Windows
Analysis Report
rdD2B4MLXl.exe
Overview
General Information
Sample name: | rdD2B4MLXl.exe (renamed because original name is a hash value) |
Original sample name: | 2cee710e6e9aa9984b810218533fa11080885c70.exe |
Analysis ID: | 1624117 |
MD5: | 11ee9190de7d96e509b14cd55c5dcdf1 |
SHA1: | 2cee710e6e9aa9984b810218533fa11080885c70 |
SHA256: | 6693465d15b4a4448c2937af6013acf5fc0a4932a55c46dda78defdeed5cea3d |
Tags: | exe, user-threatcat_ch |
Infos: | |
Detection
CobaltStrike
Score: | 96 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
rdD2B4MLXl.exe (PID: 4268 cmdline: "C:\Users\user\Desktop\rdD2B4MLXl.exe" MD5: 11EE9190DE7D96E509B14CD55C5DCDF1)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Cobalt Strike, CobaltStrike | Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. | | | |
{"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 31000, "MaxGetSize": 2796513, "Jitter": 41, "C2Server": "cysdetred-support.com,/services/data/v36.0/sobjects/account/describe", "HttpPostUri": "/services/data/v41.0/jobs/ingest", "Malleable_C2_Instructions": ["Remove 4 bytes from the end", "Remove 31 bytes from the end", "Remove 42 bytes from the end", "Remove 33 bytes from the end", "Remove 29 bytes from the end", "Remove 12 bytes from the beginning", "Remove 31 bytes from the beginning", "Remove 27 bytes from the beginning", "Remove 25 bytes from the beginning", "Remove 26 bytes from the beginning", "Remove 24 bytes from the beginning", "Remove 25 bytes from the beginning", "Base64 decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 191386109, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16900, "ProcInject_PrependAppend_x86": ["kJCQkA==", "Empty"], "ProcInject_PrependAppend_x64": ["kJCQkA==", "Empty"], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "False", "HostHeader": "Host: cysdetred-support.com\r\n"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security | ||
JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security | ||
JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | ||
Windows_Trojan_CobaltStrike_f0b627fc | Rule for beacon reflective loader | unknown | |
JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security | ||
⊘No Sigma rule has matched
⊘No Suricata rule has matched
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Integrated Neural Analysis Model: |
Source: | Code function: | 0_2_00007FF60AC9CA80 | |
Source: | Code function: | 0_2_00007FF60AC9F080 | |
Source: | Code function: | 0_2_00007FF60AC9DDE0 | |
Source: | Code function: | 0_2_00007FF60AC9D510 | |
Source: | Code function: | 0_2_00007FF60AC9D7E0 | |
Source: | Code function: | 0_2_00007FF60ACA96A0 |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00007FF60ACB4FDC |
Networking |
---|
Source: | URLs: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
Source: | Code function: | 0_2_00007FF60AC9DDE0 | |
Source: | Code function: | 0_2_00007FF60AC9D7E0 | |
Source: | Code function: | 0_2_00007FF60ACA96A0 |
System Summary |
---|
Source: | Matched rule: |
Source: | Code function: | 0_2_00007FF60ACE2A00 | |
Source: | Code function: | 0_2_00007FF60AC5D070 | |
Source: | Code function: | 0_2_00007FF60ACF03E0 | |
Source: | Code function: | 0_2_00007FF60AC5C3A0 | |
Source: | Code function: | 0_2_00007FF60ACDE340 | |
Source: | Code function: | 0_2_00007FF60AC66510 | |
Source: | Code function: | 0_2_00007FF60AC442F0 | |
Source: | Code function: | 0_2_00007FF60AC96800 | |
Source: | Code function: | 0_2_00007FF60ACDE624 | |
Source: | Code function: | 0_2_00007FF60ACD7C0C | |
Source: | Code function: | 0_2_00007FF60AC73C00 | |
Source: | Code function: | 0_2_00007FF60ACC9CC0 | |
Source: | Code function: | 0_2_00007FF60ACC9A4C | |
Source: | Code function: | 0_2_00007FF60AC69F80 | |
Source: | Code function: | 0_2_00007FF60ACC9FAC | |
Source: | Code function: | 0_2_00007FF60AC520E0 | |
Source: | Code function: | 0_2_00007FF60AC9DDE0 | |
Source: | Code function: | 0_2_00007FF60ACDFEA8 | |
Source: | Code function: | 0_2_00007FF60ACBBE38 | |
Source: | Code function: | 0_2_00007FF60AC6B1B0 | |
Source: | Code function: | 0_2_00007FF60AC751A0 | |
Source: | Code function: | 0_2_00007FF60ACD3258 | |
Source: | Code function: | 0_2_00007FF60ACDB7D4 | |
Source: | Code function: | 0_2_00007FF60AC9D7E0 | |
Source: | Code function: | 0_2_00007FF60ACD378C | |
Source: | Code function: | 0_2_00007FF60ACC97B4 | |
Source: | Code function: | 0_2_00007FF60ACDD748 | |
Source: | Code function: | 0_2_00007FF60AC65770 | |
Source: | Code function: | 0_2_00007FF60AC7F8D0 | |
Source: | Code function: | 0_2_00007FF60AC678E0 | |
Source: | Code function: | 0_2_00007FF60AC4F5A0 | |
Source: | Code function: | 0_2_00007FF60AC5F640 |
Source: | Matched rule: |
Source: | Classification label: |
Source: | Code function: | 0_2_00007FF60AC946A0 |
Source: | Static PE information: |
Source: | Key opened: |
Source: | String found in binary or memory: |
Source: | Section loaded: |
Source: | Key value queried: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Code function: | 0_2_00007FF60ACF2FC0 |
Source: | Static PE information: |
Source: | Code function: | 0_3_00007FF4B9A52277 | |
Source: | Code function: | 0_3_00007FF4B9A529B3 | |
Source: | Code function: | 0_3_00007FF4B9A539E7 | |
Source: | Code function: | 0_3_00007FF4B9A52C5B | |
Source: | Code function: | 0_3_00007FF4B9A52C5B | |
Source: | Code function: | 0_3_00007FF4B9A52C5B | |
Source: | Code function: | 0_3_00007FF4B9A523DB | |
Source: | Code function: | 0_3_00007FF4B9A56BBF | |
Source: | Code function: | 0_3_00007FF4B9A523DB | |
Source: | Code function: | 0_3_00007FF4B9A52EB7 | |
Source: | Code function: | 0_3_00007FF4B9A52EB7 | |
Source: | Code function: | 0_3_00007FF4B9A51E1B | |
Source: | Code function: | 0_3_00007FF4B9A52DAB | |
Source: | Code function: | 0_3_00007FF4B9A51583 | |
Source: | Code function: | 0_3_00007FF4B9A51E1B | |
Source: | Code function: | 0_3_00007FF4B9A570A4 | |
Source: | Code function: | 0_3_00007FF4B9A57177 | |
Source: | Code function: | 0_3_00007FF4B9A570A4 | |
Source: | Code function: | 0_3_00007FF4B9A570A4 | |
Source: | Code function: | 0_3_00007FF4B9A570E8 | |
Source: | Code function: | 0_3_00007FF4B9A570A4 |
Source: | Process information set: |
Source: | Code function: | 0_2_00007FF60AC946A0 |
Source: | API coverage: |
Source: | Last function: |
Source: | Code function: | 0_2_00007FF60ACB4FDC |
Source: | Code function: | 0_2_00007FF60AC4AA30 |
Source: | Binary or memory string: |
Source: | Process information queried: |
Anti Debugging |
---|
Source: | Thread information set: |
Source: | Process queried: |
Source: | Code function: | 0_2_00007FF60ACB8B18 |
Source: | Code function: | 0_2_00007FF60AC946A0 |
Source: | Code function: | 0_2_00007FF60ACF2FC0 |
Source: | Code function: | 0_2_00007FF60AC9CA80 |
Source: | Code function: | 0_2_00007FF60ACB82A0 | |
Source: | Code function: | 0_2_00007FF60ACC68E8 |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | NtOpenFile: |
Source: | NtQueryInformationProcess: |
Source: | NtClose: |
Source: | NtResumeThread: |
Source: | NtQuerySystemInformation: |
Source: | NtQueryInformationProcess: |
Source: | NtOpenFile: |
Source: | NtSetSecurityObject: |
Source: | NtSetSecurityObject: |
Source: | NtResumeThread: |
Source: | NtSuspendThread: |
Source: | NtClose: |
Source: | NtSetInformationProcess: |
Source: | NtQueryInformationProcess: |
Source: | Code function: | 0_2_00007FF60AC8CA20 |
Source: | Code function: | 0_2_00007FF60ACEBCB8 | |
Source: | Code function: | 0_2_00007FF60ACEBADC | |
Source: | Code function: | 0_2_00007FF60ACE1EAC | |
Source: | Code function: | 0_2_00007FF60ACEB2CC | |
Source: | Code function: | 0_2_00007FF60ACE18C0 | |
Source: | Code function: | 0_2_00007FF60ACEB5E4 | |
Source: | Code function: | 0_2_00007FF60ACEB6B4 |
Source: | Code function: | 0_2_00007FF60ACB8998 |
Source: | Code function: | 0_2_00007FF60AC73C00 |
Source: | Key value queried: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 151 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 113 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 15 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 6% | Virustotal | | |
| 3% | ReversingLabs | | |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high | |
cysdetred-support.com | 3.69.83.191 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| false | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
3.69.83.191 | cysdetred-support.com | United States | | 16509 | AMAZON-02US | true |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1624117 |
Start date and time: | 2025-02-25 21:38:30 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 39s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | rdD2B4MLXl.exe (renamed because original name is a hash value) |
Original Sample Name: | 2cee710e6e9aa9984b810218533fa11080885c70.exe |
Detection: | MAL |
Classification: | mal96.troj.evad.winEXE@1/0@1/1 |
EGA Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 2.23.77.188, 4.175.87.197, 13.107.246.60
- Excluded domains from analysis (whitelisted): cac-ocsp.digicert.com.edgekey.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, e3913.cd.akamaiedge.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
⊘No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
bg.microsoft.map.fastly.net | | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | AsyncRAT | | |
| | | malicious | Quasar | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
AMAZON-02US | | | malicious | Unknown | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | Gafgyt, Mirai | | |
| | | malicious | Gafgyt, Mirai | | |
| | | malicious | Gafgyt, Mirai | | |
| | | malicious | HTMLPhisher | | |
| | | malicious | Unknown | | |
| | | malicious | Unknown | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | | | malicious | XWorm | | |
| | | malicious | GuLoader, Snake Keylogger | | |
| | | malicious | GhostRat | | |
| | | malicious | FormBook | | |
| | | malicious | GuLoader, Snake Keylogger | | |
| | | malicious | Discord Token Stealer, GuLoader | | |
| | | malicious | Discord Token Stealer, GuLoader | | |
| | | malicious | GuLoader, Snake Keylogger | | |
| | | malicious | Discord Token Stealer, GuLoader | | |
⊘No context
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 6.948938787158752 |
TrID: | |
File name: | rdD2B4MLXl.exe |
File size: | 1'884'160 bytes |
MD5: | 11ee9190de7d96e509b14cd55c5dcdf1 |
SHA1: | 2cee710e6e9aa9984b810218533fa11080885c70 |
SHA256: | 6693465d15b4a4448c2937af6013acf5fc0a4932a55c46dda78defdeed5cea3d |
SHA512: | 77e5eb72420c9cf4a8a70a5f18713796b00c404635a0d97c919f70dd482ac783b896a5babd09453f62d5231d0e704ab80870ff5c606b37c9632c9ccaf2e62214 |
SSDEEP: | 49152:5NQc7U0SgxsTA9zil8QTGT/2XLQhqxP1cN/tZmC:vXU0SisM9iHitz |
TLSH: | 9095AE0A67ED51E8D2B7D078C4A15A5AFAB2741847346ADF42D012491F33FE8DE3EB12 |
File Content Preview: | MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.........b%...v...v...v...w...v...w...v...wi..v...v...v...v...v...v...v...w...v...w...v...w...v...w...v9..w...v...v...v...v...v9..w... |
Icon Hash: | 90cececece8e8eb0 |
Entrypoint: | 0x14008819c |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6450C6E4 [Tue May 2 08:16:36 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 4a36bdc0e9acb57b3de15b1c9077fb08 |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F837CD120D8h |
dec eax |
add esp, 28h |
jmp 00007F837CD11757h |
int3 |
int3 |
dec eax |
mov eax, esp |
dec eax |
mov dword ptr [eax+18h], ebx |
dec eax |
mov dword ptr [eax+20h], esi |
dec eax |
mov dword ptr [eax+10h], edx |
dec eax |
mov dword ptr [eax+08h], ecx |
push edi |
inc ecx |
push esi |
inc ecx |
push edi |
dec eax |
sub esp, 30h |
dec ebp |
mov edi, ecx |
dec ebp |
mov esi, eax |
dec eax |
mov esi, edx |
dec eax |
mov edi, ecx |
xor ebx, ebx |
dec eax |
mov dword ptr [eax-20h], ebx |
mov byte ptr [eax-28h], bl |
dec ecx |
cmp ebx, esi |
je 00007F837CD11903h |
dec eax |
mov ecx, edi |
dec ecx |
mov eax, edi |
dec eax |
mov edx, dword ptr [000587CDh] |
call edx |
dec eax |
add edi, esi |
dec eax |
mov dword ptr [esp+50h], edi |
dec eax |
inc ebx |
dec eax |
mov dword ptr [esp+28h], ebx |
jmp 00007F837CD118BCh |
mov byte ptr [esp+20h], 00000001h |
dec eax |
mov ebx, dword ptr [esp+60h] |
dec eax |
mov esi, dword ptr [esp+68h] |
dec eax |
add esp, 30h |
inc ecx |
pop edi |
inc ecx |
pop esi |
pop edi |
ret |
dec eax |
mov eax, esp |
dec eax |
mov dword ptr [eax+08h], ebx |
dec eax |
mov dword ptr [eax+10h], ebp |
dec eax |
mov dword ptr [eax+18h], esi |
dec eax |
mov dword ptr [eax+20h], edi |
inc ecx |
push esi |
dec eax |
sub esp, 20h |
dec ecx |
mov ebx, dword ptr [ecx+38h] |
dec eax |
mov esi, edx |
dec ebp |
mov esi, eax |
dec eax |
mov ebp, ecx |
dec ecx |
mov edx, ecx |
dec eax |
mov ecx, esi |
dec ecx |
mov edi, ecx |
dec esp |
lea eax, dword ptr [ebx+04h] |
call 00007F837CD1148Dh |
mov eax, dword ptr [ebp+04h] |
and al, 66h |
neg al |
mov eax, 00000001h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12a800 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14d000 | 0xf18 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x13e000 | 0xd71c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14e000 | 0x3438 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x11214c | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x112300 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1121a0 | 0x138 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe0000 | 0x9b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xdefa5 | 0xdf000 | a66a279793add96d35aaa60d5c8a0354 | False | 0.4505062359865471 | data | 6.343793949291786 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xe0000 | 0x4cad2 | 0x4cc00 | 8f942ce760096a7c41a5e64586ce0cf9 | False | 0.3718381005700326 | data | 5.079341680143342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x12d000 | 0x1019c | 0x7200 | 04f1fc0e410777a6e6be42d48aa6ed34 | False | 0.12051123903508772 | data | 4.122764053596428 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x13e000 | 0xd71c | 0xd800 | 168271fc175a68d27e7aa44e757a9fb1 | False | 0.4433051215277778 | PEX Binary Archive | 5.751389690234424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0x14c000 | 0xf4 | 0x200 | ff465f28bfbd93484d7f7d51083bc402 | False | 0.306640625 | data | 2.431409032399032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x14d000 | 0xf18 | 0x1000 | 099150967efac80426cb5a3fca82e31c | False | 0.333984375 | data | 5.207750131576838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x14e000 | 0x8a400 | 0x8a400 | 4bb390476d9f49afe5e85e8c26230611 | False | 0.758718425067812 | data | 7.75419550208802 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
TRENDOSCESALTVCRP | 0x14d174 | 0x4 | data | English | United States | 3.0 |
TREND_XBC_PACK | 0x14d178 | 0x4 | data | Chinese | Taiwan | 3.0 |
RT_VERSION | 0x14d17c | 0x450 | data | Chinese | Taiwan | 0.41032608695652173 |
RT_MANIFEST | 0x14d5cc | 0x94c | exported SGML document, ASCII text, with CRLF line terminators | English | United States | 0.31596638655462184 |
DLL | Import |
---|---|
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
ADVAPI32.dll | IsValidSid, OpenProcessToken, EqualSid, GetTokenInformation, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegQueryValueExA, RegSetValueExA, ImpersonateLoggedOnUser, RevertToSelf, LookupAccountSidW, CryptDeriveKey, CryptAcquireContextW, CreateWellKnownSid, RegCreateKeyExA, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptDecrypt, CryptEncrypt, CryptImportKey, CryptGetHashParam, CryptSetKeyParam, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextA, RegOpenKeyExA |
SHLWAPI.dll | PathRemoveFileSpecW, PathCanonicalizeW, PathStripPathW, PathFileExistsA, PathAppendW, PathFileExistsW |
RPCRT4.dll | UuidToStringW, RpcStringFreeW |
WINHTTP.dll | WinHttpQueryAuthSchemes, WinHttpSetCredentials, WinHttpReadData, WinHttpSetStatusCallback, WinHttpCrackUrl, WinHttpOpen, WinHttpCloseHandle, WinHttpConnect, WinHttpQueryDataAvailable, WinHttpQueryOption, WinHttpSetOption, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpQueryHeaders, WinHttpReceiveResponse, WinHttpSendRequest |
KERNEL32.dll | FreeLibrary, LoadLibraryW, GetSystemDirectoryA, GetSystemDirectoryW, GetModuleFileNameW, MultiByteToWideChar, WideCharToMultiByte, GetACP, LoadLibraryA, GlobalFree, OpenProcess, WTSGetActiveConsoleSessionId, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, DecodePointer, RaiseException, HeapDestroy, HeapReAlloc, HeapSize, InitializeCriticalSectionEx, DeleteCriticalSection, DeleteFileA, GetTempPathA, GetTempFileNameA, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, CreateFileA, WriteFile, LocalFree, GetCurrentDirectoryW, CreateDirectoryW, FileTimeToLocalFileTime, GetFileTime, GetTempFileNameW, LocalFileTimeToFileTime, SetFileTime, GetTempPathW, ReleaseMutex, WaitForSingleObject, WaitForSingleObjectEx, GetWindowsDirectoryW, CopyFileW, FileTimeToSystemTime, SystemTimeToFileTime, GetSystemTimeAsFileTime, GetCurrentProcessId, GetVersionExW, LoadLibraryExW, LoadResource, LockResource, SizeofResource, FindResourceW, WaitForMultipleObjects, GetExitCodeProcess, CreateProcessW, SystemTimeToTzSpecificLocalTime, MoveFileExW, TryEnterCriticalSection, InitializeSRWLock, QueryFullProcessImageNameA, OpenMutexA, GetSystemWow64DirectoryA, GetWindowsDirectoryA, GetSystemTime, ProcessIdToSessionId, TerminateThread, CreateThread, CreateMutexA, GetCurrentThreadId, GetModuleFileNameA, lstrlenA, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, CreateEventW, CreateMutexW, GetProcessHeap, HeapFree, HeapAlloc, GetLastError, CloseHandle, GetModuleHandleA, GetProcAddress, GetSystemInfo, SwitchToThread, GetTickCount, GetModuleHandleW, GetVolumePathNamesForVolumeNameW, QueryDosDeviceW, GetLongPathNameW, GetDriveTypeA, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FindFirstFileA, Sleep, RtlUnwind, ExitThread, FreeLibraryAndExitThread, CreateFileW, DeleteFileW, GetFileSizeEx, ReadFile, LocalAlloc, QueryFullProcessImageNameW, SetLastError, SetEvent, GetFileSize, CreateFileMappingA, GetLocalTime, GetVersionExA, ReleaseSemaphore, WaitForMultipleObjectsEx, CreateEventA, FormatMessageA, CreateSemaphoreA, GetStringTypeW, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, GetFinalPathNameByHandleW, SetEndOfFile, SetFileInformationByHandle, SetFilePointerEx, AreFileApisANSI, GetFileInformationByHandleEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, EncodePointer, LCMapStringEx, GetCPInfo, InitializeSListHead, InitializeCriticalSectionAndSpinCount, ResetEvent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, OutputDebugStringW, InterlockedPushEntrySList, RtlPcToFileHeader, RtlUnwindEx, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetStdHandle, GetCommandLineA, GetCommandLineW, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, FlushFileBuffers, GetConsoleCP, GetConsoleMode, ReadConsoleW, FindNextFileA, IsValidCodePage, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetEnvironmentVariableW, SetStdHandle, WriteConsoleW, GetCurrentProcess, SetNamedPipeHandleState, WaitNamedPipeW, ConnectNamedPipe, DisconnectNamedPipe, CreateNamedPipeW, GetOverlappedResult, SetWaitableTimer |
SHELL32.dll | SHGetFolderPathW |
ole32.dll | CoUninitialize, CoCreateInstance, CoInitialize, CoInitializeEx, CoInitializeSecurity, CoCreateGuid |
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear, VariantInit |
CRYPT32.dll | CryptProtectData, CryptUnprotectData, CryptSIPRetrieveSubjectGuidForCatalogFile, CryptMsgUpdate, CryptMsgOpenToDecode, CertVerifyCertificateChainPolicy, CertFreeCertificateChain, CertGetCertificateChain, CryptQueryObject, CertGetNameStringW, CertFreeCertificateContext, CertFindCertificateInStore, CertCloseStore, CertOpenStore, CryptMsgControl, CryptMsgGetParam, CryptMsgClose, CryptDecodeObject |
WTSAPI32.dll | WTSQueryUserToken |
urlmon.dll | URLDownloadToFileA |
WINTRUST.dll | WTHelperProvDataFromStateData, WTHelperGetProvCertFromChain, WTHelperGetProvSignerFromChain, WinVerifyTrust, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, CryptCATAdminEnumCatalogFromHash, CryptCATAdminCalcHashFromFileHandle, CryptCATCatalogInfoFromContext, CryptSIPGetSignedDataMsg, CryptSIPVerifyIndirectData, CryptCATAdminReleaseContext |
PSAPI.DLL | EnumProcessModulesEx, GetModuleFileNameExA |
dbghelp.dll | ImageNtHeader |
Description | Data |
---|---|
CompanyName | Trend Micro Inc. |
CoverageBuild | None |
CompileOption | None |
BuildType | None |
FileDescription | Trend Micro Support Connector |
FileVersion | 14.0.0.12032 |
LegalCopyright | Copyright (C) 2023 Trend Micro Incorporated. All rights reserved. |
LegalTrademarks | Copyright (C) Trend Micro Inc. |
PrivateBuild | Build 12032 - None |
ProductName | Trend Micro Apex One |
ProductVersion | 14.0 |
SpecialBuild | 12032 |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Chinese | Taiwan | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 25, 2025 21:39:48.120824099 CET | 61015 | 53 | 192.168.2.4 | 1.1.1.1 |
Feb 25, 2025 21:39:48.159073114 CET | 53 | 61015 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Feb 25, 2025 21:39:48.120824099 CET | 192.168.2.4 | 1.1.1.1 | 0x39c | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Feb 25, 2025 21:39:29.418550968 CET | 1.1.1.1 | 192.168.2.4 | 0x40d6 | No error (0) | | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
Feb 25, 2025 21:39:29.418550968 CET | 1.1.1.1 | 192.168.2.4 | 0x40d6 | No error (0) | | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
Feb 25, 2025 21:39:48.159073114 CET | 1.1.1.1 | 192.168.2.4 | 0x39c | No error (0) | | | 3.69.83.191 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.4 | 49736 | 3.69.83.191 | 443 | 4268 | C:\Users\user\Desktop\rdD2B4MLXl.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-25 20:39:48 UTC | 581 | OUT | |
2025-02-25 20:39:49 UTC | 303 | IN | |
2025-02-25 20:39:49 UTC | 373 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.4 | 49737 | 3.69.83.191 | 443 | 4268 | C:\Users\user\Desktop\rdD2B4MLXl.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-25 20:40:17 UTC | 614 | OUT | |
2025-02-25 20:40:17 UTC | 303 | IN | |
2025-02-25 20:40:17 UTC | 373 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.4 | 49875 | 3.69.83.191 | 443 | 4268 | C:\Users\user\Desktop\rdD2B4MLXl.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-25 20:40:42 UTC | 614 | OUT | |
2025-02-25 20:40:42 UTC | 303 | IN | |
2025-02-25 20:40:42 UTC | 373 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.4 | 50005 | 3.69.83.191 | 443 | 4268 | C:\Users\user\Desktop\rdD2B4MLXl.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-25 20:41:08 UTC | 614 | OUT | |
2025-02-25 20:41:08 UTC | 303 | IN | |
2025-02-25 20:41:08 UTC | 373 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.4 | 50006 | 3.69.83.191 | 443 | 4268 | C:\Users\user\Desktop\rdD2B4MLXl.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-25 20:41:38 UTC | 614 | OUT | |
2025-02-25 20:41:39 UTC | 303 | IN | |
2025-02-25 20:41:39 UTC | 373 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.4 | 50007 | 3.69.83.191 | 443 | 4268 | C:\Users\user\Desktop\rdD2B4MLXl.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-25 20:42:01 UTC | 614 | OUT | |
2025-02-25 20:42:01 UTC | 303 | IN | |
2025-02-25 20:42:01 UTC | 373 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.4 | 50008 | 3.69.83.191 | 443 | 4268 | C:\Users\user\Desktop\rdD2B4MLXl.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-02-25 20:42:24 UTC | 614 | OUT | |
2025-02-25 20:42:24 UTC | 303 | IN | |
2025-02-25 20:42:24 UTC | 373 | IN |
Target ID: | 0 |
Start time: | 15:39:33 |
Start date: | 25/02/2025 |
Path: | C:\Users\user\Desktop\rdD2B4MLXl.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff60ac30000 |
File size: | 1'884'160 bytes |
MD5 hash: | 11EE9190DE7D96E509B14CD55C5DCDF1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |