Edit tour

Windows Analysis Report
oHchwlxMNG.exe

Overview

General Information

Sample name:	oHchwlxMNG.exe renamed because original name is a hash value
Original sample name:	771049ea28dc7d93076d1019ff573d8ad9a8c47ca8dec2a8c64be18aec259d03.exe
Analysis ID:	1465287
MD5:	cb45d49e68b2c594f6c9bcf7edd6481a
SHA1:	fa05b81dc9b816e4e8dd51349271e8af273b799b
SHA256:	771049ea28dc7d93076d1019ff573d8ad9a8c47ca8dec2a8c64be18aec259d03
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code references suspicious native API functions

AI detected suspicious sample

Machine Learning detection for sample

Self deletion via cmd or bat file

Tries to detect the country of the analysis system (by using the IP)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

oHchwlxMNG.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\oHchwlxMNG.exe" MD5: CB45D49E68B2C594F6C9BCF7EDD6481A)

oHchwlxMNG.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\oHchwlxMNG.exe" MD5: CB45D49E68B2C594F6C9BCF7EDD6481A)

cmd.exe (PID: 5852 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\oHchwlxMNG.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 1868 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1483e:$a1: get_encryptedPassword 0x14b2a:$a2: get_encryptedUsername 0x1464a:$a3: get_timePasswordChanged 0x14745:$a4: get_passwordField 0x14854:$a5: set_encryptedPassword 0x15e72:$a7: get_logins 0x15dd5:$a10: KeyLoggerEventArgs 0x15a6e:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x180c4:$x1: $%SMTPDV$ 0x1812a:$x2: $#TheHashHere%& 0x19721:$x3: %FTPDV$ 0x19815:$x4: $%TelegramDv$ 0x15a6e:$x5: KeyLoggerEventArgs 0x15dd5:$x5: KeyLoggerEventArgs 0x19745:$m2: Clipboard Logs ID 0x19965:$m2: Screenshot Logs ID 0x19a75:$m2: keystroke Logs ID 0x19d4f:$m3: SnakePW 0x1993d:$m4: \SnakeKeylogger\
00000000.00000002.2074884087.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ac6b:$x1: In$J$ct0r
00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf384e:$a1: get_encryptedPassword 0x11427e:$a1: get_encryptedPassword 0x134a9e:$a1: get_encryptedPassword 0xf3b3a:$a2: get_encryptedUsername 0x11456a:$a2: get_encryptedUsername 0x134d8a:$a2: get_encryptedUsername 0xf365a:$a3: get_timePasswordChanged 0x11408a:$a3: get_timePasswordChanged 0x1348aa:$a3: get_timePasswordChanged 0xf3755:$a4: get_passwordField 0x114185:$a4: get_passwordField 0x1349a5:$a4: get_passwordField 0xf3864:$a5: set_encryptedPassword 0x114294:$a5: set_encryptedPassword 0x134ab4:$a5: set_encryptedPassword 0xf4e82:$a7: get_logins 0x1158b2:$a7: get_logins 0x1360d2:$a7: get_logins 0xf4de5:$a10: KeyLoggerEventArgs 0x115815:$a10: KeyLoggerEventArgs 0x136035:$a10: KeyLoggerEventArgs
00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf70d4:$x1: $%SMTPDV$ 0x117b04:$x1: $%SMTPDV$ 0x138324:$x1: $%SMTPDV$ 0xf713a:$x2: $#TheHashHere%& 0x117b6a:$x2: $#TheHashHere%& 0x13838a:$x2: $#TheHashHere%& 0xf8731:$x3: %FTPDV$ 0x119161:$x3: %FTPDV$ 0x139981:$x3: %FTPDV$ 0xf8825:$x4: $%TelegramDv$ 0x119255:$x4: $%TelegramDv$ 0x139a75:$x4: $%TelegramDv$ 0xf4a7e:$x5: KeyLoggerEventArgs 0xf4de5:$x5: KeyLoggerEventArgs 0x1154ae:$x5: KeyLoggerEventArgs 0x115815:$x5: KeyLoggerEventArgs 0x135cce:$x5: KeyLoggerEventArgs 0x136035:$x5: KeyLoggerEventArgs 0xf8755:$m2: Clipboard Logs ID 0xf8975:$m2: Screenshot Logs ID 0xf8a85:$m2: keystroke Logs ID
00000001.00000002.2185084446.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: oHchwlxMNG.exe PID: 6632	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: oHchwlxMNG.exe PID: 6632	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: oHchwlxMNG.exe PID: 6632	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: oHchwlxMNG.exe PID: 6632	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ad63:$a1: get_encryptedPassword 0x2afae:$a2: get_encryptedUsername 0x2ab92:$a3: get_timePasswordChanged 0x2ac74:$a4: get_passwordField 0x2ad79:$a5: set_encryptedPassword 0x2cb5d:$a7: get_logins 0x2cade:$a10: KeyLoggerEventArgs 0x2c87a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: oHchwlxMNG.exe PID: 6632	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2c87a:$x5: KeyLoggerEventArgs 0x2cade:$x5: KeyLoggerEventArgs 0x2d03d:$x5: KeyLoggerEventArgs 0x2d371:$x5: KeyLoggerEventArgs 0x2eb66:$m2: Clipboard Logs ID 0x2ec5d:$m2: Screenshot Logs ID 0x2ecb3:$m2: keystroke Logs ID 0x2ede8:$m3: SnakePW 0x2ec49:$m4: \SnakeKeylogger\
Process Memory Space: oHchwlxMNG.exe PID: 6644	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: oHchwlxMNG.exe PID: 6644	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: oHchwlxMNG.exe PID: 6644	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x227a3:$a1: get_encryptedPassword 0x22a85:$a2: get_encryptedUsername 0x225b9:$a3: get_timePasswordChanged 0x226b4:$a4: get_passwordField 0x227b9:$a5: set_encryptedPassword 0x24ba4:$a7: get_logins 0x24b07:$a10: KeyLoggerEventArgs 0x247a0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: oHchwlxMNG.exe PID: 6644	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x247a0:$x5: KeyLoggerEventArgs 0x24b07:$x5: KeyLoggerEventArgs 0x250c4:$x5: KeyLoggerEventArgs 0x253f8:$x5: KeyLoggerEventArgs 0x26cda:$m2: Clipboard Logs ID 0x26dd1:$m2: Screenshot Logs ID 0x26e27:$m2: keystroke Logs ID 0x26f5c:$m3: SnakePW 0x26dbd:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.oHchwlxMNG.exe.5bd0000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x48e6b:$x1: In$J$ct0r
0.2.oHchwlxMNG.exe.44d7d70.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x48e6b:$x1: In$J$ct0r
0.2.oHchwlxMNG.exe.5bd0000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ac6b:$x1: In$J$ct0r
0.2.oHchwlxMNG.exe.4588840.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oHchwlxMNG.exe.4588840.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.oHchwlxMNG.exe.4588840.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c3e:$a1: get_encryptedPassword 0x12f2a:$a2: get_encryptedUsername 0x12a4a:$a3: get_timePasswordChanged 0x12b45:$a4: get_passwordField 0x12c54:$a5: set_encryptedPassword 0x14272:$a7: get_logins 0x141d5:$a10: KeyLoggerEventArgs 0x13e6e:$a11: KeyLoggerEventArgsEventHandler
0.2.oHchwlxMNG.exe.4588840.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a51f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19751:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b84:$a4: \Orbitum\User Data\Default\Login Data 0x1abc3:$a5: \Kometa\User Data\Default\Login Data
0.2.oHchwlxMNG.exe.4588840.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137c7:$s1: UnHook 0x137ce:$s2: SetHook 0x137d6:$s3: CallNextHook 0x137e3:$s4: _hook
0.2.oHchwlxMNG.exe.4588840.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c4:$x1: $%SMTPDV$ 0x1652a:$x2: $#TheHashHere%& 0x17b21:$x3: %FTPDV$ 0x17c15:$x4: $%TelegramDv$ 0x13e6e:$x5: KeyLoggerEventArgs 0x141d5:$x5: KeyLoggerEventArgs 0x17b45:$m2: Clipboard Logs ID 0x17d65:$m2: Screenshot Logs ID 0x17e75:$m2: keystroke Logs ID 0x1814f:$m3: SnakePW 0x17d3d:$m4: \SnakeKeylogger\
1.2.oHchwlxMNG.exe.540000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.oHchwlxMNG.exe.540000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.oHchwlxMNG.exe.540000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.oHchwlxMNG.exe.540000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a3e:$a1: get_encryptedPassword 0x14d2a:$a2: get_encryptedUsername 0x1484a:$a3: get_timePasswordChanged 0x14945:$a4: get_passwordField 0x14a54:$a5: set_encryptedPassword 0x16072:$a7: get_logins 0x15fd5:$a10: KeyLoggerEventArgs 0x15c6e:$a11: KeyLoggerEventArgsEventHandler
1.2.oHchwlxMNG.exe.540000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c31f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b551:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b984:$a4: \Orbitum\User Data\Default\Login Data 0x1c9c3:$a5: \Kometa\User Data\Default\Login Data
1.2.oHchwlxMNG.exe.540000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155c7:$s1: UnHook 0x155ce:$s2: SetHook 0x155d6:$s3: CallNextHook 0x155e3:$s4: _hook
1.2.oHchwlxMNG.exe.540000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c4:$x1: $%SMTPDV$ 0x1832a:$x2: $#TheHashHere%& 0x19921:$x3: %FTPDV$ 0x19a15:$x4: $%TelegramDv$ 0x15c6e:$x5: KeyLoggerEventArgs 0x15fd5:$x5: KeyLoggerEventArgs 0x19945:$m2: Clipboard Logs ID 0x19b65:$m2: Screenshot Logs ID 0x19c75:$m2: keystroke Logs ID 0x19f4f:$m3: SnakePW 0x19b3d:$m4: \SnakeKeylogger\
0.2.oHchwlxMNG.exe.4567e10.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oHchwlxMNG.exe.4567e10.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.oHchwlxMNG.exe.4567e10.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c3e:$a1: get_encryptedPassword 0x12f2a:$a2: get_encryptedUsername 0x12a4a:$a3: get_timePasswordChanged 0x12b45:$a4: get_passwordField 0x12c54:$a5: set_encryptedPassword 0x14272:$a7: get_logins 0x141d5:$a10: KeyLoggerEventArgs 0x13e6e:$a11: KeyLoggerEventArgsEventHandler
0.2.oHchwlxMNG.exe.4567e10.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a51f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19751:$a3: \Google\Chrome\User Data\Default\Login Data 0x19b84:$a4: \Orbitum\User Data\Default\Login Data 0x1abc3:$a5: \Kometa\User Data\Default\Login Data
0.2.oHchwlxMNG.exe.4567e10.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x137c7:$s1: UnHook 0x137ce:$s2: SetHook 0x137d6:$s3: CallNextHook 0x137e3:$s4: _hook
0.2.oHchwlxMNG.exe.4567e10.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x164c4:$x1: $%SMTPDV$ 0x1652a:$x2: $#TheHashHere%& 0x17b21:$x3: %FTPDV$ 0x17c15:$x4: $%TelegramDv$ 0x13e6e:$x5: KeyLoggerEventArgs 0x141d5:$x5: KeyLoggerEventArgs 0x17b45:$m2: Clipboard Logs ID 0x17d65:$m2: Screenshot Logs ID 0x17e75:$m2: keystroke Logs ID 0x1814f:$m3: SnakePW 0x17d3d:$m4: \SnakeKeylogger\
0.2.oHchwlxMNG.exe.4588840.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oHchwlxMNG.exe.4588840.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.oHchwlxMNG.exe.4588840.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.oHchwlxMNG.exe.34d7100.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa48d8:$x1: In$J$ct0r 0xa57f4:$a1: WriteProcessMemory 0xa5880:$a1: WriteProcessMemory 0xa5954:$a4: VirtualAllocEx 0xa5b78:$a4: VirtualAllocEx 0xa5bf8:$a4: VirtualAllocEx
0.2.oHchwlxMNG.exe.4588840.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a3e:$a1: get_encryptedPassword 0x3525e:$a1: get_encryptedPassword 0x14d2a:$a2: get_encryptedUsername 0x3554a:$a2: get_encryptedUsername 0x1484a:$a3: get_timePasswordChanged 0x3506a:$a3: get_timePasswordChanged 0x14945:$a4: get_passwordField 0x35165:$a4: get_passwordField 0x14a54:$a5: set_encryptedPassword 0x35274:$a5: set_encryptedPassword 0x16072:$a7: get_logins 0x36892:$a7: get_logins 0x15fd5:$a10: KeyLoggerEventArgs 0x367f5:$a10: KeyLoggerEventArgs 0x15c6e:$a11: KeyLoggerEventArgsEventHandler 0x3648e:$a11: KeyLoggerEventArgsEventHandler
0.2.oHchwlxMNG.exe.4588840.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c31f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb3f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b551:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bd71:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b984:$a4: \Orbitum\User Data\Default\Login Data 0x3c1a4:$a4: \Orbitum\User Data\Default\Login Data 0x1c9c3:$a5: \Kometa\User Data\Default\Login Data 0x3d1e3:$a5: \Kometa\User Data\Default\Login Data
0.2.oHchwlxMNG.exe.4588840.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155c7:$s1: UnHook 0x35de7:$s1: UnHook 0x155ce:$s2: SetHook 0x35dee:$s2: SetHook 0x155d6:$s3: CallNextHook 0x35df6:$s3: CallNextHook 0x155e3:$s4: _hook 0x35e03:$s4: _hook
0.2.oHchwlxMNG.exe.4588840.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c4:$x1: $%SMTPDV$ 0x38ae4:$x1: $%SMTPDV$ 0x1832a:$x2: $#TheHashHere%& 0x38b4a:$x2: $#TheHashHere%& 0x19921:$x3: %FTPDV$ 0x3a141:$x3: %FTPDV$ 0x19a15:$x4: $%TelegramDv$ 0x3a235:$x4: $%TelegramDv$ 0x15c6e:$x5: KeyLoggerEventArgs 0x15fd5:$x5: KeyLoggerEventArgs 0x3648e:$x5: KeyLoggerEventArgs 0x367f5:$x5: KeyLoggerEventArgs 0x19945:$m2: Clipboard Logs ID 0x19b65:$m2: Screenshot Logs ID 0x19c75:$m2: keystroke Logs ID 0x3a165:$m2: Clipboard Logs ID 0x3a385:$m2: Screenshot Logs ID 0x3a495:$m2: keystroke Logs ID 0x19f4f:$m3: SnakePW 0x3a76f:$m3: SnakePW 0x19b3d:$m4: \SnakeKeylogger\
0.2.oHchwlxMNG.exe.34d9940.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xa2098:$x1: In$J$ct0r 0xa2fb4:$a1: WriteProcessMemory 0xa3040:$a1: WriteProcessMemory 0xa3114:$a4: VirtualAllocEx 0xa3338:$a4: VirtualAllocEx 0xa33b8:$a4: VirtualAllocEx
0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a3e:$a1: get_encryptedPassword 0x3546e:$a1: get_encryptedPassword 0x55c8e:$a1: get_encryptedPassword 0x14d2a:$a2: get_encryptedUsername 0x3575a:$a2: get_encryptedUsername 0x55f7a:$a2: get_encryptedUsername 0x1484a:$a3: get_timePasswordChanged 0x3527a:$a3: get_timePasswordChanged 0x55a9a:$a3: get_timePasswordChanged 0x14945:$a4: get_passwordField 0x35375:$a4: get_passwordField 0x55b95:$a4: get_passwordField 0x14a54:$a5: set_encryptedPassword 0x35484:$a5: set_encryptedPassword 0x55ca4:$a5: set_encryptedPassword 0x16072:$a7: get_logins 0x36aa2:$a7: get_logins 0x572c2:$a7: get_logins 0x15fd5:$a10: KeyLoggerEventArgs 0x36a05:$a10: KeyLoggerEventArgs 0x57225:$a10: KeyLoggerEventArgs
0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c31f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cd4f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d56f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b551:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bf81:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c7a1:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b984:$a4: \Orbitum\User Data\Default\Login Data 0x3c3b4:$a4: \Orbitum\User Data\Default\Login Data 0x5cbd4:$a4: \Orbitum\User Data\Default\Login Data 0x1c9c3:$a5: \Kometa\User Data\Default\Login Data 0x3d3f3:$a5: \Kometa\User Data\Default\Login Data 0x5dc13:$a5: \Kometa\User Data\Default\Login Data
0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x155c7:$s1: UnHook 0x35ff7:$s1: UnHook 0x56817:$s1: UnHook 0x155ce:$s2: SetHook 0x35ffe:$s2: SetHook 0x5681e:$s2: SetHook 0x155d6:$s3: CallNextHook 0x36006:$s3: CallNextHook 0x56826:$s3: CallNextHook 0x155e3:$s4: _hook 0x36013:$s4: _hook 0x56833:$s4: _hook
0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x182c4:$x1: $%SMTPDV$ 0x38cf4:$x1: $%SMTPDV$ 0x59514:$x1: $%SMTPDV$ 0x1832a:$x2: $#TheHashHere%& 0x38d5a:$x2: $#TheHashHere%& 0x5957a:$x2: $#TheHashHere%& 0x19921:$x3: %FTPDV$ 0x3a351:$x3: %FTPDV$ 0x5ab71:$x3: %FTPDV$ 0x19a15:$x4: $%TelegramDv$ 0x3a445:$x4: $%TelegramDv$ 0x5ac65:$x4: $%TelegramDv$ 0x15c6e:$x5: KeyLoggerEventArgs 0x15fd5:$x5: KeyLoggerEventArgs 0x3669e:$x5: KeyLoggerEventArgs 0x36a05:$x5: KeyLoggerEventArgs 0x56ebe:$x5: KeyLoggerEventArgs 0x57225:$x5: KeyLoggerEventArgs 0x19945:$m2: Clipboard Logs ID 0x19b65:$m2: Screenshot Logs ID 0x19c75:$m2: keystroke Logs ID
0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa4ade:$a1: get_encryptedPassword 0xc550e:$a1: get_encryptedPassword 0xe5d2e:$a1: get_encryptedPassword 0xa4dca:$a2: get_encryptedUsername 0xc57fa:$a2: get_encryptedUsername 0xe601a:$a2: get_encryptedUsername 0xa48ea:$a3: get_timePasswordChanged 0xc531a:$a3: get_timePasswordChanged 0xe5b3a:$a3: get_timePasswordChanged 0xa49e5:$a4: get_passwordField 0xc5415:$a4: get_passwordField 0xe5c35:$a4: get_passwordField 0xa4af4:$a5: set_encryptedPassword 0xc5524:$a5: set_encryptedPassword 0xe5d44:$a5: set_encryptedPassword 0xa6112:$a7: get_logins 0xc6b42:$a7: get_logins 0xe7362:$a7: get_logins 0xa6075:$a10: KeyLoggerEventArgs 0xc6aa5:$a10: KeyLoggerEventArgs 0xe72c5:$a10: KeyLoggerEventArgs
0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa5667:$s1: UnHook 0xc6097:$s1: UnHook 0xe68b7:$s1: UnHook 0xa566e:$s2: SetHook 0xc609e:$s2: SetHook 0xe68be:$s2: SetHook 0xa5676:$s3: CallNextHook 0xc60a6:$s3: CallNextHook 0xe68c6:$s3: CallNextHook 0xa5683:$s4: _hook 0xc60b3:$s4: _hook 0xe68d3:$s4: _hook
0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa8364:$x1: $%SMTPDV$ 0xc8d94:$x1: $%SMTPDV$ 0xe95b4:$x1: $%SMTPDV$ 0xa83ca:$x2: $#TheHashHere%& 0xc8dfa:$x2: $#TheHashHere%& 0xe961a:$x2: $#TheHashHere%& 0xa99c1:$x3: %FTPDV$ 0xca3f1:$x3: %FTPDV$ 0xeac11:$x3: %FTPDV$ 0xa9ab5:$x4: $%TelegramDv$ 0xca4e5:$x4: $%TelegramDv$ 0xead05:$x4: $%TelegramDv$ 0xa5d0e:$x5: KeyLoggerEventArgs 0xa6075:$x5: KeyLoggerEventArgs 0xc673e:$x5: KeyLoggerEventArgs 0xc6aa5:$x5: KeyLoggerEventArgs 0xe6f5e:$x5: KeyLoggerEventArgs 0xe72c5:$x5: KeyLoggerEventArgs 0xa99e5:$m2: Clipboard Logs ID 0xa9c05:$m2: Screenshot Logs ID 0xa9d15:$m2: keystroke Logs ID
0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4ac6b:$x1: In$J$ct0r
Click to see the 40 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}

Multi AV Scanner detection for submitted file

Source: oHchwlxMNG.exe

ReversingLabs: Detection: 75%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: oHchwlxMNG.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: oHchwlxMNG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.0

Source: oHchwlxMNG.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: oHchwlxMNG.exe, 00000000.00000002.2073735949.0000000003481000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000000.00000002.2075155739.0000000005D60000.00000004.08000000.00040000.00000000.sdmp

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002975000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: oHchwlxMNG.exe, 00000001.00000002.2185084446.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: oHchwlxMNG.exe, 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002999000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: oHchwlxMNG.exe, 00000001.00000002.2185084446.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: oHchwlxMNG.exe, 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.oHchwlxMNG.exe.5bd0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.5bd0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.34d7100.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.34d9940.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2074884087.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: oHchwlxMNG.exe PID: 6632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: oHchwlxMNG.exe PID: 6632, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: oHchwlxMNG.exe PID: 6644, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: oHchwlxMNG.exe PID: 6644, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 0_2_0178D3DC	0_2_0178D3DC
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B3C190	1_2_00B3C190
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B36108	1_2_00B36108
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B3B328	1_2_00B3B328
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B3C470	1_2_00B3C470
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B36730	1_2_00B36730
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B3C751	1_2_00B3C751
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B39858	1_2_00B39858
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B34AD9	1_2_00B34AD9
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B3CA31	1_2_00B3CA31
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B3BBD2	1_2_00B3BBD2
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B3BEB0	1_2_00B3BEB0
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B3B4F2	1_2_00B3B4F2
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 1_2_00B33570	1_2_00B33570

Source: oHchwlxMNG.exe, 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000000.00000002.2072923000.000000000160E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000000.00000002.2073735949.0000000003481000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000000.00000002.2073735949.0000000003481000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000000.00000002.2073735949.0000000003481000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000000.00000002.2073735949.0000000003481000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000000.00000002.2073735949.0000000003481000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq,\\StringFileInfo\\000004B0\\OriginalFilename vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000000.00000000.2066429067.0000000000F02000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHumbling.exe. vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000000.00000002.2074884087.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000000.00000002.2075155739.0000000005D60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe, 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs oHchwlxMNG.exe
Source: oHchwlxMNG.exe	Binary or memory string: OriginalFilenameHumbling.exe. vs oHchwlxMNG.exe

Source: oHchwlxMNG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.oHchwlxMNG.exe.5bd0000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.oHchwlxMNG.exe.5bd0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.oHchwlxMNG.exe.34d7100.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.oHchwlxMNG.exe.34d9940.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2074884087.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: oHchwlxMNG.exe PID: 6632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: oHchwlxMNG.exe PID: 6632, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: oHchwlxMNG.exe PID: 6644, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: oHchwlxMNG.exe PID: 6644, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.oHchwlxMNG.exe.5bd0000.5.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, K-J.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, K-J.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, K-J.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, K-J.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.oHchwlxMNG.exe.5bd0000.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@2/2

Source: C:\Users\user\Desktop\oHchwlxMNG.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oHchwlxMNG.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03

Source: oHchwlxMNG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: oHchwlxMNG.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\oHchwlxMNG.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: oHchwlxMNG.exe

ReversingLabs: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\oHchwlxMNG.exe "C:\Users\user\Desktop\oHchwlxMNG.exe"
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process created: C:\Users\user\Desktop\oHchwlxMNG.exe "C:\Users\user\Desktop\oHchwlxMNG.exe"
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\oHchwlxMNG.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process created: C:\Users\user\Desktop\oHchwlxMNG.exe "C:\Users\user\Desktop\oHchwlxMNG.exe"	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\oHchwlxMNG.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: oHchwlxMNG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: oHchwlxMNG.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: oHchwlxMNG.exe

Static PE information: 0xDA8CE5FE [Mon Mar 11 06:36:46 2086 UTC]

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 0_2_0665C6DD push FFFFFF8Bh; iretd		0_2_0665C6DF
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Code function: 0_2_06657232 push eax; retf		0_2_06657239

Source: oHchwlxMNG.exe

Static PE information: section name: .text entropy: 7.3678270714413365

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\oHchwlxMNG.exe"
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\oHchwlxMNG.exe"			Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: oHchwlxMNG.exe PID: 6632, type: MEMORYSTR

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Memory allocated: 3480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Memory allocated: 32A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Memory allocated: B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595861	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594094	Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Window / User API: threadDelayed 1407			Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Window / User API: threadDelayed 8419			Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 6520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2700	Thread sleep count: 1407 > 30	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2700	Thread sleep count: 8419 > 30	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -595861s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -595249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe TID: 2696	Thread sleep time: -594094s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595861	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Thread delayed: delay time: 594094	Jump to behavior

Source: oHchwlxMNG.exe, 00000001.00000002.2184383410.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&

Source: C:\Users\user\Desktop\oHchwlxMNG.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.oHchwlxMNG.exe.34d9940.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.oHchwlxMNG.exe.34d9940.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.oHchwlxMNG.exe.34d9940.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process created: C:\Users\user\Desktop\oHchwlxMNG.exe "C:\Users\user\Desktop\oHchwlxMNG.exe"	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\oHchwlxMNG.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Queries volume information: C:\Users\user\Desktop\oHchwlxMNG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Queries volume information: C:\Users\user\Desktop\oHchwlxMNG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oHchwlxMNG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\oHchwlxMNG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2185084446.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oHchwlxMNG.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oHchwlxMNG.exe PID: 6644, type: MEMORYSTR

Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oHchwlxMNG.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oHchwlxMNG.exe PID: 6644, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4588840.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.oHchwlxMNG.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4567e10.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4588840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.4567e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oHchwlxMNG.exe.44d7d70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2185084446.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oHchwlxMNG.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: oHchwlxMNG.exe PID: 6644, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 File Deletion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
oHchwlxMNG.exe	76%	ReversingLabs	Win32.Spyware.Snakekeylogger
oHchwlxMNG.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/q	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002975000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	oHchwlxMNG.exe, 00000001.00000002.2185084446.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	oHchwlxMNG.exe, 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A14000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002999000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	oHchwlxMNG.exe, 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, oHchwlxMNG.exe, 00000001.00000002.2185084446.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465287
Start date and time:	2024-07-01 14:47:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oHchwlxMNG.exe renamed because original name is a hash value
Original Sample Name:	771049ea28dc7d93076d1019ff573d8ad9a8c47ca8dec2a8c64be18aec259d03.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 68 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target oHchwlxMNG.exe, PID 6644 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: oHchwlxMNG.exe

Simulations

Behavior and APIs

Time	Type	Description
08:48:02	API Interceptor	76x Sleep call for process: oHchwlxMNG.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	file.exe	Get hash	malicious	FormBook	Browse	www.cavetta.org.mt/yhnb/
	6Z4Q4bREii.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	000366cm.nyashka.top/phpflowergenerator.php
	DHL Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/efdt/
	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	www.evoolihubs.shop/fwdd/?CbPtaF=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&NV=CzkTp6UpmNmd
	BbaXbvOA7D.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	228282cm.nyashka.top/ExternalimagevmRequestlongpollsqldbLocal.php
	j05KsN2280.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	640740cm.nyashka.top/providerEternalGameWindowstest.php
	QUOTATION_JUNQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/L69kvhYI/download
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/cpGHnqq
	QUOTATION_JUNQTRA031244#U0652PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/Txmfx0A2/download
	RITS Ref 3379-06.exe	Get hash	malicious	FormBook	Browse	www.ad14.fun/az6h/
132.226.247.73	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	itinerary_1719382117.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Halkbank_Ekstre_20240625_082306_910668.bat.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	242010.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Baltic questionnaire.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.23220.28486.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.TrojanX-gen.29327.20826.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	CTM USD28600.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	rGcsbax.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://m.exactag.com/ai.aspx?tc=d9650035bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Acluelesscollective.com%2Fwinner%2F49479%2F%2FYWRyaWFuLmt1amF3YUAyc2ZnLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://zoom.voipmessage.uk/XTVNEL3Y5b1J3cmNET2VKbmR6bVRsN3V1NmVOY1NGblBJVC9iTE8rdVgxbTVqY2FOZnZ4TUM0ZlFjRHpCR3RWejFXajBVK2d4TW1YbEM3bTdUSWMzV3hrSEFpYnNQL282UDBDM1E0OVhPS1ZjR1JpSzJpRlZZSGVWc3RkVld1K0ZNM2t1YU5qN0hocjRoMWlOeXBkYzlZUXdMYysyWTZaUWtNVVlSWWVCNG1FTnBPWXc3R2RFWjJSbVNEcEw3clVRbTRHVzNRPT0tLUR6bnh4akFBbEUrU3NKL3YtLXRQbTlZaDQ1Tzd4b0NQSFdzTDA4eWc9PQ==	Get hash	malicious	Unknown	Browse	104.18.89.62
	t4i3QEZnNh.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Wy95YVZ3zt.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	Agreement for Bmangan 5753.pdf	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	KiOK5LRFEG.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://skofmygytomybosinthrfm.nl/you/hi/okay/okay/their/kkyag/than/to/us/us/invite/	Get hash	malicious	HTMLPhisher	Browse	172.67.166.58
	rHHG2h2w8U.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://m.exactag.com/ai.aspx?tc=d9648951bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253Ajeffreyhensley.com%2Fwinner%2F13566%2F%2FZWdpZGlqdXMuem9rYWl0aXNAMnNmZy5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://links.notification.intuit.com/ls/click?upn=u001.4HBRtPy8j6uXsK2aeX2RzAh5EFPhCIIFV3VEN-2Fx7CtL7yL0rqbEG5To4Yn7gWqQ9aLy0xQjXtfA1aWI51jOBcgZZmdPU7rNXiI9qBQrw0Fh0XMUzwxEuUgv3ZFNQWIem-2BNTPYnrL9k9a1nDRjz4a88WPYyDduqTuKohuiQXsusYwJ-2FidZWWf8oC-2Bke5XZf6maHD-2Fd7ablYFhYAopCg9-2FJ24-2F8yZwA220wlNNRUX0yppVttR34V4P26behAEAgmPnWgi1QdqkcH8GVovfzu4LIw-3D-3DQBy7_5Y9C-2B-2Fzbmi1Z8AZ1P0Xb45Ep-2FzkkH96c1HQoTeKyfF3Cy9GA0JrKF-2FtBKU7Gy7tV6PIIEw2aSpbKuiOE5zUrdfKHijLS1CrX6di2rdCWz3230MnOWYRyIFetWhrSPF9k5LzSphdJmNETjrHElDpdShj1s4ILnQWpWcU1acTiMnif850-2BYV-2F5lXeG2jTC-2BOwApN8qupRmwT8fNNE9PPcwErJLxahBxSpmSq91gTlumLJlQuv6Mi-2FueOgXZeZsKYVaksXeYc4hm3iYcmZyYCYz0c5CytX-2FkcYDgjcEPGcMdE4wdmef7F34ZhNuR1BzXUZca-2BlM-2FSHy6Wcv-2B44fNGLavW0-2FgwmkSe7DWrN2Qxs4-2BbmqEK8zVd2B-2F-2BfhLv7s-2BwUYCFzSfpco2w0S0EkPk2QiaigfgYJrhsDWFQrr8XAjN8LEK9fzOOYMlKBdNBCCovn1-2BQdoVowInLACYcfv7UF18ixzp9yjXcoI2GtVtXTFy0zwL-2BunyW6y6aLD3UTkKp7eGuS-2Fs2l9K233QQTHOgsxIsW5yOnAipuno6Jz4FUupJjvG-2FSd7m5GLY99tPmOlknWYVUdaS4l4nbH7zNFdVoP-2Fmr7J9FoB812uhszre4JhgikLbqFLMCT1av4GEdnKOwpstUkw9rVNgxd2MHPktA30uhIQeOnTGGKgw66UsPvJvw-3D	Get hash	malicious	Unknown	Browse	104.17.27.92
UTMEMUS	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	CDMZxujRpn.elf	Get hash	malicious	Mirai	Browse	132.192.25.142
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	132.226.8.169
	LEpsypIZxU.elf	Get hash	malicious	Mirai, Moobot	Browse	128.169.91.82
	itinerary_1719382117.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_20240625_082306_910668.bat.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	YBzCUPEvkm.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	YBzCUPEvkm.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	scan copy.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Order Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\oHchwlxMNG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.356695880348912
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	oHchwlxMNG.exe
File size:	533'504 bytes
MD5:	cb45d49e68b2c594f6c9bcf7edd6481a
SHA1:	fa05b81dc9b816e4e8dd51349271e8af273b799b
SHA256:	771049ea28dc7d93076d1019ff573d8ad9a8c47ca8dec2a8c64be18aec259d03
SHA512:	8538a493ead6c65d2aac98c9b56b53b152e0c1699b88b239597ca16173a6980cc862bdba596807d36075befce7a7e6cf8d3baf2218ecd3a0c95e072f594af695
SSDEEP:	6144:cTVFZInd6Xcfg9UVFuVqsLSccPNJcnkhcYlEHNLpKJjPh2Lu2GyfyRUoXHO8cZlJ:c5kndm7/L2Pd2WyfyFXH5sJQniP
TLSH:	A1B4CF28379019FCC83A85F5E8D6427D6A70665236D2D42251CF1EDD2CCEF9289CA36F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............~8... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x48387e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xDA8CE5FE [Mon Mar 11 06:36:46 2086 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x83828	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x59e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x81884	0x81a00	b35d072492edb24b2741e581b7e22f44	False	0.5440347757955641	data	7.3678270714413365	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x59e	0x600	a7dcf28809e6e4005982d016358a971d	False	0.4186197916666667	data	4.052104303958992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0xc	0x200	0f0d9de0e3de3f2007b41aec9a7f70d0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x840a0	0x314	data			0.434010152284264
RT_MANIFEST	0x843b4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 14:48:01.034341097 CEST	49705	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:01.039263010 CEST	80	49705	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:01.039352894 CEST	49705	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:01.039625883 CEST	49705	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:01.044405937 CEST	80	49705	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:01.718384027 CEST	80	49705	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:01.722160101 CEST	49705	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:01.726921082 CEST	80	49705	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:02.128196001 CEST	80	49705	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:02.146929026 CEST	80	49705	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:02.151802063 CEST	49705	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:02.345122099 CEST	49708	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:02.345154047 CEST	443	49708	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:02.345223904 CEST	49708	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:02.349123955 CEST	49708	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:02.349139929 CEST	443	49708	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:02.839267969 CEST	443	49708	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:02.839498997 CEST	49708	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:02.844805956 CEST	49708	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:02.844825983 CEST	443	49708	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:02.845104933 CEST	443	49708	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:02.891473055 CEST	49708	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:02.905512094 CEST	49708	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:02.952501059 CEST	443	49708	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:03.014620066 CEST	443	49708	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:03.014719009 CEST	443	49708	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:03.014776945 CEST	49708	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:03.020773888 CEST	49708	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:03.024116039 CEST	49705	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:03.028906107 CEST	80	49705	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:03.230232954 CEST	80	49705	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:03.234724998 CEST	49709	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:03.234764099 CEST	443	49709	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:03.234859943 CEST	49709	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:03.235138893 CEST	49709	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:03.235151052 CEST	443	49709	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:03.282078981 CEST	49705	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:03.703210115 CEST	443	49709	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:03.705849886 CEST	49709	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:03.705873966 CEST	443	49709	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:03.852164984 CEST	443	49709	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:03.852264881 CEST	443	49709	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:03.852498055 CEST	49709	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:03.852967024 CEST	49709	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:03.856230021 CEST	49705	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:03.857479095 CEST	49711	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:03.861319065 CEST	80	49705	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:03.861397028 CEST	49705	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:03.862231016 CEST	80	49711	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:03.862303019 CEST	49711	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:03.862428904 CEST	49711	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:03.867203951 CEST	80	49711	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:04.550159931 CEST	80	49711	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:04.559657097 CEST	49712	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:04.559708118 CEST	443	49712	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:04.559776068 CEST	49712	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:04.560049057 CEST	49712	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:04.560060978 CEST	443	49712	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:04.594583988 CEST	49711	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:05.035068035 CEST	443	49712	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:05.037516117 CEST	49712	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:05.037538052 CEST	443	49712	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:05.188321114 CEST	443	49712	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:05.188445091 CEST	443	49712	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:05.188523054 CEST	49712	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:05.189053059 CEST	49712	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:05.193377972 CEST	49713	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:05.198126078 CEST	80	49713	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:05.198316097 CEST	49713	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:05.198316097 CEST	49713	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:05.203114033 CEST	80	49713	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:05.886773109 CEST	80	49713	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:05.887898922 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:05.887929916 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:05.887990952 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:05.888222933 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:05.888236046 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:05.938361883 CEST	49713	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:06.365711927 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:06.367480040 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:06.367501020 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:06.496829033 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:06.496928930 CEST	443	49715	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:06.496969938 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:06.497427940 CEST	49715	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:06.502000093 CEST	49713	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:06.503463030 CEST	49716	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:06.507049084 CEST	80	49713	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:06.507132053 CEST	49713	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:06.508285046 CEST	80	49716	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:06.508378029 CEST	49716	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:06.508450985 CEST	49716	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:06.513319969 CEST	80	49716	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:07.305919886 CEST	80	49716	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:07.311600924 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:07.311633110 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:07.312249899 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:07.312249899 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:07.312278986 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:07.360212088 CEST	49716	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:07.780818939 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:07.782686949 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:07.782711983 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:07.931380033 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:07.931497097 CEST	443	49718	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:07.932077885 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:07.932077885 CEST	49718	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:07.935482979 CEST	49716	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:07.936829090 CEST	49719	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:07.940498114 CEST	80	49716	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:07.940640926 CEST	49716	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:07.941677094 CEST	80	49719	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:07.941834927 CEST	49719	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:07.941834927 CEST	49719	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:07.946624041 CEST	80	49719	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:08.612823009 CEST	80	49719	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:08.614310980 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:08.614367962 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:08.614450932 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:08.614729881 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:08.614742994 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:08.657066107 CEST	49719	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:09.101659060 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:09.103595018 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:09.103632927 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:09.250407934 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:09.250511885 CEST	443	49720	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:09.250590086 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:09.251204967 CEST	49720	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:09.254446030 CEST	49719	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:09.255547047 CEST	49721	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:09.260257959 CEST	80	49719	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:09.260349035 CEST	49719	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:09.262041092 CEST	80	49721	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:09.262116909 CEST	49721	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:09.262222052 CEST	49721	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:09.267915010 CEST	80	49721	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:09.936078072 CEST	80	49721	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:09.937309980 CEST	49722	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:09.937344074 CEST	443	49722	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:09.937429905 CEST	49722	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:09.937719107 CEST	49722	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:09.937733889 CEST	443	49722	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:09.985233068 CEST	49721	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:10.424552917 CEST	443	49722	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:10.426736116 CEST	49722	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:10.426760912 CEST	443	49722	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:10.576903105 CEST	443	49722	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:10.577085972 CEST	443	49722	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:10.577140093 CEST	49722	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:10.577478886 CEST	49722	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:10.581074953 CEST	49721	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:10.581918955 CEST	49723	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:10.586421013 CEST	80	49721	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:10.586489916 CEST	49721	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:10.586708069 CEST	80	49723	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:10.586762905 CEST	49723	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:10.586850882 CEST	49723	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:10.591581106 CEST	80	49723	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:11.258527040 CEST	80	49723	132.226.247.73	192.168.2.5
Jul 1, 2024 14:48:11.260147095 CEST	49724	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:11.260185957 CEST	443	49724	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:11.260274887 CEST	49724	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:11.260505915 CEST	49724	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:11.260516882 CEST	443	49724	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:11.313337088 CEST	49723	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:11.744915962 CEST	443	49724	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:11.746603966 CEST	49724	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:11.746620893 CEST	443	49724	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:11.876240015 CEST	443	49724	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:11.876352072 CEST	443	49724	188.114.97.3	192.168.2.5
Jul 1, 2024 14:48:11.876445055 CEST	49724	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:11.876933098 CEST	49724	443	192.168.2.5	188.114.97.3
Jul 1, 2024 14:48:11.978504896 CEST	49723	80	192.168.2.5	132.226.247.73
Jul 1, 2024 14:48:11.978569031 CEST	49711	80	192.168.2.5	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 14:48:01.012331963 CEST	60476	53	192.168.2.5	1.1.1.1
Jul 1, 2024 14:48:01.020935059 CEST	53	60476	1.1.1.1	192.168.2.5
Jul 1, 2024 14:48:02.337035894 CEST	57037	53	192.168.2.5	1.1.1.1
Jul 1, 2024 14:48:02.344580889 CEST	53	57037	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 14:48:01.012331963 CEST	192.168.2.5	1.1.1.1	0x605f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jul 1, 2024 14:48:02.337035894 CEST	192.168.2.5	1.1.1.1	0x297e	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 14:48:01.020935059 CEST	1.1.1.1	192.168.2.5	0x605f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 14:48:01.020935059 CEST	1.1.1.1	192.168.2.5	0x605f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jul 1, 2024 14:48:01.020935059 CEST	1.1.1.1	192.168.2.5	0x605f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jul 1, 2024 14:48:01.020935059 CEST	1.1.1.1	192.168.2.5	0x605f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jul 1, 2024 14:48:01.020935059 CEST	1.1.1.1	192.168.2.5	0x605f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jul 1, 2024 14:48:01.020935059 CEST	1.1.1.1	192.168.2.5	0x605f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jul 1, 2024 14:48:02.344580889 CEST	1.1.1.1	192.168.2.5	0x297e	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 1, 2024 14:48:02.344580889 CEST	1.1.1.1	192.168.2.5	0x297e	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	132.226.247.73	80	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 14:48:01.039625883 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 14:48:01.718384027 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:01 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6ecb6b5ca40978861e60eb3b01280cfe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 1, 2024 14:48:01.722160101 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 14:48:02.128196001 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:01 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8503d33a5409992b325326825495d897 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 1, 2024 14:48:02.146929026 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:01 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8503d33a5409992b325326825495d897 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 1, 2024 14:48:03.024116039 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 14:48:03.230232954 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:03 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 45127c3c7a29061d61ccb36097e8d4d8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	132.226.247.73	80	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 14:48:03.862428904 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jul 1, 2024 14:48:04.550159931 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:04 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c67d9be113782d6cd29d57045737f854 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	132.226.247.73	80	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 14:48:05.198316097 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 14:48:05.886773109 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d4eb3485f9d9cab9af03a8e3082e966d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	132.226.247.73	80	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 14:48:06.508450985 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 14:48:07.305919886 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9f081a609b9209db6985959c7c8d34fa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49719	132.226.247.73	80	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 14:48:07.941834927 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 14:48:08.612823009 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3aa954ae4a6e99fa7531f8be94356cc8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49721	132.226.247.73	80	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 14:48:09.262222052 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 14:48:09.936078072 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:09 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 476452144fe21a4c6e5279c8c49befba Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49723	132.226.247.73	80	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 14:48:10.586850882 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jul 1, 2024 14:48:11.258527040 CEST	320	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 22d56da80bcb5bd6eb4f09c5e1b12d2b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	188.114.97.3	443	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 12:48:02 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 12:48:03 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 80646 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WT081SRU2dt8rxIe7waMMrRJ7Mgi3yeki0T9A5zUPArr5TfAzbpuIxyqhH4Fu6kuyLuliVWqJE%2F9yxqtLTbIrwrRYlMtRnDkDuOTUehFDx%2BbzLiAW0GBBhlx%2FJlMzeXyLaTLJgnO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c68212797341df-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 12:48:03 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 12:48:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	188.114.97.3	443	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 12:48:03 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-01 12:48:03 UTC	712	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:03 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 80647 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Gq52leC3bxr%2FLA7gNOWBwk7SCwAQGc5PVC9hv8oDa8nxpFTk06PxQjI1L5X3HZutvbtSxsznKcTxYyb9aCz%2Fjz9LoNlzABpOPAOF%2FzSh%2F8scJx7Z%2FwSKShlpj2iWOC9HyDguai%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c68217be26c425-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 12:48:03 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 12:48:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49712	188.114.97.3	443	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 12:48:05 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-01 12:48:05 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:05 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 80649 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YxhetYh0QYMvxnrZqzLgFj2sq3sPpj06CqY%2FyUXiwkLav2Q%2Fj4VLznN5pFV5UgXZPC5NHygVsLsAx4ibs5hBDHjrBhbps5qfW%2BeeKtBXLBTKD47ixEuqF4p%2B8ShOjaXnHdrOcEEr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c68220095b0ca2-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 12:48:05 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 12:48:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	188.114.97.3	443	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 12:48:06 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 12:48:06 UTC	702	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 80650 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l7WJb3RRITTASOHFYLgXPTOCj77t9B1VmiNmLNZq2wlomUP1y4rW8v51ir17W9xNH7QJz8vYGrurN0H00FK5mAlz6NhGcz8c7PNo1HCLcywmv3u27MJ438R9dlcR2tFslKnf%2Bcsl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c6822838aec420-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 12:48:06 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 12:48:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	188.114.97.3	443	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 12:48:07 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-01 12:48:07 UTC	714	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 80651 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jp%2FvBW%2F3mfLHKx5D76z8U%2Bk5Pc7VXsPkUUSY7WIG74q%2BwGNTNS1%2Bt9U%2B00DEiHzN0ZAkdRCwZwtssFsPDB6DXkj10Z%2BKcqx3cdiAWKAyMAI721YWQLQyKIpEzAkRkHoN2nHtW9wi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c682313ec5c409-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 12:48:07 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 12:48:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	188.114.97.3	443	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 12:48:09 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 12:48:09 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:09 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 80653 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C0KuJKcGsDEsbKEVI7Ue9vy78kWHizpG8Zbs66S0B%2FVCRPYlZp9%2Br8j9ykri62fhZj2lnv6kasmPnisyixnbJa1fTkiauyCfVLow%2FfhTYgpdExzz1yOdFVeUjgWBz9vGAPQPcEax"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c682396d5d19db-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 12:48:09 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 12:48:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	188.114.97.3	443	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 12:48:10 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-07-01 12:48:10 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 80654 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zou83x%2F29LYAQnQSkZ3FeIKzjVMSJfZXYPvz8MHYmT9Og39hisq2oS48r9sTve9T%2BQtBHL%2FvbqzMIMl7GyKmcnVPviPf3cWsvMjrEyS6%2B8dZ610rAZEikpHlCKhOFsmBJ4QTzBB8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c68241bcfc42c0-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 12:48:10 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 12:48:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49724	188.114.97.3	443	6644	C:\Users\user\Desktop\oHchwlxMNG.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 12:48:11 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-07-01 12:48:11 UTC	706	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 12:48:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 80655 Last-Modified: Sun, 30 Jun 2024 14:23:56 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6OqPfnfzJPGnANx42Zu353OIGnw9Lx4K2tzKwiF%2FJ3TTAAsCFEsCLu9gNQEFLaZdRNVJX3M%2BQxWe4r4ygvdDtWP37O91UdNnYXfrlk1%2F56pEyT2pmnC5m4DnYhZsrJtOtSiLb7wI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c68249dc9e7c8d-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 12:48:11 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-07-01 12:48:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:47:59
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\oHchwlxMNG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oHchwlxMNG.exe"
Imagebase:	0xf00000
File size:	533'504 bytes
MD5 hash:	CB45D49E68B2C594F6C9BCF7EDD6481A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.2074884087.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2073930745.0000000004489000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:48:00
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\oHchwlxMNG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oHchwlxMNG.exe"
Imagebase:	0x3f0000
File size:	533'504 bytes
MD5 hash:	CB45D49E68B2C594F6C9BCF7EDD6481A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.2182986237.0000000000542000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.2185084446.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:48:11
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\oHchwlxMNG.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:48:11
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:48:11
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xd10000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	126
Total number of Limit Nodes:	9

Executed Functions

Function 0178C909 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0178C996
GetCurrentThread.KERNEL32 ref: 0178C9D3
GetCurrentProcess.KERNEL32 ref: 0178CA10
GetCurrentThreadId.KERNEL32 ref: 0178CA69

Memory Dump Source

Source File: 00000000.00000002.2073248728.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_oHchwlxMNG.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 52e3004f8556262b35bbd3c57b4d553a4993fbf250a61ed74a013620b3ec8299
Instruction ID: 46f0d30116a7e5e59689376a5f2decf9301a90dfa4448f76457fef9bb5816a0b
Opcode Fuzzy Hash: 52e3004f8556262b35bbd3c57b4d553a4993fbf250a61ed74a013620b3ec8299
Instruction Fuzzy Hash: C05186B5900209CFDB54DFA9D988BDEFBF1EF88314F208059E509AB260DB356944CF65

Function 0178C918 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0178C996
GetCurrentThread.KERNEL32 ref: 0178C9D3
GetCurrentProcess.KERNEL32 ref: 0178CA10
GetCurrentThreadId.KERNEL32 ref: 0178CA69

Memory Dump Source

Source File: 00000000.00000002.2073248728.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_oHchwlxMNG.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 310f72a14bcc72c5812461ee44662c065a333dcb41345426b1ed982cf3d696ed
Instruction ID: 6fdbf4c0b9eeb3c974ca89e4450df401b9aac7181ca6800dcd94c19fea101847
Opcode Fuzzy Hash: 310f72a14bcc72c5812461ee44662c065a333dcb41345426b1ed982cf3d696ed
Instruction Fuzzy Hash: BD5177B4900209CFDB54DFA9D988BDEFBF1EF48314F208059E509AB260DB35A944CB65

Function 0178A690 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0178A8E6

Memory Dump Source

Source File: 00000000.00000002.2073248728.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_oHchwlxMNG.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 45455508bf2f126a71c04f5451dc4d6c45478ed3d3f7fd6a2852d110a0a7df1e
Instruction ID: f16e3a3bb0baf0a84900e9f5587940e2a4a2b08cfd15d6144032a2547a666259
Opcode Fuzzy Hash: 45455508bf2f126a71c04f5451dc4d6c45478ed3d3f7fd6a2852d110a0a7df1e
Instruction Fuzzy Hash: 377146B0A00B058FDB64EF2AD44475ABBF1FF88310F10892ED54ADBA50D775E946CB91

Function 0178CB58 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0178CBE7

Memory Dump Source

Source File: 00000000.00000002.2073248728.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_oHchwlxMNG.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1ae33f9390619f0a842c6a8ab9e81addfd753b12a9a0c464cac4b6a0997ebe5a
Instruction ID: fe37687a92702f9b0b82fc69f314896ce1571f34a0ef6a8578a77d9237895b6d
Opcode Fuzzy Hash: 1ae33f9390619f0a842c6a8ab9e81addfd753b12a9a0c464cac4b6a0997ebe5a
Instruction Fuzzy Hash: 3721C3B5D002499FDB10CFA9D984ADEFBF5EB48310F14841AE958A3310D375A954DFA1

Function 0178CB60 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0178CBE7

Memory Dump Source

Source File: 00000000.00000002.2073248728.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_oHchwlxMNG.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa8f75d4fcd45ab6276eeb28bd05bba5303e687396e799f81b9332131e5467d3
Instruction ID: 3970b5ab5af3a095e0d69d90ce3138ee2f8c9989d1d482f371cb25219b8ef8b0
Opcode Fuzzy Hash: fa8f75d4fcd45ab6276eeb28bd05bba5303e687396e799f81b9332131e5467d3
Instruction Fuzzy Hash: 7F21B3B59002499FDB10CFAAD984ADEFFF8EB48310F14841AE914A7350D375A944DFA5

Function 0178AB00 Relevance: 1.6, APIs: 1, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0178A961,00000800,00000000,00000000), ref: 0178AB72

Memory Dump Source

Source File: 00000000.00000002.2073248728.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_oHchwlxMNG.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a85546c9995ce57876318f3c2a01880cb72eeeb848db7224c318a7a53e70a822
Instruction ID: 11d33ae9f8e8042fabb3b65b49821162642a440e8928b722d34da7ead1972f1d
Opcode Fuzzy Hash: a85546c9995ce57876318f3c2a01880cb72eeeb848db7224c318a7a53e70a822
Instruction Fuzzy Hash: 192113B6C002498FDB20CFAAC484ADEFBF5EF98310F14852ED529A7200C379A545CFA0

Function 0178A118 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0178A961,00000800,00000000,00000000), ref: 0178AB72

Memory Dump Source

Source File: 00000000.00000002.2073248728.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_oHchwlxMNG.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 02d360df0e5654e258b23737c83b893d16aa31b94268466aae3d31ecc14053de
Instruction ID: 2781ba351ae112f455592e11032ee1fb840c568adcce6235f74e7f7268d6ba2d
Opcode Fuzzy Hash: 02d360df0e5654e258b23737c83b893d16aa31b94268466aae3d31ecc14053de
Instruction Fuzzy Hash: 451114B6D003098FDB10DF9AD844A9EFFF5EB48320F10842EE529A7200C379A945CFA1

Function 06652484 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06653009,?,?), ref: 066531B0

Memory Dump Source

Source File: 00000000.00000002.2075378466.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6650000_oHchwlxMNG.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f4aa446f497006786f67d9f9d1c8fc3155348f836d5db7547ae0ab4bb6c0282e
Instruction ID: 4f055441ace81c31e82309d277af4dd11fb3a26debc5c3fca2a7cc16a19f14ad
Opcode Fuzzy Hash: f4aa446f497006786f67d9f9d1c8fc3155348f836d5db7547ae0ab4bb6c0282e
Instruction Fuzzy Hash: 341125B5C04249CFDB60DF99C485BDEBBF4EB48320F14845AD968A7340D738A948CFA5

Function 06653150 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06653009,?,?), ref: 066531B0

Memory Dump Source

Source File: 00000000.00000002.2075378466.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6650000_oHchwlxMNG.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6053c59a973c1581a697606ceb39a79a437641a302e3d77d21f029fb7a451d8a
Instruction ID: 47a864f2ea8956ccfbec2c75a64178f9867a2381786f4a5523b62038ea3a0be4
Opcode Fuzzy Hash: 6053c59a973c1581a697606ceb39a79a437641a302e3d77d21f029fb7a451d8a
Instruction Fuzzy Hash: 621116B68002098FCB10CF99C545BDEBBF4EB48320F15841AD568A7740E738A544CFA1

Function 06658D14 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0665ADA5

Memory Dump Source

Source File: 00000000.00000002.2075378466.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6650000_oHchwlxMNG.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 839d4d36639bda6e5bd036c63c7a073bba213fecddbb8290b0dec85ab768f51a
Instruction ID: 9fde8c32b6b944ba1648f0f8f67ae97e2a9452c58c002ac7d2ddab669b87eaf3
Opcode Fuzzy Hash: 839d4d36639bda6e5bd036c63c7a073bba213fecddbb8290b0dec85ab768f51a
Instruction Fuzzy Hash: 021103B5800349DFDB50DF9AC889BDEBBF8EB48320F108559E958A7200D375A944CFA1

Function 0178A880 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0178A8E6

Memory Dump Source

Source File: 00000000.00000002.2073248728.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_oHchwlxMNG.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f40c657ace5271310c688967a41f52203773cdfad0b9b650c1a8ad1d499abe31
Instruction ID: 2693dfc65421bf396a52f0089c51bc4f2ca143f2a4cf43762dd2d40388a48fa6
Opcode Fuzzy Hash: f40c657ace5271310c688967a41f52203773cdfad0b9b650c1a8ad1d499abe31
Instruction Fuzzy Hash: 1511DFB6C007498FDB10DF9AD844A9EFBF4EF88320F14846AD529A7210D379A545CFA1

Function 0665AD40 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0665ADA5

Memory Dump Source

Source File: 00000000.00000002.2075378466.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6650000_oHchwlxMNG.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e38df752462d9888541b925148b12bd4810e3bc266e45b9f151b5fb0db2978c9
Instruction ID: 55e3e31597999e6422dd977e4c58c88b0cc3fc58d05be9fa0be2c4a821209f8a
Opcode Fuzzy Hash: e38df752462d9888541b925148b12bd4810e3bc266e45b9f151b5fb0db2978c9
Instruction Fuzzy Hash: 771103B9800349DFCB50DF9AD845BDEBBF8EB48320F108519E918A7200C375A944CFA1

Function 0158D5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072493562.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_158d000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea80bdd4c38648b62ee16acce61599d4a51e1cd454646b684f40e8f917e4d7c
Instruction ID: ddc75042e59d7835c0d1f1b50593c5698f86ed5562a1a5a94e6b1db2210eaa97
Opcode Fuzzy Hash: eea80bdd4c38648b62ee16acce61599d4a51e1cd454646b684f40e8f917e4d7c
Instruction Fuzzy Hash: 0D212871504208DFDB06EF99D9C0B2ABFF5FB94328F24856DD9092F286C336D456C6A1

Function 0159D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072563538.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2911615c63ee0a30f20924a79c93747319985f14996bcd88256110849e0c0f0
Instruction ID: e75b2d4975f7d9435fc5f696513e6e8ace6483cd7fa24257961e44291e300a73
Opcode Fuzzy Hash: e2911615c63ee0a30f20924a79c93747319985f14996bcd88256110849e0c0f0
Instruction Fuzzy Hash: F3210375504200DFDF15DF58D984B2ABBB5FB84354F20C96DD80A0F246D33BD406CA62

Function 0159D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072563538.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a0ced3ffb7daba5c6d4f2e4977e87793870935cd364f76f81889f9a885aabd
Instruction ID: a2b620eb17f4dc5010c336f495ba2895a3a5f7519ef64af99e69ac7d6ddce87f
Opcode Fuzzy Hash: b0a0ced3ffb7daba5c6d4f2e4977e87793870935cd364f76f81889f9a885aabd
Instruction Fuzzy Hash: 5F21C5755042049FDF05DF98D5C0B1ABBB5FB84324F24C9ADD9094F256C37AD846CAA2

Function 0159D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072563538.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6128c940c959c02427b2f73ec1c5ae9f9d5c5430e7efd9423e8ff4c7cad158
Instruction ID: 8417711d2b2f475e0bbbe06fb9a0eda947e1835186a6bbde847b16f7e85f0f18
Opcode Fuzzy Hash: 0b6128c940c959c02427b2f73ec1c5ae9f9d5c5430e7efd9423e8ff4c7cad158
Instruction Fuzzy Hash: 63218B755093808FDB03CF64D994B15BF71FB46214F28C5EAD8498F2A7C33A980ACB62

Function 0158D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072493562.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_158d000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: a9600599fdeedd4af6e4cf07d250f36966090fd9e43dc85db7c5a75a9936ff6e
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 1511DF76404244CFCB02DF54D5C4B1ABFB1FB84328F2486A9D8091F256C33AD45ACBA1

Function 0159D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072563538.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_159d000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 1dfc263b5d2489eeb8faf68bdfe7e54e1d9a4a7b80609931c859e5dddcb7bd09
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: D7118E75504244DFDF06CF54D5C4B19BB71FB44324F24C6A9D8494F656C33AD44ACB92

Non-executed Functions

Function 0178D3DC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073248728.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1780000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8974564f34c6ad79cd9c0e8f09b891daabb453a21149b65c0603e222194edabb
Instruction ID: d1bc02a4015bf45fcaec7e3932f5396568f3c1ea8b4856c689f92dbbc58c81a8
Opcode Fuzzy Hash: 8974564f34c6ad79cd9c0e8f09b891daabb453a21149b65c0603e222194edabb
Instruction Fuzzy Hash: F5A16132E4020A8FCF15EFB9C8849DEFBB2FF85310B15856AE905AB255DB31E945CB50

Analysis Process: oHchwlxMNG.exePID: 6644, Parent PID: 6632COMMON

Executed Functions

Function 00B3B328 Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

LjFp, xrefs: 00B3B6CF
PHcq, xrefs: 00B3B747
0oFp, xrefs: 00B3B562
LjFp, xrefs: 00B3B6E5
PHcq, xrefs: 00B3B758

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 4c6185cb465b10f12294003bb69d78c71cf2e361d5805c6c536e315cdcbcd9ae
Instruction ID: f6957c00081cbad8742d1b1649f4f08d87d6fc8c990dfc0d5c82b4af3bd3497e
Opcode Fuzzy Hash: 4c6185cb465b10f12294003bb69d78c71cf2e361d5805c6c536e315cdcbcd9ae
Instruction Fuzzy Hash: 45E1E774A006188FDB14CFA9C884A9DBBF1FF88300F2581A9E919AB366D731AC41CF54

Function 00B3BEB0 Relevance: 6.5, Strings: 5, Instructions: 203COMMON

Download Yara Rule

Strings

PHcq, xrefs: 00B3C107
LjFp, xrefs: 00B3C08F
0oFp, xrefs: 00B3BF22
LjFp, xrefs: 00B3C0A5
PHcq, xrefs: 00B3C118

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 64323a02e74fcf0780f952f24451d89a33395e76207822df4a23c585f0f3af06
Instruction ID: a650e637bb3e772923e6f833ac30174dfe14ac36fcc4e74030121c1941a29971
Opcode Fuzzy Hash: 64323a02e74fcf0780f952f24451d89a33395e76207822df4a23c585f0f3af06
Instruction Fuzzy Hash: A081C574E00258CFDB18DFA9D984A9DBBF2BF89300F24C0AAE409AB365DB355945CF51

Function 00B3C190 Relevance: 6.4, Strings: 5, Instructions: 196COMMON

Download Yara Rule

Strings

LjFp, xrefs: 00B3C36F
LjFp, xrefs: 00B3C385
0oFp, xrefs: 00B3C202
PHcq, xrefs: 00B3C3F8
PHcq, xrefs: 00B3C3E7

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 46bd0095ff0ff3a00258ad9d4ab8841d596fd31fdabb1177b4fe8718a344ef87
Instruction ID: eb56ee4bcd1d7654192e30791b3fab8fd5dc7213e6097abc40a0bece69f2b06b
Opcode Fuzzy Hash: 46bd0095ff0ff3a00258ad9d4ab8841d596fd31fdabb1177b4fe8718a344ef87
Instruction Fuzzy Hash: 58819374E042189FDB14DFAAD984A9DBBF2BF89300F24C0A9E419BB365DB349945CF50

Function 00B3BBD2 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

LjFp, xrefs: 00B3BDAF
0oFp, xrefs: 00B3BC42
PHcq, xrefs: 00B3BE27
PHcq, xrefs: 00B3BE38
LjFp, xrefs: 00B3BDC5

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 21266a444dcee0da92437fd5029490517e8de0048c41062aeaa3e866d21674da
Instruction ID: 59c3495edc2793431f8e911f6a04a8604b324467a0f97d3fd15a25aa288797c7
Opcode Fuzzy Hash: 21266a444dcee0da92437fd5029490517e8de0048c41062aeaa3e866d21674da
Instruction Fuzzy Hash: 8691B474E00218DFDB14DFA9D884A9DBBF2FF89300F2481A9E509AB369DB349945CF10

Function 00B3C470 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PHcq, xrefs: 00B3C6D8
LjFp, xrefs: 00B3C665
0oFp, xrefs: 00B3C4E2
LjFp, xrefs: 00B3C64F
PHcq, xrefs: 00B3C6C7

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: 2a733237305aeecc977211826030021fd81a64a5a39f4fb8c6510859c4c01c81
Instruction ID: 5b4ee4890d637f10e0aec22f7202eab3eac9678d2db84b0c7fd9913421a91a63
Opcode Fuzzy Hash: 2a733237305aeecc977211826030021fd81a64a5a39f4fb8c6510859c4c01c81
Instruction Fuzzy Hash: 1A81B274E002188FDB14DFA9D984A9DBBF2FF88300F24C1A9E409AB365DB349941CF10

Function 00B3C751 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjFp, xrefs: 00B3C945
0oFp, xrefs: 00B3C7C2
LjFp, xrefs: 00B3C92F
PHcq, xrefs: 00B3C9B8
PHcq, xrefs: 00B3C9A7

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: c662ae3802d2f3f2eb4bd82114efe2251188cc9990f3b393a3dffb2bb1461e08
Instruction ID: 3728d31800cc58435e77250a24c7ef7ca00495d6f8d2f15c9818e0e658cc83b4
Opcode Fuzzy Hash: c662ae3802d2f3f2eb4bd82114efe2251188cc9990f3b393a3dffb2bb1461e08
Instruction Fuzzy Hash: 4E81A374E04218DFDB14DFA9D984A9DBBF2BF89300F24C1A9E809AB365DB349945CF10

Function 00B34AD9 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjFp, xrefs: 00B34CCE
PHcq, xrefs: 00B34D41
PHcq, xrefs: 00B34D30
LjFp, xrefs: 00B34CB8
0oFp, xrefs: 00B34B4A

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: d4396d680bcc2b92174fee60e49853478df5a5a30dfcfef5cdf431b43bb092c7
Instruction ID: 4ec050d8a04d02ac12c09f4f33fe83c908961f6aa46b4ed599ab3846dd613f18
Opcode Fuzzy Hash: d4396d680bcc2b92174fee60e49853478df5a5a30dfcfef5cdf431b43bb092c7
Instruction Fuzzy Hash: 7C81B474E01218DFDB14DFA9D984A9DBBF2FF88300F2491A9E419AB365DB34A941CF10

Function 00B3CA31 Relevance: 6.4, Strings: 5, Instructions: 183COMMON

Download Yara Rule

Strings

PHcq, xrefs: 00B3CC87
LjFp, xrefs: 00B3CC0F
0oFp, xrefs: 00B3CAA2
LjFp, xrefs: 00B3CC25
PHcq, xrefs: 00B3CC98

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
API String ID: 0-3391486992
Opcode ID: b550fa293da7e357434ad6666edcaa0d5c308f25a24512ae7ee42f837e2a2938
Instruction ID: df1618b856dc5d7773bae584fbda5df0ad4c280cd783cb2238b61a685fbb070c
Opcode Fuzzy Hash: b550fa293da7e357434ad6666edcaa0d5c308f25a24512ae7ee42f837e2a2938
Instruction Fuzzy Hash: C3819374E00218DFDB14DFA9D984A9DBBF2FF88300F6490A9E819AB365DB349945CF50

Function 00B36730 Relevance: 5.4, Strings: 4, Instructions: 441COMMON

Download Yara Rule

Strings

,gq, xrefs: 00B36A00
(ocq, xrefs: 00B36988
(ocq, xrefs: 00B3697A
,gq, xrefs: 00B369F2

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$,gq$,gq
API String ID: 0-2401767512
Opcode ID: 83faaac0050a6cc10fa0915bf16299c2a71cdcf73eae6887be923693903ddfe6
Instruction ID: 6411b8e2c7e7e462a09179ab8660dcf3098bd1221f2b258ed2d9ef004e4f0cf2
Opcode Fuzzy Hash: 83faaac0050a6cc10fa0915bf16299c2a71cdcf73eae6887be923693903ddfe6
Instruction Fuzzy Hash: 3A020871A00219EFCB15CF69C984AAEBBF2EF88305F65C1A9E445EB2A1D734DD41CB50

Function 00B3B4F2 Relevance: 3.9, Strings: 3, Instructions: 152COMMON

Download Yara Rule

Strings

PHcq, xrefs: 00B3B747
0oFp, xrefs: 00B3B562
PHcq, xrefs: 00B3B758

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 0oFp$PHcq$PHcq
API String ID: 0-775545523
Opcode ID: e4e23239c7794ad6f66e5cca7b4b5655baeebdf0658b39c80c619ada9465b74f
Instruction ID: dc1a650f5bcf36e6e0d214733f3ffda5dde5717dd7744c3e0de7dd971a125a5a
Opcode Fuzzy Hash: e4e23239c7794ad6f66e5cca7b4b5655baeebdf0658b39c80c619ada9465b74f
Instruction Fuzzy Hash: 2561B474E006089FDB18DFAAD984A9EBBF2FF88300F24C169E519AB365DB345941CF10

Function 00B39858 Relevance: 3.4, Strings: 2, Instructions: 859COMMON

Download Yara Rule

Strings

4'cq, xrefs: 00B3A273
(ocq, xrefs: 00B39C78

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: (ocq$4'cq
API String ID: 0-3004416391
Opcode ID: 8e27fb57aa672596d89521ad4c643a7e49852e1711acb5cde406b522f47ef944
Instruction ID: d44af0f63e79d069fab2260f4162c53f21cb0cef1f4d68a40665193e609dbd2b
Opcode Fuzzy Hash: 8e27fb57aa672596d89521ad4c643a7e49852e1711acb5cde406b522f47ef944
Instruction Fuzzy Hash: E3727D70A00609DFCB15CF68C984AAEBBF2FF89301F258599E845EB2A1D770ED45CB51

Function 00B36108 Relevance: 3.0, Strings: 2, Instructions: 513COMMON

Download Yara Rule

Strings

Hgq, xrefs: 00B3650E
(ocq, xrefs: 00B36642

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: (ocq$Hgq
API String ID: 0-2239030825
Opcode ID: 69740deedffdee4547dbbaff198f87a319edaf3256b7d5ed6335fd23de32ebd6
Instruction ID: 0ecca2e254dab6dfa2140d2a63a4a839bb57dca3dc1ccaaebc1f6d260e043bc8
Opcode Fuzzy Hash: 69740deedffdee4547dbbaff198f87a319edaf3256b7d5ed6335fd23de32ebd6
Instruction Fuzzy Hash: 83127D71A002199FDB14DF69C954BAEBBF6FF88300F2085A9E506DB3A1DB349D45CB90

Function 00B377F0 Relevance: 28.2, Strings: 22, Instructions: 697COMMON

Download Yara Rule

Strings

.H, xrefs: 00B37A23
.H, xrefs: 00B3788E
$cq, xrefs: 00B38337
.H, xrefs: 00B37999
.H, xrefs: 00B37954
.H, xrefs: 00B37C68
.H, xrefs: 00B37C06
.H, xrefs: 00B37871
.H, xrefs: 00B37BC1
.H, xrefs: 00B37AAD
.H, xrefs: 00B37C4B
.H, xrefs: 00B37835
.H, xrefs: 00B37A68
.H, xrefs: 00B37B37
.H, xrefs: 00B37AF2
.H, xrefs: 00B379DE
.H, xrefs: 00B3790F
.H, xrefs: 00B37B7C
.H, xrefs: 00B378CA
$cq, xrefs: 00B38314
.H, xrefs: 00B3781B
NH, xrefs: 00B37809

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: .H$.H$.H$.H$.H$.H$.H$.H$.H$.H$.H$.H$.H$.H$.H$.H$.H$.H$.H$NH$$cq$$cq
API String ID: 0-2197362138
Opcode ID: 5f13b256f401269d768cf145b1b6a1ec71522f734487ae8d2a6a522ba4af9ef9
Instruction ID: 6760bef313168de203334bb4139e913984982ec6af228ec7db47350836178dc8
Opcode Fuzzy Hash: 5f13b256f401269d768cf145b1b6a1ec71522f734487ae8d2a6a522ba4af9ef9
Instruction Fuzzy Hash: 23523075A00218CFEF259BA4C860BAEBBB3EF84300F5080A9D50A6B395DF355E85DF51

Function 00B36E58 Relevance: 10.5, Strings: 8, Instructions: 477COMMON

Download Yara Rule

Strings

,gq, xrefs: 00B372F8
(ocq, xrefs: 00B3701A
(ocq, xrefs: 00B37377
(ocq, xrefs: 00B36E96
(ocq, xrefs: 00B36F7D
(ocq, xrefs: 00B36F51
(ocq, xrefs: 00B37367
,gq, xrefs: 00B37308

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$(ocq$(ocq$(ocq$(ocq$,gq$,gq
API String ID: 0-3338910979
Opcode ID: 1f349d193c6365f4a0b6266c59c4fb2dbd89c964101c1b4f2aafd44d5fbb1fe3
Instruction ID: b1f18c34cbd01f2f93165a51a236a0fcb3952a7724ced898398f28721188477c
Opcode Fuzzy Hash: 1f349d193c6365f4a0b6266c59c4fb2dbd89c964101c1b4f2aafd44d5fbb1fe3
Instruction Fuzzy Hash: E9126B71A046499FCB25CF68D884E9EBBF2FF89314F258599E805DB2A1DB30ED41CB50

Function 00B387E9 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

4'cq, xrefs: 00B38811
4'cq, xrefs: 00B38837

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq
API String ID: 0-60795322
Opcode ID: 02b361d1cbf98aff9ef61a2a83e3c89b3c98071ed9ca3b22ea27ee02c0a6955c
Instruction ID: 0c27668d3baf1f12aee185b3a37800d4a231630f0d39065924a788a6a116b568
Opcode Fuzzy Hash: 02b361d1cbf98aff9ef61a2a83e3c89b3c98071ed9ca3b22ea27ee02c0a6955c
Instruction Fuzzy Hash: 1BB12B713147028FDB159B28C998B3976E6EF85701F7944EAF502CB3A1EE29CC429753

Function 00B356A8 Relevance: 2.8, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

Hgq, xrefs: 00B35793
Hgq, xrefs: 00B357C6

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: Hgq$Hgq
API String ID: 0-3391890871
Opcode ID: 3e0ee160b9a9eb94f5456e85fb5ae6cf35e53922a8fd710a977ccc750349b264
Instruction ID: dc8a6ed7173820e1e7d099a91958cd62f9b580b8d119e6861d47b6d000c66f3a
Opcode Fuzzy Hash: 3e0ee160b9a9eb94f5456e85fb5ae6cf35e53922a8fd710a977ccc750349b264
Instruction Fuzzy Hash: DAB1CF31704654CFDB269F38C894B6A7BE2EB88311F2489A9E446CB3A1DF34DC41DB91

Function 00B35C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,gq, xrefs: 00B35CDE
,gq, xrefs: 00B35CE8

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: ,gq$,gq
API String ID: 0-2533611571
Opcode ID: 4d4c09c1760907327c574093daa2c7bf32c106fb929135299dfdc64b4e205d13
Instruction ID: 5c98698a4b7ed7e1906b5402bee97e1a8cde346d49b68e9f269566efa9cb21f0
Opcode Fuzzy Hash: 4d4c09c1760907327c574093daa2c7bf32c106fb929135299dfdc64b4e205d13
Instruction Fuzzy Hash: 3681AD35A00A158FCB24DF69C888AAAB7F2FF89304F7581A9D406DB365D731ED41CB50

Function 00B395D9 Relevance: 2.7, Strings: 2, Instructions: 224COMMON

Download Yara Rule

Strings

T, xrefs: 00B395E6
4'cq, xrefs: 00B3966C

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 4'cq$T
API String ID: 0-3162913229
Opcode ID: b10b6eeef224f11626335af7a9b7abd21443cb236bf092087bf46634784a59b5
Instruction ID: 30c730c505157875419db148d2e183466dd36d08639a80a66eaceb392b0ce5b2
Opcode Fuzzy Hash: b10b6eeef224f11626335af7a9b7abd21443cb236bf092087bf46634784a59b5
Instruction Fuzzy Hash: C381E7756092458FDB05DB68C894ABEBBF5EF85300F3885EAD401CB2A2DB75DC42CB91

Function 00B39390 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

4'cq, xrefs: 00B394CD
4'cq, xrefs: 00B394E4

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 4'cq$4'cq
API String ID: 0-60795322
Opcode ID: 299f6d33d4a633020d5e10b1dc3061105a3e34cba186bc356602b439f765394b
Instruction ID: 53c43c0521c192b7c97a9cbf0eb5caefdbe8c0f1376ebc5f41f4298743e9e8e0
Opcode Fuzzy Hash: 299f6d33d4a633020d5e10b1dc3061105a3e34cba186bc356602b439f765394b
Instruction Fuzzy Hash: 1F517F317003149FDB11DF69C884B6A7BEAEF88350F2884A6E909CB391DB75DC42CB91

Function 00B33428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xgq, xrefs: 00B33435
Xgq, xrefs: 00B3345E

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: Xgq$Xgq
API String ID: 0-2113765878
Opcode ID: a048cef25133a844b0516226581b817a80a65b99b7eb45b9e05bac626c3c04e5
Instruction ID: 54e8ef5cde219c0b880b9d1e022e46e5a72ee2a39d4d74ed4ffd820c88d46d81
Opcode Fuzzy Hash: a048cef25133a844b0516226581b817a80a65b99b7eb45b9e05bac626c3c04e5
Instruction Fuzzy Hash: 82310771B043248BDF298BAA899423F75EAEBC4B11F3840B9D806C7390DF75CE458651

Function 00B30CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRcq, xrefs: 00B30E5E

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: LRcq
API String ID: 0-4134321033
Opcode ID: f6893d658513a4b3180b77079f7ded89f5d18b0294536a7eab143ba02e9c5d5d
Instruction ID: a3e5e68624350d3e0df35a5c90054e2c689bb60cd61c76b7f76613ce6f3bf9d5
Opcode Fuzzy Hash: f6893d658513a4b3180b77079f7ded89f5d18b0294536a7eab143ba02e9c5d5d
Instruction Fuzzy Hash: 0822A474A1061ACFCB55EF64E894A9DBBB2FF88301F1086E5D809A7365DB706D86CF40

Function 00B3964C Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

4'cq, xrefs: 00B3966C

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 4'cq
API String ID: 0-182294849
Opcode ID: 91b206330edd85abdce0bf0fc982f9004ab104660f35e171defbe6c536045628
Instruction ID: 95e6eb47dc425a710d0848204ed56487748dab032cca53ff1b5f160fc8127af1
Opcode Fuzzy Hash: 91b206330edd85abdce0bf0fc982f9004ab104660f35e171defbe6c536045628
Instruction Fuzzy Hash: 4541B575B042059FDF15DAA9C881ABFB7F9EF88300F3484E9E402DB291DAB5CC418B90

Function 00B3A650 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

(ocq, xrefs: 00B3A7D9

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: (ocq
API String ID: 0-1855696158
Opcode ID: e9bc6ee97c3daed03a40e7bcebe543c8ff3ee8e3a078306a729cbde2b86da694
Instruction ID: a9401846f06d46d2143912caed3bf014bf5b80f5a299b8110ecf6e08c96d0499
Opcode Fuzzy Hash: e9bc6ee97c3daed03a40e7bcebe543c8ff3ee8e3a078306a729cbde2b86da694
Instruction Fuzzy Hash: 1E41E1317042489FCB05AB69D854AAE7BF6EBC8311F2444A9E506E7391CE359C02CBE1

Function 00B35EA8 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

1, xrefs: 00B35EA8

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-501262851
Opcode ID: fee29336bcb63133d9edc1c213253aedac06b8b0673f1df3103fef947b251796
Instruction ID: 956560ec85c967ffd727756969f921c6817c9bbbe0eba9e4d9ae3e4f8b15bc5d
Opcode Fuzzy Hash: fee29336bcb63133d9edc1c213253aedac06b8b0673f1df3103fef947b251796
Instruction Fuzzy Hash: 34D02B705087490FD702F330ED115043B29EF81304F9046E0F5060B06BEEB8194587A2

Function 00B3A818 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2feba492944f7a6ef1ea8fb9f45797dc668289944f931e7798f4af55d9ba28c
Instruction ID: 9ba1935b732cef0f5ed30af75496cae7384b954ac494b22bd7e6e55c5757e852
Opcode Fuzzy Hash: b2feba492944f7a6ef1ea8fb9f45797dc668289944f931e7798f4af55d9ba28c
Instruction Fuzzy Hash: 32F11775A006148FCB04CF6DC884AADBBF6EF88311F3A8199E545AB361DB35EC81CB51

Function 00B37438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611b3af46eb315c1bc2809726eb0a86c51fc460ae15173b0d58430e2ff75bf8d
Instruction ID: 055dea50918662ee0452b98a67e588faa979a38302615522cc7c59b0b928d7f8
Opcode Fuzzy Hash: 611b3af46eb315c1bc2809726eb0a86c51fc460ae15173b0d58430e2ff75bf8d
Instruction Fuzzy Hash: 8471D3746486058FDB29DF28C898AA97BE5EF59301F2540E9E806CB3B1DF70EC41DB90

Function 00B3CEC7 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62c10dad9e937e90d30afe930e9e7ed3f1fa0989c6eca5504ff9b3b33c521c1
Instruction ID: e9c89a7992b5a621df8e35e107fd03a6df9bcd264bb5c4f1d432d9de413bbe96
Opcode Fuzzy Hash: a62c10dad9e937e90d30afe930e9e7ed3f1fa0989c6eca5504ff9b3b33c521c1
Instruction Fuzzy Hash: C751BF304257439FD2217FB0E9AC26A7BA0FB0F3137456E84A10EC61B59F75548ADA1A

Function 00B3CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4136a507a2bb1cb2ce0ac2db56cdb34365205a2770bcf256f490b7e4068820
Instruction ID: 678dcb2122202c52ff79c0c7d5b5ec83fc52aa800c46167a1543319a9e3cd24d
Opcode Fuzzy Hash: 9b4136a507a2bb1cb2ce0ac2db56cdb34365205a2770bcf256f490b7e4068820
Instruction Fuzzy Hash: AD519E304217439FD2607FB0E9AC22EBBA5FB0F3277406E84A10EC61759F75548ADE1A

Function 00B3CD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ec22896e53e9a027ebb25b90d0c069e2fa5e7d60e342447e8fda17cbd9f836
Instruction ID: 2838aca5296a2e8f485ecd63c990f5accdc290683963da734089d4b50037fce5
Opcode Fuzzy Hash: 32ec22896e53e9a027ebb25b90d0c069e2fa5e7d60e342447e8fda17cbd9f836
Instruction Fuzzy Hash: 96519474E012189FDB54DFA9D9849DDBBF2FF89300F20816AE819AB365DB30A905CF50

Function 00B33908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81559910a2d7718dbe3de49ce7d6340c759515d3d5e7e9aeb4cba6b878cfd02b
Instruction ID: b7db634dbc20316945ae5f273a8109622c405ec3b43d40d401fd06a11090774f
Opcode Fuzzy Hash: 81559910a2d7718dbe3de49ce7d6340c759515d3d5e7e9aeb4cba6b878cfd02b
Instruction Fuzzy Hash: D4519274E11608CFCB48DFA9D99499DBBF2FF89300F208569E805AB364DB35A945CF50

Function 00B39A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e10382e3192d24a2d17eb0abfd92005b3dcb62409d3aba885dc4083765cbbe2
Instruction ID: a6bd71c37f994a3934ae3a8f395ac0664659265ac22c4ba7cdb3f02a05f66328
Opcode Fuzzy Hash: 2e10382e3192d24a2d17eb0abfd92005b3dcb62409d3aba885dc4083765cbbe2
Instruction Fuzzy Hash: 3741A531A04249DFCF11CFA8D844A9EBFF2EF49310F248295E9559B2A1D7B4ED54CB50

Function 00B34DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0f748d3339dd0b57df96a922f6aaf4e7d7cb75e4b5872f5cedba4047dad48a
Instruction ID: 0057c969d9632792e96a7ffb471eae47bca3997a760ab1a6b6fe55e678fc1b31
Opcode Fuzzy Hash: bc0f748d3339dd0b57df96a922f6aaf4e7d7cb75e4b5872f5cedba4047dad48a
Instruction Fuzzy Hash: 1F3160323042199FCF059F65D854AAE3BE6FB88302F1044A4F91687255CF35DD65DBA1

Function 00B376E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb63988d6cca014a444931d5315fd5bba7a99c0cabe67de4bbae5f599b815d18
Instruction ID: 74d4b996d139d2aa10ca6d36d8c6a839380024801c0a51b35b2f9411e9bdc64c
Opcode Fuzzy Hash: eb63988d6cca014a444931d5315fd5bba7a99c0cabe67de4bbae5f599b815d18
Instruction Fuzzy Hash: B021CF763482048BEB2557298894A7A36D7EFC4719F3440F9D506CB794EE29CC82A381

Function 00B35A60 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90aaa37dc1d83fc523af92d1bc6b6eb8ba9926955b53285294cbe64b9f4f9b9
Instruction ID: 18e04b367867e9bc7fe2e5d75d86371ec4495410e29bb230bc00ff7758ae1c65
Opcode Fuzzy Hash: f90aaa37dc1d83fc523af92d1bc6b6eb8ba9926955b53285294cbe64b9f4f9b9
Instruction Fuzzy Hash: 7B21D331305A129FC7269B29C89462EB7E6EF85752B2542F9E806DB365CE34DC02CBC1

Function 00B32060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed689cb92d71d73bd7d0a9b404cc3e7aa76898cfd36dbc866dd97b855d8e8ac
Instruction ID: bf3cd57c03276714e818d86bd08bb32a25d381fe223148e904d0f61a98a6baa7
Opcode Fuzzy Hash: 4ed689cb92d71d73bd7d0a9b404cc3e7aa76898cfd36dbc866dd97b855d8e8ac
Instruction Fuzzy Hash: B121E231A006069FCF14DF34D5809AEB7B6EB9C350F20C459D9099B3A8EA31EE45CBD1

Function 00B3D11A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb823df4301d0974c545d30be26bb9395c5ea90f462dcd129d3c2b250f92ba6
Instruction ID: dab8b51d7d4dd2230c3ef00721bc37b355857fff388749ef849b9fe7c718f3ff
Opcode Fuzzy Hash: bcb823df4301d0974c545d30be26bb9395c5ea90f462dcd129d3c2b250f92ba6
Instruction Fuzzy Hash: EE215331C11609CECF00EFE8E914AECBBB0FF4A300F109669E40577294EB706A5ACB80

Function 00B3215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca2b4f5747c1598ba47fc2efc33920d82001a88e1b72c87c7e44f9d0384719d
Instruction ID: e4bfd11ae40adf6995fd019789c06277c41e49a35f9b1bc4b22395c9fe1b572c
Opcode Fuzzy Hash: 5ca2b4f5747c1598ba47fc2efc33920d82001a88e1b72c87c7e44f9d0384719d
Instruction Fuzzy Hash: 38113B31E192599FCB029BB8AC104DEBB71FF89310B258796D626B7091FA351909C791

Function 00B3D218 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a5f53dc9b54aae44c60118ec2c6fd3f6ae0d4f37c114d99e4bc6ac4cbda357
Instruction ID: e6d81b2ffb1aa5b29e739889bd54d066570b8dc8b8200f470b90deab1cdc3bed
Opcode Fuzzy Hash: 95a5f53dc9b54aae44c60118ec2c6fd3f6ae0d4f37c114d99e4bc6ac4cbda357
Instruction Fuzzy Hash: 80213834A452088FCF08DFB4E850AEEB7B2FB8A300F206569D401773A4CB399942CF65

Function 00B339ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34bde957a028935f26bd50066ca8f6c929706bafb72fc9337109c9710d8eb5c
Instruction ID: d35e964ef0f9ed4e39a53223bc7dab6a0d519608d041be7d5bb0d4858fe307de
Opcode Fuzzy Hash: a34bde957a028935f26bd50066ca8f6c929706bafb72fc9337109c9710d8eb5c
Instruction Fuzzy Hash: 7B316474E11309DFCB44DFA8E59499DBBB2FF89301B2044A9E809AB368DB35AD05CF40

Function 00B38EC1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9691b7b117895b8fed16dd63dd0ace642c994ba41a30d65f3138467906a899
Instruction ID: df783a259b995232836bcde58eeb23a3d8bd0f3a3716907fad8a81b8ae2add25
Opcode Fuzzy Hash: bd9691b7b117895b8fed16dd63dd0ace642c994ba41a30d65f3138467906a899
Instruction Fuzzy Hash: 13215A70A003489FCB05CFA5D950AEEBFF6EF48301F2484A9F415A72A0DB309A41DF50

Function 00B3D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db423d6b3b6c3337cdb7457c7095dd89c838f3bc1af12c35bd9ea2e11f312b5
Instruction ID: a292f718f242e3321fddf8d2795375562e55630ca01fee7c79b2dc546df5babd
Opcode Fuzzy Hash: 3db423d6b3b6c3337cdb7457c7095dd89c838f3bc1af12c35bd9ea2e11f312b5
Instruction Fuzzy Hash: 6821D334A412088FCF08DFB4E850AEEB7B2FB8A301F10A569D405733A4CB79A945CE65

Function 00B39B41 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67d2073dda05788c5407ea63354d59d13c3c5b9bbc4fb4edab805efac25d1ef
Instruction ID: 2c746b4fa9d5b93d1a1dbeb9d83f7acfab4b55b8ef0d6d757c9fe2b890374c93
Opcode Fuzzy Hash: a67d2073dda05788c5407ea63354d59d13c3c5b9bbc4fb4edab805efac25d1ef
Instruction Fuzzy Hash: D321D231600245DFDF10DF5DD884B9AFBE2EF85320F248695D554AB291E3B1E810C7A5

Function 00B35A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0cd569cbef4fdb4876f8425d14da6f42135a945500c04b806209b975cd94c57
Instruction ID: fccb5a7be101cc22d4b5f5dfabcb8b0a6db008ea787dfb9f020b1072b3cf4044
Opcode Fuzzy Hash: f0cd569cbef4fdb4876f8425d14da6f42135a945500c04b806209b975cd94c57
Instruction Fuzzy Hash: 57115231701A129FC7255B29D89462EB7E6EFC4752B2542F8E906DB360DF20DC0287D0

Function 00B31F08 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddf15c3c3a07b6aaf0ac4ec361579fd83c85e566c3af438cd35e0210fa722f3
Instruction ID: bc4c3153b8c20a6ba6cbfaf3dcf0631a5fee8c95bafec159d6ee4d8f56f5a8ff
Opcode Fuzzy Hash: fddf15c3c3a07b6aaf0ac4ec361579fd83c85e566c3af438cd35e0210fa722f3
Instruction Fuzzy Hash: DE211574C052098FCB01EFA8D8945EDBFF4FF49311F2441AAD845B7264EB311A45CBA1

Function 00B35607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccf542f1cfa8b26a9f36b5533e52cf434257fb7cc79bed6329541b235bbeb73
Instruction ID: f874595ffc3c57e595a16c9f0cbef32d1af7843cfda4f82348b2f2d7213363a7
Opcode Fuzzy Hash: bccf542f1cfa8b26a9f36b5533e52cf434257fb7cc79bed6329541b235bbeb73
Instruction Fuzzy Hash: 6901F572B041146FCB129E649C117AE3FE7DFC9352F2880EAF904D7294CA718D1597A1

Function 00B31F71 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ff1e3a4be84ebe423c969296d6d504c08af9724b8540c2f300187f53568bd3
Instruction ID: 83ed488bcccb4005ee94906ba2f89d5ec4621f57e085518b9cdce9fca79ce363
Opcode Fuzzy Hash: 41ff1e3a4be84ebe423c969296d6d504c08af9724b8540c2f300187f53568bd3
Instruction Fuzzy Hash: 4C11A2B4D0060A8FCB44EFA8D9456EEBBF5FF49301F10516AD909B3264EB305A95CFA1

Function 00B32020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d099596c5039f32abd5eb8bb1b60d0c1891107dfd6be82a7ce55e034a4a8dabd
Instruction ID: db8cfe9a5269b80211ebb607dba456c0403f579192cc5d7d749a334f38f8a52d
Opcode Fuzzy Hash: d099596c5039f32abd5eb8bb1b60d0c1891107dfd6be82a7ce55e034a4a8dabd
Instruction Fuzzy Hash: F6D01231D2022B968B00A6A5DC044DEB739EE96261B544626D52437154EB70265986E1

Function 00B38258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 6b6dbfb2b066e5e0056edeb25cb9995e819ac493e43881beb9b263b868e0a449
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: FDC0123724C2282AA624108E7C80AA3BB8CC2C17B4E3501B7F91CA3200A8429C8001AA

Function 00B3A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01bce935a10e03b603263ad0d0830907564198f6e808c6ff0e55f5c6f975068
Instruction ID: bf237ba472c1129715971b2fd7854ffedc9d773838704012e196856d2896564d
Opcode Fuzzy Hash: d01bce935a10e03b603263ad0d0830907564198f6e808c6ff0e55f5c6f975068
Instruction Fuzzy Hash: EDD0677AB511189FCB049F98EC409DDB7B6FB9C222B048156EA15E3261C6319961DB50

Function 00B35EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70f257d34c357aa11ceea97d1e84438907195e9388006577330228b97cba3dd
Instruction ID: 2d9264f3c627331b82fb0b1fb794401e7c0d1e26db4c216422fd87ba6eb98e18
Opcode Fuzzy Hash: f70f257d34c357aa11ceea97d1e84438907195e9388006577330228b97cba3dd
Instruction Fuzzy Hash: 95C01270214B094BCA02F775EE45515776EEFC0300F904AA0B10B0612ADEB819858A91

Non-executed Functions

Function 00B36088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;cq, xrefs: 00B360BA
\;cq, xrefs: 00B360C6
\;cq, xrefs: 00B36094
\;cq, xrefs: 00B3609E

Memory Dump Source

Source File: 00000001.00000002.2184261020.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_b30000_oHchwlxMNG.jbxd

Similarity

API ID:
String ID: \;cq$\;cq$\;cq$\;cq
API String ID: 0-2961067002
Opcode ID: 6b2b491686b4758eabd6edfe6dd90c7c75d58c88cb4ae5d5ad31f988b13bc736
Instruction ID: d266c4f3130f177a1b23db1e623ef7fc606d5ee50a55f606a400c3ecfa9d3bd7
Opcode Fuzzy Hash: 6b2b491686b4758eabd6edfe6dd90c7c75d58c88cb4ae5d5ad31f988b13bc736
Instruction Fuzzy Hash: DD017C31710414AF8B2C8E2DC4C5D2677E6EFD8760B3581BAE502CB3B4DA72DC418790

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oHchwlxMNG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oHchwlxMNG.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
oHchwlxMNG.exe

Function 0178C909 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Function 0178C918 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0178A690 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 0178CB58 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 0178CB60 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0178AB00 Relevance: 1.6, APIs: 1, Instructions: 58
libraryCOMMON

Function 0178A118 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 06652484 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 06653150 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Function 0178A880 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre