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

barindex
Source: Process startedAuthor: Bhabesh Raj: Data: Command: "C:\Users\user\Desktop\NisSrv.exe", CommandLine: "C:\Users\user\Desktop\NisSrv.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\NisSrv.exe, NewProcessName: C:\Users\user\Desktop\NisSrv.exe, OriginalFileName: C:\Users\user\Desktop\NisSrv.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Users\user\Desktop\NisSrv.exe", ProcessId: 7372, ProcessName: NisSrv.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results
Source: NisSrv.exeStatic PE information: certificate valid
Source: NisSrv.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: NisSrv.pdb source: NisSrv.exe
Source: NisSrv.exeString found in binary or memory: http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://F
Source: NisSrv.exeString found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: NisSrv.exeString found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: NisSrv.exeString found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: NisSrv.exeBinary or memory string: OriginalFilename vs NisSrv.exe
Source: classification engineClassification label: clean16.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: NisSrv.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NisSrv.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\NisSrv.exe "C:\Users\user\Desktop\NisSrv.exe"
Source: C:\Users\user\Desktop\NisSrv.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NisSrv.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Users\user\Desktop\NisSrv.exeSection loaded: dnsapi.dllJump to behavior
Source: NisSrv.exeStatic PE information: certificate valid
Source: initial sampleStatic PE information: Valid certificate with Microsoft Issuer
Source: NisSrv.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: NisSrv.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: NisSrv.exeStatic file information: File size 4464024 > 1048576
Source: NisSrv.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2ce000
Source: NisSrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NisSrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NisSrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NisSrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NisSrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NisSrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: NisSrv.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: NisSrv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: NisSrv.pdb source: NisSrv.exe
Source: NisSrv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NisSrv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NisSrv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NisSrv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NisSrv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: NisSrv.exeStatic PE information: section name: .didat
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\NisSrv.exeCode function: 0_2_00007FF76E19C850 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF76E19C850
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
1
Process Injection
1
Process Injection
OS Credential Dumping1
System Time Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
1
DLL Side-Loading
LSASS Memory2
System Information Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1657480 Sample: NisSrv.exe Startdate: 06/04/2025 Architecture: WINDOWS Score: 16 10 Sigma detected: Potential Mpclient.DLL Sideloading Via Defender Binaries 2->10 6 NisSrv.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
NisSrv.exe0%ReversingLabs
NisSrv.exe0%VirustotalBrowse
No Antivirus matches
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://F0%Avira URL Cloudsafe
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
https://unitedstates1.ss.wd.microsoft.us/NisSrv.exefalse
    high
    http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://FNisSrv.exefalse
    • Avira URL Cloud: safe
    unknown
    https://unitedstates2.ss.wd.microsoft.us/NisSrv.exefalse
      high
      https://unitedstates4.ss.wd.microsoft.us/NisSrv.exefalse
        high
        No contacted IP infos
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1657480
        Start date and time:2025-04-06 01:43:25 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 27s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:12
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:NisSrv.exe
        Detection:CLEAN
        Classification:clean16.winEXE@2/0@0/0
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 1
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 184.31.69.3, 131.253.33.254, 52.149.20.212
        • Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target NisSrv.exe, PID 7372 because there are no executed function
        • Not all processes where analyzed, report is missing behavior information
        No simulations
        No context
        No context
        No context
        No context
        No context
        No created / dropped files found
        File type:PE32+ executable (console) x86-64, for MS Windows
        Entropy (8bit):6.454526587237915
        TrID:
        • Win64 Executable Console (202006/5) 92.65%
        • Win64 Executable (generic) (12005/4) 5.51%
        • Generic Win/DOS Executable (2004/3) 0.92%
        • DOS Executable Generic (2002/1) 0.92%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:NisSrv.exe
        File size:4'464'024 bytes
        MD5:3cf93d16b6017b5d0a31e384d48eb89c
        SHA1:29eb619c155feaa277e8d71a14607b3917e909e5
        SHA256:dfdf0c9bb0d99e10e9b956c300b0b490ff4c9fc869e60b1e199b5d2106762a4c
        SHA512:73cb294c8102bead16519307c6dff73f75404c114cb3c85be048d7a9b806f359df8fae1e9f9b90f50ba489aff0b026295d5514df1e535e26de915cb49494c447
        SSDEEP:49152:t2Fs2Wjg5CAc1J0Y2412yd33uFITQ81ZfZeUjCMdQUhIfKId4wbrrb0KhQ:oc/4y5ZTwTk
        TLSH:C4265B16B25841D9C0B9E0B49E07CD4BE772BC15033467DB12E6D7A61F976A0AEBF320
        File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................................................................................................k............S.....
        Icon Hash:90cececece8e8eb0
        Entrypoint:0x14028c1c0
        Entrypoint Section:.text
        Digitally signed:true
        Imagebase:0x140000000
        Subsystem:windows cui
        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Time Stamp:0x6029A04E [Sun Feb 14 22:12:30 2021 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:10
        OS Version Minor:0
        File Version Major:10
        File Version Minor:0
        Subsystem Version Major:10
        Subsystem Version Minor:0
        Import Hash:bc85e0cb532ab955ea1c7283fd00b0d9
        Signature Valid:true
        Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
        Signature Validation Error:The operation completed successfully
        Error Number:0
        Not Before, Not After
        • 14/11/2024 23:56:46 12/11/2025 23:56:46
        Subject Chain
        • CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
        Version:3
        Thumbprint MD5:08D42E39BA357588E8330A0E9D046097
        Thumbprint SHA-1:48B2486F389C9927957299BDFD24C2ABEF9D15DB
        Thumbprint SHA-256:B788F393B79D36CE5E87CB36B2EB5044788AE2E4B61FE081EC2B109361D0C831
        Serial:33000004C8517D2E95BDD588BE0000000004C8
        Instruction
        dec eax
        sub esp, 28h
        call 00007F8A488286CCh
        dec eax
        add esp, 28h
        jmp 00007F8A48827EAFh
        int3
        int3
        dec eax
        sub esp, 28h
        call 00007F8A48827700h
        jmp 00007F8A48828044h
        xor eax, eax
        dec eax
        add esp, 28h
        ret
        int3
        int3
        jmp 00007F8A488276F0h
        int3
        int3
        int3
        dec eax
        sub esp, 28h
        dec ebp
        mov eax, dword ptr [ecx+38h]
        dec eax
        mov ecx, edx
        dec ecx
        mov edx, ecx
        call 00007F8A48828052h
        mov eax, 00000001h
        dec eax
        add esp, 28h
        ret
        int3
        int3
        int3
        inc eax
        push ebx
        inc ebp
        mov ebx, dword ptr [eax]
        dec eax
        mov ebx, edx
        inc ecx
        and ebx, FFFFFFF8h
        dec esp
        mov ecx, ecx
        inc ecx
        test byte ptr [eax], 00000004h
        dec esp
        mov edx, ecx
        je 00007F8A48828055h
        inc ecx
        mov eax, dword ptr [eax+08h]
        dec ebp
        arpl word ptr [eax+04h], dx
        neg eax
        dec esp
        add edx, ecx
        dec eax
        arpl ax, cx
        dec esp
        and edx, ecx
        dec ecx
        arpl bx, ax
        dec edx
        mov edx, dword ptr [eax+edx]
        dec eax
        mov eax, dword ptr [ebx+10h]
        mov ecx, dword ptr [eax+08h]
        dec eax
        mov eax, dword ptr [ebx+08h]
        test byte ptr [ecx+eax+03h], 0000000Fh
        je 00007F8A4882804Dh
        movzx eax, byte ptr [ecx+eax+03h]
        and eax, FFFFFFF0h
        dec esp
        add ecx, eax
        dec esp
        xor ecx, edx
        dec ecx
        mov ecx, ecx
        pop ebx
        jmp 00007F8A4882752Ah
        int3
        dec eax
        mov eax, esp
        dec eax
        mov dword ptr [eax+08h], ebx
        dec eax
        mov dword ptr [eax+10h], ebp
        dec eax
        mov dword ptr [eax+18h], esi
        dec eax
        mov dword ptr [eax+20h], edi
        inc ecx
        push esi
        dec eax
        sub esp, 20h
        dec ecx
        mov ebx, dword ptr [ecx+00h]
        NameVirtual AddressVirtual Size Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IMPORT0x374f200x8c.rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE0x4430000x8b8.rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x4280000x194a0.pdata
        IMAGE_DIRECTORY_ENTRY_SECURITY0x4360000xbd98
        IMAGE_DIRECTORY_ENTRY_BASERELOC0x4440000x6800.reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG0x2fed000x8c.rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
        IMAGE_DIRECTORY_ENTRY_TLS0x2fef000x28.rdata
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x2e1e200x140.rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IAT0x2cf0000x7d8.rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x3744600x160.rdata
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
        .text0x10000x2cd8ac0x2ce00010269414bc4e701b24fdbfe7c32b9a2bunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata0x2cf0000xa7b020xa8000bb657c0f55e76664be898c2e3c7ca4e5False0.35851905459449407SysEx File -4.9552422031375505IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data0x3770000xb0f3c0x9c0008f0a70827227be3370716508bc6dd8c9False0.08099991235977565DIY-Thermocam raw data (Lepton 3.x), scale 28798-11584, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.0130775.004333189303513IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .pdata0x4280000x194a00x1a000d9bc8caa47e9e0541d220fee18a37ef0False0.48617788461538464data6.058445714623236IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .didat0x4420000x1f00x1000c0839647f372b7373930d4bbeb3a99faFalse0.047607421875data0.5916261922176167IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc0x4430000x8b80x1000dc5ac082f1177e6924182bd876d5e2bbFalse0.260498046875data3.035924662902366IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc0x4440000x68000x7000e9be992d5431031e89267895dded3574False0.18300083705357142data5.308315749634968IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        NameRVASizeTypeLanguageCountryZLIB Complexity
        RT_VERSION0x4430a00x458dataEnglishUnited States0.46672661870503596
        RT_MANIFEST0x4434f80x3baXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (894), with CRLF line terminatorsEnglishUnited States0.510482180293501
        DLLImport
        MpClient.dllMpFreeMemory, MpManagerOpen, MpNotificationRegister, MpHandleClose, MpConfigGetValueAlloc, MpConfigClose, MpConfigOpen, MpClientUtilExportFunctions, MpConfigInitialize, MpUtilsExportFunctions, MpConfigUninitialize
        ntdll.dllRtlIpv4StringToAddressExW, RtlIpv6StringToAddressExW, VerSetConditionMask, RtlPcToFileHeader, RtlCaptureContext, RtlUnwind, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlUnwindEx
        KERNEL32.dllDeleteFiber, GetModuleFileNameA, CreateSemaphoreExW, HeapFree, SetLastError, ReleaseSemaphore, ReleaseMutex, OpenSemaphoreW, HeapAlloc, DecodePointer, CreateMutexExW, GetCurrentProcessId, DebugBreak, GetSystemTimeAsFileTime, CreateFileW, GetLocaleInfoW, DeviceIoControl, FindFirstFileW, FindNextFileW, FindClose, GetFileAttributesW, GetProcessTimes, QueryProcessCycleTime, GetLongPathNameW, GetProcessId, DuplicateHandle, OpenProcess, QueryFullProcessImageNameW, QueryUnbiasedInterruptTime, StartThreadpoolIo, CreateThreadpoolIo, WaitForThreadpoolIoCallbacks, CancelThreadpoolIo, CancelIoEx, GetOverlappedResult, CloseThreadpoolIo, InitializeSRWLock, TryAcquireSRWLockExclusive, ReleaseSRWLockExclusive, ConvertFiberToThread, ReleaseSRWLockShared, AcquireSRWLockShared, GetExitCodeProcess, InitializeCriticalSection, ResetEvent, GetModuleHandleA, GlobalFree, VerifyVersionInfoW, ExpandEnvironmentStringsW, Sleep, LocalFree, SwitchToThread, FormatMessageA, GetTickCount64, GetSystemDirectoryW, VirtualQuery, GetProcessMitigationPolicy, SetProcessMitigationPolicy, InitializeCriticalSectionAndSpinCount, CreateFiberEx, WriteFile, SetFilePointerEx, GetFileSizeEx, ReadFile, FindFirstFileExW, CreateDirectoryW, SetEnvironmentVariableW, CreateFileMappingW, MapViewOfFile, GetFileInformationByHandle, QueryPerformanceFrequency, FlsAlloc, WideCharToMultiByte, SwitchToFiber, GetCurrentProcess, TerminateProcess, WaitForSingleObject, WaitForSingleObjectEx, SetEvent, CreateEventW, GetProcessHeap, HeapSetInformation, DeleteCriticalSection, InitializeCriticalSectionEx, LoadLibraryExW, FindResourceW, LoadResource, SizeofResource, EnterCriticalSection, LeaveCriticalSection, lstrcmpiW, GetModuleHandleW, GetProcAddress, FreeLibrary, CloseHandle, RaiseException, SystemTimeToFileTime, GetSystemTime, SubmitThreadpoolWork, CreateThreadpoolWork, SetThreadpoolThreadMaximum, CreateThreadpool, CloseThreadpoolWork, WaitForThreadpoolWorkCallbacks, CloseThreadpool, MultiByteToWideChar, GetLastError, IsDebuggerPresent, GetCurrentThreadId, OutputDebugStringW, CreateThreadpoolTimer, CloseThreadpoolTimer, WaitForThreadpoolTimerCallbacks, SetThreadpoolTimer, FormatMessageW, SetUnhandledExceptionFilter, AddVectoredExceptionHandler, SetErrorMode, GetModuleFileNameW, GetModuleHandleExW, RemoveVectoredExceptionHandler, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapSize, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadConsoleW, SetEndOfFile, WriteConsoleW, UnmapViewOfFile, GetSystemInfo, VirtualProtect, LoadLibraryExA, ConvertThreadToFiber, IsThreadAFiber, GetVersionExW, CreateMutexW, AcquireSRWLockExclusive, HeapReAlloc, GetFileType, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, GetOEMCP, GetACP, IsValidCodePage, FreeLibraryAndExitThread, ExitThread, CreateThread, SetConsoleCtrlHandler, GetLocaleInfoEx, GetThreadPreferredUILanguages, GetUserPreferredUILanguages, GetSystemPreferredUILanguages, QueryPerformanceCounter, SleepConditionVariableSRW, WakeConditionVariable, WakeAllConditionVariable, InitOnceComplete, InitOnceBeginInitialize, GetFileAttributesExW, SetFileInformationByHandle, AreFileApisANSI, CopyFileW, MoveFileExW, GetFileInformationByHandleEx, GetStringTypeW, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetStartupInfoW, InitializeSListHead, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree
        ADVAPI32.dllRegSetKeyValueW, RegOpenCurrentUser, RegGetValueW, ImpersonateLoggedOnUser, CloseServiceHandle, OpenSCManagerW, StartServiceW, OpenServiceW, RevertToSelf, SetThreadToken, DuplicateTokenEx, RegQueryValueExW, SetServiceStatus, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegCloseKey, RegDeleteKeyW, UnregisterTraceGuids, RegisterTraceGuidsW, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, TraceMessage, EventWriteTransfer, EventRegister, EventUnregister
        USER32.dllCharNextW
        DNSAPI.dllDnsQuery_W, DnsFree
        DescriptionData
        CompanyNameMicrosoft Corporation
        FileDescriptionMicrosoft Network Realtime Inspection Service
        InternalNameNisSrv.exe
        LegalCopyright Microsoft Corporation. All rights reserved.
        OriginalFilenameNisSrv.exe
        ProductNameMicrosoft Windows Operating System
        FileVersion4.18.25020.1009 (f9825cc40e26f897bbd18abcfcc53873f7599597)
        ProductVersion4.18.25020.1009
        PrivateBuildGitEnlistment(ContainerAdministrator)
        Translation0x0409 0x04b0
        Language of compilation systemCountry where language is spokenMap
        EnglishUnited States
        No network behavior found
        050100s020406080100

        Click to jump to process

        050100s0.0051015MB

        Click to jump to process

        Click to jump to process

        Target ID:0
        Start time:19:44:23
        Start date:05/04/2025
        Path:C:\Users\user\Desktop\NisSrv.exe
        Wow64 process (32bit):false
        Commandline:"C:\Users\user\Desktop\NisSrv.exe"
        Imagebase:0x7ff76df10000
        File size:4'464'024 bytes
        MD5 hash:3CF93D16B6017B5D0A31E384D48EB89C
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:false

        Target ID:1
        Start time:19:44:23
        Start date:05/04/2025
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff62fc20000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Non-executed Functions

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2430439125.00007FF76DF11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF76DF10000, based on PE: true
        • Associated: 00000000.00000002.2430385762.00007FF76DF10000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2431073043.00007FF76E1DF000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2431131261.00007FF76E1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2431339410.00007FF76E287000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2431394853.00007FF76E288000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2431394853.00007FF76E28A000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2431592120.00007FF76E338000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_7ff76df10000_NisSrv.jbxd
        Similarity
        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
        • String ID:
        • API String ID: 2933794660-0
        • Opcode ID: a044f0603a8f5416b15d4ffb813421693a560343504ca302c5c88d397e059e2d
        • Instruction ID: 1be77c47f31072461c2f64f569b000e2ff5be2b55b3aebe601cad407faa352e6
        • Opcode Fuzzy Hash: a044f0603a8f5416b15d4ffb813421693a560343504ca302c5c88d397e059e2d
        • Instruction Fuzzy Hash: 2F112122B14F01C9EB10DF60E8542B973A4FB19768F841E31EA6D867A8DF7CD1948360