| File name: | Nyx.exe |
| Full analysis: | https://app.any.run/tasks/6b0a869e-4abb-4ade-87d5-8bb5f74e8875 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | May 27, 2026, 23:15:03 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 5 sections |
| MD5: | 64CA6916FEA1265B2345BC483C75701F |
| SHA1: | 4CFDCBC57CE68632393E317548239BE2EC9FC366 |
| SHA256: | 6AB463A750600F5C238AE5456B07C448FFDC98F5A440A5DC6677D2C328490A86 |
| SSDEEP: | 98304:N207nDzYc2y2tcCpS1wbbpz3hxPdUFVp5Hc9kdaB65hZA7qGRplv9CMfU:CM |
MALICIOUS
Changes the autorun value in the registry
- reg.exe (PID: 1552)
Steals Discord credentials and data (YARA)
- Nyx.exe (PID: 7000)
- WerFault.exe (PID: 6060)
SUSPICIOUS
Uses WMIC.EXE to obtain computer system information
- Nyx.exe (PID: 7000)
The process checks if it is being run in the virtual environment
- Nyx.exe (PID: 7000)
Executable content was dropped or overwritten
- Nyx.exe (PID: 7000)
Starts CMD.EXE with AutoRun commands disabled
- cmd.exe (PID: 1876)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 1876)
Uses REG/REGEDIT.EXE to modify or delete registry entries
- cmd.exe (PID: 1876)
Executes application which crashes
- Nyx.exe (PID: 7000)
There is functionality for VM detection QEMU (YARA)
- WerFault.exe (PID: 6060)
There is functionality for VM detection VirtualBox (YARA)
- WerFault.exe (PID: 6060)
There is functionality for VM detection VMWare (YARA)
- WerFault.exe (PID: 6060)
There is functionality for VM detection antiVM strings (YARA)
- WerFault.exe (PID: 6060)
Possibly patching Antimalware Scan Interface function (YARA)
- WerFault.exe (PID: 6060)
INFO
Reads security settings of Internet Explorer
- WMIC.exe (PID: 7248)
Displays MAC addresses of computer network adapters
- getmac.exe (PID: 5584)
Checks supported languages
- Nyx.exe (PID: 7000)
- SecurityHealth.exe (PID: 8348)
Creates files or folders in the user directory
- Nyx.exe (PID: 7000)
- WerFault.exe (PID: 6060)
Create files in a temporary directory
- mofcomp.exe (PID: 9104)
Reads the computer name
- Nyx.exe (PID: 7000)
Launching a file from a Registry key
- reg.exe (PID: 1552)
Manual execution by a user
- SecurityHealth.exe (PID: 8348)
Application based on Rust
- WerFault.exe (PID: 6060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2026:05:27 23:05:48+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.51 |
| CodeSize: | 2314752 |
| InitializedDataSize: | 1236992 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x230470 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
168
Monitored processes
12
Malicious processes
2
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1552 | reg add \"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" /v \"SecurityHealth\" /t REG_SZ /d \"C:\Users\admin\AppData\Roaming\Microsoft\Windows\SecurityHealth.exe\" /f | C:\Windows\System32\reg.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1876 | "cmd" /C "reg add \"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" /v \"SecurityHealth\" /t REG_SZ /d \"C:\Users\admin\AppData\Roaming\Microsoft\Windows\SecurityHealth.exe\" /f" | C:\Windows\System32\cmd.exe | — | Nyx.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5584 | "getmac" /NH | C:\Windows\System32\getmac.exe | — | Nyx.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Displays NIC MAC information Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6060 | C:\WINDOWS\system32\WerFault.exe -u -p 7000 -s 376 | C:\Windows\System32\WerFault.exe | Nyx.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6432 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SecurityHealth.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7000 | "C:\Users\admin\AppData\Local\Temp\Nyx.exe" | C:\Users\admin\AppData\Local\Temp\Nyx.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225477 Modules
| |||||||||||||||
| 7248 | "wmic" computersystem get model,manufacturer | C:\Windows\System32\wbem\WMIC.exe | — | Nyx.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7428 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7580 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | Nyx.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8348 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\SecurityHealth.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\SecurityHealth.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
0
Read events
0
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
7
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6060 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Nyx.exe_bf8a8a337444d35cf0cb806f743cb7651de11e84_0ac06aac_49c6f6ca-2e06-4875-8840-6b96ba273372\Report.wer | — | |
MD5:— | SHA256:— | |||
| 7000 | Nyx.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\System32\sysinfocache.dat | text | |
MD5:7186D1B1F9CA3ABF428C54AC6EE965B1 | SHA256:61CB6F224772A01CBF837DC127DD0612BEAD1E654C10D3DB485EC6CA738C5290 | |||
| 7000 | Nyx.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\update.mof | text | |
MD5:C30246DAA6E9744DFF7208217EED19D4 | SHA256:AB15994E1409405447642BBF17621CE73F37A59133EBCCBA87D33BD722FBF5E7 | |||
| 7000 | Nyx.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\SecurityHealth.exe | executable | |
MD5:64CA6916FEA1265B2345BC483C75701F | SHA256:6AB463A750600F5C238AE5456B07C448FFDC98F5A440A5DC6677D2C328490A86 | |||
| 7000 | Nyx.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WinUpdateCore.exe | executable | |
MD5:64CA6916FEA1265B2345BC483C75701F | SHA256:6AB463A750600F5C238AE5456B07C448FFDC98F5A440A5DC6677D2C328490A86 | |||
| 9104 | mofcomp.exe | C:\Users\admin\AppData\Local\Temp\tmp9554.tmp | binary | |
MD5:5EDF3EA71CC0858582EE24B4D853C24B | SHA256:20D05C845EC5DCC0B33235F21DE320250224D0E6B3C1FBCBEFB1C324FC84DA65 | |||
| 6060 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER965E.tmp.dmp | binary | |
MD5:7ED35CCE60DE1FD1B1E9360B1925B229 | SHA256:93EF3C66D07089290195320C089DA843B9DE2A35D54A7DD4BDC48EFAD1EB7165 | |||
| 6060 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | binary | |
MD5:FC2FAE9740FDDB59440B94E791FACC05 | SHA256:BE10C9C5BB492A124F62A253BFF6E45C3DE654E3A923F252039C4E70CC76B09A | |||
| 6060 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\Nyx.exe.7000.dmp | binary | |
MD5:8FDF5C910FDCE319D085CA3BB653E99F | SHA256:8D0A040588A38C0F5E05EFD5F3BD0DE18E7F70299C3F0EEDD9E9D09432784AC6 | |||
| 6060 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785 | binary | |
MD5:3D3FF10C7688B8DC7ED7A94E287F9F78 | SHA256:E6B93EB7DA331454E9663785E12A1605557E81AF338AE341BE9A81A10F1CE5DE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
26
DNS requests
18
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5276 | MoUsoCoreWorker.exe | GET | 304 | 48.209.133.15:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | — | — | whitelisted |
9108 | svchost.exe | POST | 400 | 40.126.31.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 204 b | whitelisted |
6816 | SIHClient.exe | GET | 304 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
6060 | WerFault.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
9108 | svchost.exe | GET | 200 | 23.11.40.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | NL | binary | 471 b | whitelisted |
6816 | SIHClient.exe | GET | 200 | 135.233.95.135:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | — | — | whitelisted |
6816 | SIHClient.exe | GET | 200 | 74.178.76.128:443 | https://slscr.update.microsoft.com/sls/ping | US | — | — | whitelisted |
6816 | SIHClient.exe | GET | 304 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
6060 | WerFault.exe | POST | 200 | 172.178.240.162:443 | https://watson.events.data.microsoft.com/Telemetry.Request | US | xml | 693 b | whitelisted |
9108 | svchost.exe | POST | 200 | 40.126.31.2:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3068 | svchost.exe | 48.209.138.189:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
5276 | MoUsoCoreWorker.exe | 48.209.138.189:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
6060 | WerFault.exe | 172.178.240.162:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6060 | WerFault.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
6060 | WerFault.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
3428 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
9108 | svchost.exe | 40.126.31.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
activation-v2.sls.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6060 | WerFault.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |