Edit tour

Windows Analysis Report
oe8KMVNFEG.exe

Overview

General Information

Sample name:	oe8KMVNFEG.exe renamed because original name is a hash value
Original sample name:	d64cdbe6ba08bc293e824dc87c3b0aca90e432514f18b189b5f37e59bfaa29b9.exe
Analysis ID:	1588612
MD5:	e10abad4b0666e5acf257e4603453975
SHA1:	c5b02e62e6ad90541778f1b34ee9fc02f8e8d9b9
SHA256:	d64cdbe6ba08bc293e824dc87c3b0aca90e432514f18b189b5f37e59bfaa29b9
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

oe8KMVNFEG.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\oe8KMVNFEG.exe" MD5: E10ABAD4B0666E5ACF257E4603453975)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: oe8KMVNFEG.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: oe8KMVNFEG.exe	Virustotal: Detection: 63%			Perma Link
Source: oe8KMVNFEG.exe	ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: oe8KMVNFEG.exe

Joe Sandbox ML: detected

Source: oe8KMVNFEG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: oe8KMVNFEG.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 45.9.191.182 45.9.191.182

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /salad/Ekaopt.mp4 HTTP/1.1Host: xianggrhen.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: xianggrhen.com

Source: oe8KMVNFEG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: oe8KMVNFEG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: oe8KMVNFEG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: oe8KMVNFEG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: oe8KMVNFEG.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: oe8KMVNFEG.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: oe8KMVNFEG.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003169000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: oe8KMVNFEG.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000319B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com
Source: oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003111000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003109000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com/salad/Ekaopt.mp4
Source: oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000320E000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003169000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.com/salad/Ekaopt.mp4l
Source: oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003181000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000320E000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003169000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.comD
Source: oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003181000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000320C000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000320E000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003169000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000319B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://xianggrhen.comd
Source: oe8KMVNFEG.exe	String found in binary or memory: https://www.paessler.com0

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_0170E5F4	0_2_0170E5F4
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_0170F4F8	0_2_0170F4F8
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Code function: 0_2_0170F4E8	0_2_0170F4E8

Source: oe8KMVNFEG.exe

Static PE information: invalid certificate

Source: oe8KMVNFEG.exe, 00000000.00000002.4209141171.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs oe8KMVNFEG.exe
Source: oe8KMVNFEG.exe, 00000000.00000000.1756232477.0000000000CFA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEzwjwazt.exe vs oe8KMVNFEG.exe
Source: oe8KMVNFEG.exe	Binary or memory string: OriginalFilenameEzwjwazt.exe vs oe8KMVNFEG.exe

Source: oe8KMVNFEG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Mutant created: NULL

Source: oe8KMVNFEG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: oe8KMVNFEG.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: oe8KMVNFEG.exe	Virustotal: Detection: 63%
Source: oe8KMVNFEG.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: oe8KMVNFEG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: oe8KMVNFEG.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Code function: 0_2_0170EFC0 pushfd ; retf

0_2_0170EFC1

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Memory allocated: 16C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Window / User API: threadDelayed 2628			Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Window / User API: threadDelayed 7187			Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7624	Thread sleep count: 2628 > 30	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7624	Thread sleep count: 7187 > 30	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -99282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -99157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -99032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -98922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -98185s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -97871s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -97759s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -97653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -97515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -97407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -97293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -97188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -96969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -95485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -95235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -95108s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -95000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -94856s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -94746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -94641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -94516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -94406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -94297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe TID: 7592	Thread sleep time: -94185s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 99157	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 99032	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 98922	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 98185	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 97871	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 97759	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 97653	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 97515	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 97407	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 97293	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 97188	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 95235	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 95108	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 95000	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 94856	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 94746	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 94641	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 94516	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 94406	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 94297	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Thread delayed: delay time: 94185	Jump to behavior

Source: oe8KMVNFEG.exe, 00000000.00000002.4210874987.00000000057F2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Queries volume information: C:\Users\user\Desktop\oe8KMVNFEG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oe8KMVNFEG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\oe8KMVNFEG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
oe8KMVNFEG.exe	64%	Virustotal		Browse
oe8KMVNFEG.exe	61%	ReversingLabs	Win32.Trojan.Jalapeno
oe8KMVNFEG.exe	100%	Avira	HEUR/AGEN.1304477
oe8KMVNFEG.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://xianggrhen.com/salad/Ekaopt.mp4	0%	Avira URL Cloud	safe
http://xianggrhen.com/salad/Ekaopt.mp4l	0%	Avira URL Cloud	safe
http://xianggrhen.comD	0%	Avira URL Cloud	safe
https://www.paessler.com0	0%	Avira URL Cloud	safe
http://xianggrhen.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xianggrhen.com	45.9.191.182	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://xianggrhen.com/salad/Ekaopt.mp4	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://xianggrhen.com	oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000319B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003169000.00000004.00000800.00020000.00000000.sdmp	false		high
http://xianggrhen.com/salad/Ekaopt.mp4l	oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000320E000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003169000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xianggrhen.comD	oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003181000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000320E000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003169000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031AA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xianggrhen.comd	oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003181000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000320C000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000320E000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.0000000003169000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, oe8KMVNFEG.exe, 00000000.00000002.4209662983.000000000319B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.paessler.com0	oe8KMVNFEG.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.9.191.182	xianggrhen.com	Germany		47583	AS-HOSTINGERLT	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588612
Start date and time:	2025-01-11 03:08:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oe8KMVNFEG.exe renamed because original name is a hash value
Original Sample Name:	d64cdbe6ba08bc293e824dc87c3b0aca90e432514f18b189b5f37e59bfaa29b9.exe
Detection:	MAL
Classification:	mal64.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 10 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:09:11	API Interceptor	11457497x Sleep call for process: oe8KMVNFEG.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.9.191.182	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/basket/Snobzw.vdf
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/basket/Snobzw.vdf
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/book/Fvrbzpfzrm.vdf
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/book/Fvrbzpfzrm.vdf
	rDecPayment_Swi.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/book/Netnoyfq.mp3
	10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/composure/Emmaj.vdf
	LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/composure/Vuglyxyuvio.pdf
	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/camp/Reibbfkkyy.dat
	DecPayment410_F2103_S29103_M839_U4721_S381I_S98EEU_USD031224.exe	Get hash	malicious	Unknown	Browse	xianggrhen.com/desk/Tbddfcris.vdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xianggrhen.com	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	rDecPayment_Swi.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	DecPayment410_F2103_S29103_M839_U4721_S381I_S98EEU_USD031224.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	AMTR-TT4781-SWFT-U4Y81-SO39-C37AR-AO937-CNR742-S3782-2818DY-9A82.exe	Get hash	malicious	Unknown	Browse	92.113.29.113

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-HOSTINGERLT	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	PqJockhBoA.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	EZ9o9I0iW9.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	92.249.45.121
	rDecPayment_Swi.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	10thDecember2024SWIFT-40111-34000-5410-24532-10477-65011-239605.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	LE-Y5029-D3948-W3029-K4302-Q20930-R4039-Y4938-E3028-LA3829-D300.exe	Get hash	malicious	Unknown	Browse	45.9.191.182
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	92.249.45.121
	MN-PAYMENT20241206-5002-10259-410291-30198-281920-30183-21474.exe	Get hash	malicious	Unknown	Browse	45.9.191.182

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.717986822258666
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	oe8KMVNFEG.exe
File size:	355'824 bytes
MD5:	e10abad4b0666e5acf257e4603453975
SHA1:	c5b02e62e6ad90541778f1b34ee9fc02f8e8d9b9
SHA256:	d64cdbe6ba08bc293e824dc87c3b0aca90e432514f18b189b5f37e59bfaa29b9
SHA512:	845f21d7e482cc5bdf226837e066b44db9a968cc20b5d36862ac2658c94ed7de11eca4163d8b324bd1dda8d0626cebf0b31316c97bf6901d6fe82117bc6b930a
SSDEEP:	6144:5PfmPMXk/cCRLxPJ2aQtr7beeozoI9QAjK0N:5TXk0C9eRwvn
TLSH:	BD74C3F4DFF4C024C68861F5E01D4624D2E0A9A9DF728E06AAA753AC15A27DCDDCC1E7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Og.................j............... ........@.. ....................................`................................

File Icon


Icon Hash:	1838d371e870710e

Static PE Info

General

Entrypoint:	0x4288ce
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674FE587 [Wed Dec 4 05:15:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	10/02/2022 00:00:00 12/02/2025 23:59:59
Subject Chain	CN=Paessler AG, O=Paessler AG, L=N\xfcrnberg, C=DE
Version:	3
Thumbprint MD5:	234FA1A9133E1A346EA15776D9F6CCDF
Thumbprint SHA-1:	67F655F2440F1D2C453963909848E352D0EA89B2
Thumbprint SHA-256:	977E514E290BF4040604678E5E6615183CB8B77EC24D3A59B3C6794DD03CBC8E
Serial:	0CB1CD6F7F1F8923E738064FB0E9FECA

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28880	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0x2d200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x54000	0x2df0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x268d4	0x26a00	bac9665143180cc6fff9248b01f10d3b	False	0.43673518406148865	data	6.045797265471035	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2a000	0x2d200	0x2d200	903029ae5522937eeeccf4d8202b8d14	False	0.24765192174515235	data	4.541245382679845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0xc	0x200	7b8c32915a3a4ddef936e6c3fdb68033	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x2a2b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m	0.549645390070922
RT_ICON	0x2a718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m	0.39549180327868855
RT_ICON	0x2b0a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m	0.32082551594746717
RT_ICON	0x2c148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m	0.23443983402489627
RT_ICON	0x2e6f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m	0.19845299952763346
RT_ICON	0x32918	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 11811 x 11811 px/m	0.17841959334565619
RT_ICON	0x37da0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 11811 x 11811 px/m	0.14746689089762455
RT_ICON	0x41248	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m	0.1194398438424228
RT_ICON	0x51a70	0x4dc9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.99598252397931
RT_GROUP_ICON	0x5683c	0x84	data	0.7272727272727273
RT_VERSION	0x568c0	0x5a8	data	0.30455801104972374
RT_MANIFEST	0x56e68	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:09:12.760500908 CET	49731	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:12.765367031 CET	80	49731	45.9.191.182	192.168.2.4
Jan 11, 2025 03:09:12.765440941 CET	49731	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:12.766546965 CET	49731	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:12.771511078 CET	80	49731	45.9.191.182	192.168.2.4
Jan 11, 2025 03:09:34.139872074 CET	80	49731	45.9.191.182	192.168.2.4
Jan 11, 2025 03:09:34.140137911 CET	49731	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:34.161673069 CET	49731	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:34.163491011 CET	49738	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:34.166471958 CET	80	49731	45.9.191.182	192.168.2.4
Jan 11, 2025 03:09:34.168317080 CET	80	49738	45.9.191.182	192.168.2.4
Jan 11, 2025 03:09:34.168435097 CET	49738	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:34.168575048 CET	49738	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:34.173362017 CET	80	49738	45.9.191.182	192.168.2.4
Jan 11, 2025 03:09:55.549710989 CET	80	49738	45.9.191.182	192.168.2.4
Jan 11, 2025 03:09:55.549921036 CET	49738	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:55.550888062 CET	49738	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:55.556344032 CET	80	49738	45.9.191.182	192.168.2.4
Jan 11, 2025 03:09:55.559189081 CET	49739	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:55.564961910 CET	80	49739	45.9.191.182	192.168.2.4
Jan 11, 2025 03:09:55.565047979 CET	49739	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:55.565181971 CET	49739	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:09:55.570925951 CET	80	49739	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:16.921251059 CET	80	49739	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:16.921310902 CET	49739	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:16.921782970 CET	49739	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:16.922642946 CET	49831	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:16.926645994 CET	80	49739	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:16.927552938 CET	80	49831	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:16.927633047 CET	49831	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:16.927743912 CET	49831	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:16.932527065 CET	80	49831	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:38.280908108 CET	80	49831	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:38.282907009 CET	49831	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:38.287053108 CET	49831	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:38.292639971 CET	49959	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:38.294681072 CET	80	49831	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:38.301414967 CET	80	49959	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:38.301500082 CET	49959	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:38.301742077 CET	49959	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:38.309351921 CET	80	49959	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:45.286396980 CET	49959	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:45.287838936 CET	50008	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:45.292673111 CET	80	50008	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:45.292733908 CET	50008	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:45.292859077 CET	50008	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:45.297564983 CET	80	50008	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:45.336680889 CET	80	49959	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:55.585144043 CET	50008	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:55.585148096 CET	50009	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:55.589986086 CET	80	50009	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:55.590143919 CET	50009	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:55.590342045 CET	50009	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:10:55.595127106 CET	80	50009	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:55.632700920 CET	80	50008	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:59.678078890 CET	80	49959	45.9.191.182	192.168.2.4
Jan 11, 2025 03:10:59.678261995 CET	49959	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:06.656702042 CET	80	50008	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:06.656829119 CET	50008	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:09.880110025 CET	50009	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:09.881953955 CET	50010	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:09.886883020 CET	80	50010	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:09.886943102 CET	50010	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:09.887082100 CET	50010	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:09.891904116 CET	80	50010	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:09.928673983 CET	80	50009	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:16.364506006 CET	50010	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:16.366892099 CET	50011	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:16.371843100 CET	80	50011	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:16.371923923 CET	50011	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:16.372122049 CET	50011	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:16.376900911 CET	80	50011	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:16.412693024 CET	80	50010	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:16.801984072 CET	50011	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:16.804195881 CET	50012	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:17.004396915 CET	80	50009	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:17.004471064 CET	80	50012	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:17.004539967 CET	50009	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:17.004632950 CET	50012	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:17.004757881 CET	50012	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:17.011944056 CET	80	50012	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:17.049673080 CET	80	50011	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:31.265983105 CET	80	50010	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:31.266202927 CET	50010	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:37.765846014 CET	80	50011	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:37.768397093 CET	50011	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:38.391536951 CET	80	50012	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:38.391613007 CET	50012	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:38.395862103 CET	50012	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:38.398005962 CET	50013	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:38.400733948 CET	80	50012	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:38.402837038 CET	80	50013	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:38.402909040 CET	50013	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:38.403243065 CET	50013	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:38.408087969 CET	80	50013	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:40.302088022 CET	50013	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:40.305185080 CET	50014	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:40.310127974 CET	80	50014	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:40.310194016 CET	50014	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:40.310342073 CET	50014	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:40.315115929 CET	80	50014	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:40.350725889 CET	80	50013	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:44.442779064 CET	50014	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:44.444395065 CET	50015	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:44.449253082 CET	80	50015	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:44.449317932 CET	50015	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:44.449440002 CET	50015	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:11:44.454262018 CET	80	50015	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:44.488692999 CET	80	50014	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:59.766926050 CET	80	50013	45.9.191.182	192.168.2.4
Jan 11, 2025 03:11:59.768341064 CET	50013	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:01.720885038 CET	80	50014	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:01.721487045 CET	50014	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:05.692715883 CET	50015	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:05.695847034 CET	50016	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:05.700742960 CET	80	50016	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:05.700891972 CET	50016	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:05.701138020 CET	50016	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:05.705918074 CET	80	50016	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:05.740811110 CET	80	50015	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:05.864702940 CET	80	50015	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:05.864794970 CET	50015	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:27.063750982 CET	80	50016	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:27.064086914 CET	50016	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:27.069930077 CET	50016	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:27.070065975 CET	50017	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:27.074659109 CET	80	50016	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:27.074892044 CET	80	50017	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:27.075030088 CET	50017	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:27.076484919 CET	50017	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:27.081224918 CET	80	50017	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:33.567909956 CET	50017	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:33.571014881 CET	50018	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:33.575879097 CET	80	50018	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:33.576036930 CET	50018	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:33.576138020 CET	50018	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:33.581005096 CET	80	50018	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:33.612749100 CET	80	50017	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:34.852284908 CET	50018	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:34.852375031 CET	50019	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:34.857182980 CET	80	50019	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:34.857301950 CET	50019	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:34.857395887 CET	50019	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:34.862195015 CET	80	50019	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:34.900850058 CET	80	50018	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:46.427181005 CET	50019	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:46.428931952 CET	50020	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:46.433878899 CET	80	50020	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:46.433991909 CET	50020	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:46.434233904 CET	50020	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:46.439080954 CET	80	50020	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:46.476959944 CET	80	50019	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:48.272344112 CET	50020	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:48.274605036 CET	50021	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:48.279510021 CET	80	50021	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:48.279620886 CET	50021	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:48.279869080 CET	50021	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:48.284651041 CET	80	50021	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:48.320828915 CET	80	50020	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:48.424184084 CET	80	50017	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:48.424657106 CET	50017	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:53.958633900 CET	50021	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:53.962428093 CET	50022	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:53.967817068 CET	80	50022	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:53.967900991 CET	50022	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:53.968050003 CET	50022	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:53.972826004 CET	80	50022	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:54.004796028 CET	80	50021	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:54.954988956 CET	80	50018	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:54.958725929 CET	50018	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:56.221091986 CET	80	50019	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:56.230390072 CET	50019	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:58.366452932 CET	50023	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:58.366451025 CET	50022	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:58.375468016 CET	80	50023	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:58.379724979 CET	50023	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:58.379724979 CET	50023	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:58.387900114 CET	80	50023	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:58.416475058 CET	80	50022	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:59.083738089 CET	50023	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:59.086446047 CET	50024	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:59.091383934 CET	80	50024	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:59.091711044 CET	50024	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:59.091902971 CET	50024	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:12:59.096681118 CET	80	50024	45.9.191.182	192.168.2.4
Jan 11, 2025 03:12:59.128838062 CET	80	50023	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:06.991738081 CET	50024	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:07.000396967 CET	50025	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:07.005702019 CET	80	50025	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:07.008495092 CET	50025	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:07.008611917 CET	50025	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:07.013353109 CET	80	50025	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:07.036855936 CET	80	50024	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:07.846272945 CET	80	50020	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:07.846350908 CET	50020	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:09.694442034 CET	80	50021	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:09.694509029 CET	50021	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:15.347230911 CET	80	50022	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:15.347290039 CET	50022	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:17.626432896 CET	50025	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:17.627325058 CET	50026	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:17.632333040 CET	80	50026	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:17.632456064 CET	50026	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:17.632664919 CET	50026	80	192.168.2.4	45.9.191.182
Jan 11, 2025 03:13:17.637394905 CET	80	50026	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:17.676835060 CET	80	50025	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:19.772202015 CET	80	50023	45.9.191.182	192.168.2.4
Jan 11, 2025 03:13:19.772275925 CET	50023	80	192.168.2.4	45.9.191.182

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:09:12.489413023 CET	62385	53	192.168.2.4	1.1.1.1
Jan 11, 2025 03:09:12.673319101 CET	53	62385	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:09:12.489413023 CET	192.168.2.4	1.1.1.1	0x1a21	Standard query (0)	xianggrhen.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:09:12.673319101 CET	1.1.1.1	192.168.2.4	0x1a21	No error (0)	xianggrhen.com		45.9.191.182	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

xianggrhen.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:09:12.766546965 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:09:34.168575048 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:09:55.565181971 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49831	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:10:16.927743912 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49959	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:10:38.301742077 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50008	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:10:45.292859077 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50009	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:10:55.590342045 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50010	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:11:09.887082100 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50011	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:11:16.372122049 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	50012	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:11:17.004757881 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	50013	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:11:38.403243065 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	50014	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:11:40.310342073 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	50015	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:11:44.449440002 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	50016	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:12:05.701138020 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50017	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:12:27.076484919 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50018	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:12:33.576138020 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	50019	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:12:34.857395887 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50020	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:12:46.434233904 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50021	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:12:48.279869080 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50022	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:12:53.968050003 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50023	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:12:58.379724979 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50024	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:12:59.091902971 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50025	45.9.191.182	80	7552	C:\Users\user\Desktop\oe8KMVNFEG.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:13:07.008611917 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
23	192.168.2.4	50026	45.9.191.182	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:13:17.632664919 CET	80	OUT	GET /salad/Ekaopt.mp4 HTTP/1.1 Host: xianggrhen.com Connection: Keep-Alive

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: oe8KMVNFEG.exePID: 7552, Parent PID: 2580

General

Target ID:	0
Start time:	21:09:11
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\oe8KMVNFEG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oe8KMVNFEG.exe"
Imagebase:	0xcd0000
File size:	355'824 bytes
MD5 hash:	E10ABAD4B0666E5ACF257E4603453975
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: oe8KMVNFEG.exePID: 7552, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	70
Total number of Limit Nodes:	2

Executed Functions

Function 0170A488 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0170A6DE

Memory Dump Source

Source File: 00000000.00000002.4209485556.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_oe8KMVNFEG.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8082b265febf4fb42f9178cf5a7e37b045f3ae53737e3c646a79ce31a932d6b7
Instruction ID: 755becd46d0a3a25c12f2ed7d7c297150de675107e7c8e13838f3a7757e332b6
Opcode Fuzzy Hash: 8082b265febf4fb42f9178cf5a7e37b045f3ae53737e3c646a79ce31a932d6b7
Instruction Fuzzy Hash: 10812170A00B05CFD725DF29D48475AFBF1FB88204F108A2AD58AD7B90DB75E949CB90

Function 0170C710 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0170CD26,?,?,?,?,?), ref: 0170CDE7

Memory Dump Source

Source File: 00000000.00000002.4209485556.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_oe8KMVNFEG.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 56a69a9defa67ce6a4e78274aab09350fe8c4fdeb40db5ef771500d6c50542cc
Instruction ID: 7b636065192a59d6be94743fdbc8379af1efb8d9837b6dc533a9548a79ff2661
Opcode Fuzzy Hash: 56a69a9defa67ce6a4e78274aab09350fe8c4fdeb40db5ef771500d6c50542cc
Instruction Fuzzy Hash: C421D2B5900248DFDB11CFAAD984ADEFFF8EB48320F14845AE954A7250D374A940CFA5

Function 0170CD58 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0170CD26,?,?,?,?,?), ref: 0170CDE7

Memory Dump Source

Source File: 00000000.00000002.4209485556.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_oe8KMVNFEG.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3cbdf4b33ddf4d50f8aaef5c38e336cf1704ded6fa5208df49dccf81f4443f2e
Instruction ID: 2b63193ce109cbaf6d541ad88ebf31ca15278f2f8590d459dd23cec59b988965
Opcode Fuzzy Hash: 3cbdf4b33ddf4d50f8aaef5c38e336cf1704ded6fa5208df49dccf81f4443f2e
Instruction Fuzzy Hash: 5421E3B5D00218DFDB10CF99D984AEEBFF9EB48324F14845AE954A7250D378A940CF65

Function 0170A678 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0170A6DE

Memory Dump Source

Source File: 00000000.00000002.4209485556.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_oe8KMVNFEG.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0edcad6297fc41d80cbef283949bfccd9b2ae7f2b08d401f1aac19ef3f2daac4
Instruction ID: 9810af6e2f1a8dd0482edd5b69427d6ac979f794fbfd4150089ebac60db70def
Opcode Fuzzy Hash: 0edcad6297fc41d80cbef283949bfccd9b2ae7f2b08d401f1aac19ef3f2daac4
Instruction Fuzzy Hash: 8A11E0B5C00749CFDB10CF9AC844ADEFBF4EB88324F14842AD969A7650C379A545CFA5

Function 0123D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4208924807.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c2c360c1cbeb4ffdd0c8a90a1365dcffd125f5f7a91b28049df2c04a4896c8
Instruction ID: aac7ec503a7192462ee685120abf68b0f76841aaf0804ad3c1c1ebfa0681102b
Opcode Fuzzy Hash: 45c2c360c1cbeb4ffdd0c8a90a1365dcffd125f5f7a91b28049df2c04a4896c8
Instruction Fuzzy Hash: 892148B1510209DFDB01DF48E9C0B27BF65FBC4318F60C169EA0A0B296C376D455C7A1

Function 0124D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4208964952.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fe300090ae8dfc1ff01947f67a363229b24cf16801a9f6a19b0780b34d337a
Instruction ID: 3e9bf77fb310cebe521fdc4a533cb71e1ab13f69b8c8fc0cfd08e9feaa5ad98a
Opcode Fuzzy Hash: f7fe300090ae8dfc1ff01947f67a363229b24cf16801a9f6a19b0780b34d337a
Instruction Fuzzy Hash: 23214270214208DFCB19DFA8D984B26BFA1EB94314F20C56DD90A4B256C37AD407CA61

Function 0124D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4208964952.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f538d7ea208d202c13ce37ea958081171c35d2a97689468923043d266a2739c8
Instruction ID: e7112512cbd9b9ce16659d92ba835b3be9fd12a33955ea78e8e5dc54c66937ca
Opcode Fuzzy Hash: f538d7ea208d202c13ce37ea958081171c35d2a97689468923043d266a2739c8
Instruction Fuzzy Hash: E5219F755083849FCB07CF64D994B11BF71EB56314F28C5EAD9498F2A7C33A980ACB62

Function 0123D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4208924807.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 4b618a2327f2d77333be03eca209e4e451340d4ced17cf43231878de50929f29
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8A1103B2904244CFDB12CF48D5C4B16BF72FB84324F24C1A9DA090B257C336D45ACBA2

Function 0123D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4208924807.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dad2672970ed42d430b08a88e523d7f4b530509c66b8acd279fcb5968fce2de
Instruction ID: 8bd087ffcd789f80fe0ff7b0e96287c4fe1fc0e76e7c6fa9e9c2e7d2a2639826
Opcode Fuzzy Hash: 9dad2672970ed42d430b08a88e523d7f4b530509c66b8acd279fcb5968fce2de
Instruction Fuzzy Hash: 6B01DBB10183899EE7164A59DDC4B67FFD8EF85324F58C42AEE094A196C279D840C671

Function 0123D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4208924807.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb5a31b24e674beb9959245ccfadf9f54bb744d1788a56cfd4d3be0e22e3b07
Instruction ID: 743d966a2e274e041d454c0fc01941d4f82fe6b600ce9d853ac712cd28d890c4
Opcode Fuzzy Hash: 2fb5a31b24e674beb9959245ccfadf9f54bb744d1788a56cfd4d3be0e22e3b07
Instruction Fuzzy Hash: 94F096B14083889EE7158E1ADDC4B62FFA8EF85734F18C45AEE484F2D6C2799844CA71

Non-executed Functions

Function 0170F4F8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4209485556.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4b8622535f72149491a4f67d3a31ba66b1e95913c2fb194101b5ceba30ff0b
Instruction ID: b96b6663754aa27d96d0c6687ca2515334b404510037a3c9c7e56ef5b54b26ca
Opcode Fuzzy Hash: 7e4b8622535f72149491a4f67d3a31ba66b1e95913c2fb194101b5ceba30ff0b
Instruction Fuzzy Hash: CE12EBF6C857498BD310CF65EC4C1A9FBB1B741398BD24A09CA622F2E1E7B4156ACF44

Function 0170E5F4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4209485556.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9422cb2cdbc5b8940a745bf0b3e0370daa9360855b1e3648ed3e5bc937aa925f
Instruction ID: 28edfb64ff2275cb18ab7077f9bcafb2b452d85aab219ced53a256c6667829a6
Opcode Fuzzy Hash: 9422cb2cdbc5b8940a745bf0b3e0370daa9360855b1e3648ed3e5bc937aa925f
Instruction Fuzzy Hash: 5FA13C32A0030ACFCF16DFA5D84459EFBF2FF88300B15496AE905AB2A5DF31A955CB50

Function 0170F4E8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4209485556.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_oe8KMVNFEG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2482bf7622673788335222f6b4877bd1a6ab8cefd73e92e9a3b2979506bb1fc6
Instruction ID: dc1ec35aa4510c693fb5baa1cd4fe39ca0909eec6c5e40a7fe88343a9caf013f
Opcode Fuzzy Hash: 2482bf7622673788335222f6b4877bd1a6ab8cefd73e92e9a3b2979506bb1fc6
Instruction Fuzzy Hash: 1CC12DB2C8470D8BD710CF75EC481A9FBB1FB85394F924A09D6622B2D1EBB81466CF44

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oe8KMVNFEG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
oe8KMVNFEG.exe

Function 0170A488 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Function 0170C710 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0170CD58 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 0170A678 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON