
Windows Analysis Report
f_001f19#U007e.s

Overview

General Information

Sample name: f_001f19#U007e.s
(renamed file extension from none to s, renamed because original name is a hash value)
Original sample name: f_001f19~
Analysis ID: 1541099
MD5: 8baefc2d186d95312ac12e398cf6b842
SHA1: 1b1ec28b2a9f913cff30374a3d0f8ee15668a7b3
SHA256: a7705be0abfacdd4007d5158b879221be350183df073cbe5bc8d73396137f876

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • OpenWith.exe (PID: 768 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


Source: f_001f19#U007e.s | String found in binary or memory: function isInsideYoutubeVideo(event){var elem=event.target;var isControl=false;if(document.URL.indexOf('www.youtube.com/watch')!=-1){do{isControl=(elem.classList&&elem.classList.contains('html5-video-controls'));if(isControl)break;}while(elem=elem.parentNode);} equals www.youtube.com (Youtube)
Source: f_001f19#U007e.s | String found in binary or memory: http://api.jqueryui.com/category/effects-core/
Source: f_001f19#U007e.s | String found in binary or memory: http://dreamerslab.com/)
Source: f_001f19#U007e.s | String found in binary or memory: http://gambit.ph
Source: f_001f19#U007e.s | String found in binary or memory: http://getbootstrap.com)
Source: f_001f19#U007e.s | String found in binary or memory: http://hemantnegi.github.io/jquery.sumoselect
Source: f_001f19#U007e.s | String found in binary or memory: http://isotope.metafizzy.co
Source: f_001f19#U007e.s | String found in binary or memory: http://jquery.org/license
Source: f_001f19#U007e.s | String found in binary or memory: http://jqueryui.com
Source: f_001f19#U007e.s | String found in binary or memory: http://js-socials.com
Source: f_001f19#U007e.s | String found in binary or memory: http://masonry.desandro.com
Source: f_001f19#U007e.s | String found in binary or memory: http://nkdev.info
Source: f_001f19#U007e.s | String found in binary or memory: https://github.com/carhartl/jquery-cookie
Source: f_001f19#U007e.s | String found in binary or memory: https://github.com/imakewebthings/waypoints/blog/master/licenses.txt
Source: f_001f19#U007e.s | String found in binary or memory: https://github.com/jquery/jquery-color
Source: f_001f19#U007e.s | String found in binary or memory: https://github.com/nk-o/jarallax
Source: f_001f19#U007e.s | String found in binary or memory: https://metropolitanderm.com/wp-content/plugins/bellows-accordion-menu/assets/js/bellows.min.js
Source: f_001f19#U007e.s | String found in binary or memory: https://metropolitanderm.com/wp-content/plugins/ml-slider/assets/sliders/flexslider/jquery.flexslide
Source: f_001f19#U007e.s | String found in binary or memory: https://metropolitanderm.com/wp-content/themes/jevelin/js/jquery.sumoselect.min.js
Source: f_001f19#U007e.s | String found in binary or memory: https://metropolitanderm.com/wp-content/themes/jevelin/js/scripts.js
Source: f_001f19#U007e.s | String found in binary or memory: https://metropolitanderm.com/wp-content/themes/jevelin/js/scripts.lib.js
Source: f_001f19#U007e.s | String found in binary or memory: https://metropolitanderm.com/wp-includes/js/imagesloaded.min.js
Source: f_001f19#U007e.s | String found in binary or memory: https://metropolitanderm.com/wp-includes/js/jquery/ui/effect.min.js
Source: f_001f19#U007e.s | String found in binary or memory: https://metropolitanderm.com/wp-includes/js/masonry.min.js
Source: f_001f19#U007e.s | String found in binary or memory: https://metropolitanderm.com/wp-includes/js/wp-embed.min.js
Source: f_001f19#U007e.s | String found in binary or memory: https://nkdev.info
Source: classification engine | Classification label: clean1.winS@1/0@0/0
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:768:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenWith.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: OpenWith.exe, 00000000.00000002.2067136455.000001F3C2225000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
MITRE ATT&CK matrix (one column per tactic; a leading number is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 11 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
f_001f19#U007e.s | 8% | ReversingLabs | Script-JS.Trojan.Cryxos | -

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://jquery.org/license | 0% | URL Reputation | safe | -
http://jqueryui.com | 0% | URL Reputation | safe | -
http://api.jqueryui.com/category/effects-core/ | 0% | URL Reputation | safe | -
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://metropolitanderm.com/wp-content/themes/jevelin/js/scripts.js | f_001f19#U007e.s | false | - | unknown
http://jquery.org/license | f_001f19#U007e.s | false | URL Reputation: safe | unknown
https://github.com/carhartl/jquery-cookie | f_001f19#U007e.s | false | - | unknown
http://masonry.desandro.com | f_001f19#U007e.s | false | - | unknown
https://metropolitanderm.com/wp-content/themes/jevelin/js/jquery.sumoselect.min.js | f_001f19#U007e.s | false | - | unknown
https://metropolitanderm.com/wp-includes/js/masonry.min.js | f_001f19#U007e.s | false | - | unknown
http://jqueryui.com | f_001f19#U007e.s | false | URL Reputation: safe | unknown
http://hemantnegi.github.io/jquery.sumoselect | f_001f19#U007e.s | false | - | unknown
https://github.com/imakewebthings/waypoints/blog/master/licenses.txt | f_001f19#U007e.s | false | - | unknown
https://metropolitanderm.com/wp-content/plugins/bellows-accordion-menu/assets/js/bellows.min.js | f_001f19#U007e.s | false | - | unknown
http://nkdev.info | f_001f19#U007e.s | false | - | unknown
http://js-socials.com | f_001f19#U007e.s | false | - | unknown
https://metropolitanderm.com/wp-includes/js/imagesloaded.min.js | f_001f19#U007e.s | false | - | unknown
https://metropolitanderm.com/wp-includes/js/jquery/ui/effect.min.js | f_001f19#U007e.s | false | - | unknown
https://github.com/jquery/jquery-color | f_001f19#U007e.s | false | - | unknown
https://metropolitanderm.com/wp-content/plugins/ml-slider/assets/sliders/flexslider/jquery.flexslide | f_001f19#U007e.s | false | - | unknown
http://gambit.ph | f_001f19#U007e.s | false | - | unknown
https://metropolitanderm.com/wp-content/themes/jevelin/js/scripts.lib.js | f_001f19#U007e.s | false | - | unknown
http://isotope.metafizzy.co | f_001f19#U007e.s | false | - | unknown
http://getbootstrap.com) | f_001f19#U007e.s | false | - | unknown
http://api.jqueryui.com/category/effects-core/ | f_001f19#U007e.s | false | URL Reputation: safe | unknown
https://github.com/nk-o/jarallax | f_001f19#U007e.s | false | - | unknown
http://dreamerslab.com/) | f_001f19#U007e.s | false | - | unknown
https://metropolitanderm.com/wp-includes/js/wp-embed.min.js | f_001f19#U007e.s | false | - | unknown
https://nkdev.info | f_001f19#U007e.s | false | - | unknown
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541099
Start date and time: 2024-10-24 12:19:41 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (Javascript)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: f_001f19#U007e.s
(renamed file extension from none to s, renamed because original name is a hash value)
Original Sample Name: f_001f19~
Detection: CLEAN
Classification: clean1.winS@1/0@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: f_001f19#U007e.s

Time | Type | Description
06:20:32 | API Interceptor | 1x Sleep call for process: OpenWith.exe modified

No context

No created / dropped files found

File type: ASCII text, with very long lines (28817), with CRLF, LF line terminators
Entropy (8bit): 5.303826072735692
TrID:
  • Digital Micrograph Script (4001/1) 100.00%
File name: f_001f19#U007e.s
File size: 407'109 bytes
MD5: 8baefc2d186d95312ac12e398cf6b842
SHA1: 1b1ec28b2a9f913cff30374a3d0f8ee15668a7b3
SHA256: a7705be0abfacdd4007d5158b879221be350183df073cbe5bc8d73396137f876
SHA512: 5d04401bdad5a96eac6a09d254981c71b4a475366716dd4c6e0b1594c97cc87681904435f83892e1e7e37b831019bcaa19a78e9f026cf4b50e2ba98bc62ef74d
SSDEEP: 6144:/gKPIAQqAyTIdbu8xdgSUG1GsAMiqeCFDAbg7CM:/gKnAy4xN1ACFDAb3M
TLSH: AC842948B310323182DB61F5A16F410FB23B9569E51A84BCB1B5CAE92CB8C0D9177FBD
File Content Preview: // source --> https://metropolitanderm.com/wp-includes/js/jquery/ui/effect.min.js ./*!.. * jQuery UI Effects 1.11.4.. * http://jqueryui.com.. *.. * Copyright jQuery Foundation and other contributors.. * Released under the MIT license... * http://jquery.or
Icon Hash: 74f0e4e4e4e4e0e4

No network behavior found


Target ID: 0
Start time: 06:20:32
Start date: 24/10/2024
Path: C:\Windows\System32\OpenWith.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\OpenWith.exe -Embedding
Imagebase: 0x7ff7b72e0000
File size: 123'984 bytes
MD5 hash: E4A834784FA08C17D47A1E72429C5109
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

No disassembly