Edit tour
Windows
Analysis Report
Ro4bYKEVnD.exe
Overview
General Information
| Sample name: | Ro4bYKEVnD.exerenamed because original name is a hash value |
| Original sample name: | 3b364ba7695b8ca0faccb7f3559a7e42.exe |
| Analysis ID: | 1675398 |
| MD5: | 3b364ba7695b8ca0faccb7f3559a7e42 |
| SHA1: | 08a9024a29f6ccb63a21570e3a94f1cd7c5acf76 |
| SHA256: | 00d14c2ab7420b99c6525b077abd2864d6db21053635c59531ef7aa0cd0e600e |
| Tags: | exeOffLoaderuser-abuse_ch |
| Infos: | |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Drops PE files
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Classification
- System is w10x64
Ro4bYKEVnD.exe (PID: 2960 cmdline: "C:\Users\ user\Deskt op\Ro4bYKE VnD.exe" MD5: 3B364BA7695B8CA0FACCB7F3559A7E42) - Ro4bYKEVnD.tmp (PID: 4040 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-EOP TJ.tmp\Ro4 bYKEVnD.tm p" /SL5="$ 2043E,9343 34,844800, C:\Users\u ser\Deskto p\Ro4bYKEV nD.exe" MD5: 4A66BFB87A90F5CE57AE24992CF676C5)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
- • AV Detection
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | JA3 fingerprint: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | String found in binary or memory: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 2 System Owner/User Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 51% | Virustotal | Browse | ||
| 36% | ReversingLabs | Win32.Trojan.Generic |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs | |||
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| battlesummer.icu | 104.21.30.99 | true | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 104.21.30.99 | battlesummer.icu | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1675398 |
| Start date and time: | 2025-04-27 09:52:13 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 5m 29s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 13 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Ro4bYKEVnD.exerenamed because original name is a hash value |
| Original Sample Name: | 3b364ba7695b8ca0faccb7f3559a7e42.exe |
| Detection: | MAL |
| Classification: | mal48.winEXE@3/7@1/1 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, d llhost.exe, SIHClient.exe, Sgr mBroker.exe, conhost.exe, svch ost.exe - Excluded IPs from analysis (wh
itelisted): 184.29.183.29, 172 .202.163.200 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, slscr.update.microsoft.com , ctldl.windowsupdate.com, c.p ki.goog, fe3cr.delivery.mp.mic rosoft.com - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtProtectVirtualMemory calls found. - Report size getting too big, t
oo many NtQueryValueKey calls found.
⊘No simulations
⊘No context
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, PureLog Stealer, zgRAT | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | AsyncRAT, XWorm | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Python Stealer, Blank Grabber, Exela Stealer, Umbral Stealer | Browse |
| ||
| Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| ||
| Get hash | malicious | AgentTesla, GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | Discord Token Stealer | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | GuLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\is-85HPG.tmp\_isetup\_setup64.tmp | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Amadey, CryptOne, LummaC Stealer | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
| Process: | C:\Users\user\AppData\Local\Temp\is-EOPTJ.tmp\Ro4bYKEVnD.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3543383 |
| Entropy (8bit): | 6.522099560567718 |
| Encrypted: | false |
| SSDEEP: | 49152:4uAKxvISKIJhNRQSJ3MhjxIXhEzAWig8l1sXyKFz0ool5+UKL5333TBD:4uAK6XMXhKAWwLsXa0333TV |
| MD5: | 88DD74E56BE69E607B79A3B8CB3A7DCA |
| SHA1: | 3742C9A9403B6FA1490BA1A426ED5BE8C79B6ED5 |
| SHA-256: | D1BE3E4E4A8288F3EF5E1F0AE1C0315F91CDC0FDAE0D341FEC53389852D9574A |
| SHA-512: | 5B9B5B2B0932823E6E7285ED7BB30FDEF84081F1BB441ABE6A0C687EC97B0D15C76BDA8D0E217F2AC9034C7790CB69A2F6FBB255FBE5D7BB4C8A6F4971426578 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-EOPTJ.tmp\Ro4bYKEVnD.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 47001 |
| Entropy (8bit): | 3.9097203460528447 |
| Encrypted: | false |
| SSDEEP: | 384:WzZxgY8eg74F9XA7LBy7sb7IPA1AN9JD/VmzVm9bPIHTvTehH4:WjiI90LBy7s3mXN9tUzVcbYTvKC |
| MD5: | 4BD5790B9F83539F8EF5F547E79460B0 |
| SHA1: | 7606C6B46B4645410A3500EAAFA6AA3EC329F1D0 |
| SHA-256: | 1B5ADE31F5EC154143942E4750432A24675CBDE772D1DD9E893CFFD8E294BB24 |
| SHA-512: | A7B9B1BF458E76E34B049BC6D8C04D297922089E260682A6B330FA88826887C777FB49BEBE7E066686EF693740E94A3375F270455C760922669DF8E2D842E613 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-EOPTJ.tmp\Ro4bYKEVnD.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3543383 |
| Entropy (8bit): | 6.522099560567718 |
| Encrypted: | false |
| SSDEEP: | 49152:4uAKxvISKIJhNRQSJ3MhjxIXhEzAWig8l1sXyKFz0ool5+UKL5333TBD:4uAK6XMXhKAWwLsXa0333TV |
| MD5: | 88DD74E56BE69E607B79A3B8CB3A7DCA |
| SHA1: | 3742C9A9403B6FA1490BA1A426ED5BE8C79B6ED5 |
| SHA-256: | D1BE3E4E4A8288F3EF5E1F0AE1C0315F91CDC0FDAE0D341FEC53389852D9574A |
| SHA-512: | 5B9B5B2B0932823E6E7285ED7BB30FDEF84081F1BB441ABE6A0C687EC97B0D15C76BDA8D0E217F2AC9034C7790CB69A2F6FBB255FBE5D7BB4C8A6F4971426578 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-EOPTJ.tmp\Ro4bYKEVnD.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 6144 |
| Entropy (8bit): | 4.720366600008286 |
| Encrypted: | false |
| SSDEEP: | 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0 |
| MD5: | E4211D6D009757C078A9FAC7FF4F03D4 |
| SHA1: | 019CD56BA687D39D12D4B13991C9A42EA6BA03DA |
| SHA-256: | 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 |
| SHA-512: | 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E |
| Malicious: | false |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | high, very likely benign file |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-EOPTJ.tmp\Ro4bYKEVnD.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2 |
| Entropy (8bit): | 1.0 |
| Encrypted: | false |
| SSDEEP: | 3:+:+ |
| MD5: | 7FA3B767C460B54A2BE4D49030B349C7 |
| SHA1: | FD1286353570C5703799BA76999323B7C7447B06 |
| SHA-256: | 9390298F3FB0C5B160498935D79CB139AEF28E1C47358B4BBBA61862B9C26E59 |
| SHA-512: | 22494AF556A0782623729D0B5A9878F80AA6C21A6F51D346771842D613F51073C3B02FAB211BAFF42FB1998F38B77250DC7A1C71DD98B4B00CAE9620A6102AD7 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\is-EOPTJ.tmp\Ro4bYKEVnD.tmp |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 237568 |
| Entropy (8bit): | 6.42067568634536 |
| Encrypted: | false |
| SSDEEP: | 3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N |
| MD5: | 55C310C0319260D798757557AB3BF636 |
| SHA1: | 0892EB7ED31D8BB20A56C6835990749011A2D8DE |
| SHA-256: | 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED |
| SHA-512: | E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57 |
| Malicious: | false |
| Antivirus: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\Ro4bYKEVnD.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3518976 |
| Entropy (8bit): | 6.534669625234648 |
| Encrypted: | false |
| SSDEEP: | 49152:AuAKxvISKIJhNRQSJ3MhjxIXhEzAWig8l1sXyKFz0ool5+UKL5333TB:AuAK6XMXhKAWwLsXa0333T |
| MD5: | 4A66BFB87A90F5CE57AE24992CF676C5 |
| SHA1: | 51309C6AAAE90F0D8D70A641A90092FE40D34ED0 |
| SHA-256: | D779A9008F8A973DDCD80C1909F1F8C3BDAC4A84BC7C69ED857706E9790F1D03 |
| SHA-512: | BCA74E2FC655FCBC701CDB12758523A00CD6757C151FE298DE8F920640DF82D5486F3CDFEC1284364E6E26B0BE0C05151D982787967380F316AE38F7B151C910 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| File type: | |
| Entropy (8bit): | 7.5696649517575905 |
| TrID: |
|
| File name: | Ro4bYKEVnD.exe |
| File size: | 1'914'433 bytes |
| MD5: | 3b364ba7695b8ca0faccb7f3559a7e42 |
| SHA1: | 08a9024a29f6ccb63a21570e3a94f1cd7c5acf76 |
| SHA256: | 00d14c2ab7420b99c6525b077abd2864d6db21053635c59531ef7aa0cd0e600e |
| SHA512: | e58d3f9de0141acba3145c72baba16ff563e3bc6fe326dff50b5efd8548812c388c0536d5dc4abe1fdc4eabbbc1143e9f5a35f7672118c7ef5d7a27a5afd4606 |
| SSDEEP: | 24576:waE+hTNrCHtLfTfuM7Djr5QpYrao2rupZdH13Nf+YH5JaFMWHIta3+8Fk86Y1olY:0+MRvHrv4Ju+ekQoEcB |
| TLSH: | A795CF23F2CBE03EE05E0B3705B2A15494FBAA256523AD5786ECB49CCF751601E3E647 |
| File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
 | |
| Icon Hash: | 0c0c2d33ceec80aa |
| Entrypoint: | 0x4a7f98 |
| Entrypoint Section: | .itext |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x67AC374C [Wed Feb 12 05:53:16 2025 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 1 |
| File Version Major: | 6 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 40ab50289f7ef5fae60801f88d4541fc |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| add esp, FFFFFFA4h |
| push ebx |
| push esi |
| push edi |
| xor eax, eax |
| mov dword ptr [ebp-3Ch], eax |
| mov dword ptr [ebp-40h], eax |
| mov dword ptr [ebp-5Ch], eax |
| mov dword ptr [ebp-30h], eax |
| mov dword ptr [ebp-38h], eax |
| mov dword ptr [ebp-34h], eax |
| mov dword ptr [ebp-2Ch], eax |
| mov dword ptr [ebp-28h], eax |
| mov dword ptr [ebp-14h], eax |
| mov eax, 004A3274h |
| call 00007F6434B99719h |
| xor eax, eax |
| push ebp |
| push 004A869Dh |
| push dword ptr fs:[eax] |
| mov dword ptr fs:[eax], esp |
| xor edx, edx |
| push ebp |
| push 004A8657h |
| push dword ptr fs:[edx] |
| mov dword ptr fs:[edx], esp |
| mov eax, dword ptr [004B0634h] |
| call 00007F6434C2B44Bh |
| call 00007F6434C2AF9Eh |
| lea edx, dword ptr [ebp-14h] |
| xor eax, eax |
| call 00007F6434C257F8h |
| mov edx, dword ptr [ebp-14h] |
| mov eax, 004B4214h |
| call 00007F6434B937C7h |
| push 00000002h |
| push 00000000h |
| push 00000001h |
| mov ecx, dword ptr [004B4214h] |
| mov dl, 01h |
| mov eax, dword ptr [0049CCF4h] |
| call 00007F6434C26BE7h |
| mov dword ptr [004B4218h], eax |
| xor edx, edx |
| push ebp |
| push 004A8603h |
| push dword ptr fs:[edx] |
| mov dword ptr fs:[edx], esp |
| call 00007F6434C2B4D3h |
| mov dword ptr [004B4220h], eax |
| mov eax, dword ptr [004B4220h] |
| cmp dword ptr [eax+0Ch], 01h |
| jne 00007F6434C319EAh |
| mov eax, dword ptr [004B4220h] |
| mov edx, 00000028h |
| call 00007F6434C27504h |
| mov edx, dword ptr [004B4220h] |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11200 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10d80 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xa56a4 | 0xa5800 | 463e3aaab99b053f2c4a2f67933c8e57 | False | 0.3625687429191843 | data | 6.379407961748755 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0xa7000 | 0x1740 | 0x1800 | aabad89a99811463c0c9e4733f9929f6 | False | 0.5677083333333334 | data | 6.168310852607473 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0xa9000 | 0x3838 | 0x3a00 | 4daf07ad25de9a5fbce0e8bfa5bebf31 | False | 0.3537176724137931 | data | 4.9726577614511855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0xad000 | 0x7278 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xba000 | 0x10d80 | 0x10e00 | 8871bb651f0d9a00a939ad4155039605 | False | 0.5829861111111111 | data | 6.713549988072992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xcb000 | 0x11200 | 0x11200 | 1cad866f2579ff5d81649f04eb5e2586 | False | 0.1858747718978102 | data | 3.705099132450798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925 |
| RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268 |
| RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547 |
| RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863 |
| RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095 |
| RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516 |
| RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838 |
| RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341 |
| RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024 |
| RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642 |
| RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834 |
| RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103 |
| RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532 |
| RT_STRING | 0xd8e00 | 0x3f8 | data | 0.3198818897637795 | ||
| RT_STRING | 0xd91f8 | 0x2dc | data | 0.36475409836065575 | ||
| RT_STRING | 0xd94d4 | 0x430 | data | 0.40578358208955223 | ||
| RT_STRING | 0xd9904 | 0x44c | data | 0.38636363636363635 | ||
| RT_STRING | 0xd9d50 | 0x2d4 | data | 0.39226519337016574 | ||
| RT_STRING | 0xda024 | 0xb8 | data | 0.6467391304347826 | ||
| RT_STRING | 0xda0dc | 0x9c | data | 0.6410256410256411 | ||
| RT_STRING | 0xda178 | 0x374 | data | 0.4230769230769231 | ||
| RT_STRING | 0xda4ec | 0x398 | data | 0.3358695652173913 | ||
| RT_STRING | 0xda884 | 0x368 | data | 0.3795871559633027 | ||
| RT_STRING | 0xdabec | 0x2a4 | data | 0.4275147928994083 | ||
| RT_RCDATA | 0xdae90 | 0x10 | data | 1.5 | ||
| RT_RCDATA | 0xdaea0 | 0x354 | data | 0.5586854460093896 | ||
| RT_RCDATA | 0xdb1f4 | 0x2c | data | 1.1818181818181819 | ||
| RT_GROUP_ICON | 0xdb220 | 0xbc | data | English | United States | 0.6170212765957447 |
| RT_VERSION | 0xdb2dc | 0x584 | data | English | United States | 0.2613314447592068 |
| RT_MANIFEST | 0xdb860 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163 |
| DLL | Import |
|---|---|
| kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale |
| comctl32.dll | InitCommonControls |
| user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW |
| oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate |
| advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey |
| Name | Ordinal | Address |
|---|---|---|
| __dbk_fcall_wrapper | 2 | 0x40fc10 |
| dbkFCallWrapperAddr | 1 | 0x4b063c |
| Description | Data |
|---|---|
| Comments | This installation was built with Inno Setup. |
| CompanyName | |
| FileDescription | Kiddion Modest Menu.exe Setup |
| FileVersion | 1.0.0.0 |
| LegalCopyright | Kiddion Modest Menu.exe |
| OriginalFileName | |
| ProductName | Kiddion Modest Menu.exe |
| ProductVersion | 1.0.0.0 |
| Translation | 0x0000 0x04b0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeDownload Network PCAP: filtered – full
- Total Packets: 22
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 27, 2025 09:53:13.556087971 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:13.556138039 CEST | 443 | 49687 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:13.556233883 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:13.597615957 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:13.597632885 CEST | 443 | 49687 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:13.890146971 CEST | 443 | 49687 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:13.890259981 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:13.944462061 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:13.944483042 CEST | 443 | 49687 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:13.945108891 CEST | 443 | 49687 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:13.945188999 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:13.947810888 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:13.988274097 CEST | 443 | 49687 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:14.911812067 CEST | 443 | 49687 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:14.911874056 CEST | 443 | 49687 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:14.911879063 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:14.911916971 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:14.913628101 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:14.913651943 CEST | 443 | 49687 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:14.913662910 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:14.913702965 CEST | 49687 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:14.915987968 CEST | 49688 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:14.916028023 CEST | 443 | 49688 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:14.916110039 CEST | 49688 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:14.916434050 CEST | 49688 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:14.916449070 CEST | 443 | 49688 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:15.203181982 CEST | 443 | 49688 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:15.203252077 CEST | 49688 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:15.203839064 CEST | 49688 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:15.203849077 CEST | 443 | 49688 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:15.204673052 CEST | 49688 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:15.204679012 CEST | 443 | 49688 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:16.244218111 CEST | 443 | 49688 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:16.244311094 CEST | 443 | 49688 | 104.21.30.99 | 192.168.2.6 |
| Apr 27, 2025 09:53:16.244350910 CEST | 49688 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:16.244663000 CEST | 49688 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:16.244904041 CEST | 49688 | 443 | 192.168.2.6 | 104.21.30.99 |
| Apr 27, 2025 09:53:16.244919062 CEST | 443 | 49688 | 104.21.30.99 | 192.168.2.6 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 27, 2025 09:53:13.345904112 CEST | 65493 | 53 | 192.168.2.6 | 1.1.1.1 |
| Apr 27, 2025 09:53:13.546075106 CEST | 53 | 65493 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 27, 2025 09:53:13.345904112 CEST | 192.168.2.6 | 1.1.1.1 | 0x1bcb | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 27, 2025 09:53:13.546075106 CEST | 1.1.1.1 | 192.168.2.6 | 0x1bcb | No error (0) | 104.21.30.99 | A (IP address) | IN (0x0001) | false | ||
| Apr 27, 2025 09:53:13.546075106 CEST | 1.1.1.1 | 192.168.2.6 | 0x1bcb | No error (0) | 172.67.172.186 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49687 | 104.21.30.99 | 443 | 4040 | C:\Users\user\AppData\Local\Temp\is-EOPTJ.tmp\Ro4bYKEVnD.tmp |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-04-27 07:53:13 UTC | 210 | OUT | |
| 2025-04-27 07:53:14 UTC | 252 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49688 | 104.21.30.99 | 443 | 4040 | C:\Users\user\AppData\Local\Temp\is-EOPTJ.tmp\Ro4bYKEVnD.tmp |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2025-04-27 07:53:15 UTC | 209 | OUT | |
| 2025-04-27 07:53:16 UTC | 252 | IN | |
| 2025-04-27 07:53:16 UTC | 2 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 03:53:05 |
| Start date: | 27/04/2025 |
| Path: | C:\Users\user\Desktop\Ro4bYKEVnD.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1e0000 |
| File size: | 1'914'433 bytes |
| MD5 hash: | 3B364BA7695B8CA0FACCB7F3559A7E42 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 03:53:05 |
| Start date: | 27/04/2025 |
| Path: | C:\Users\user\AppData\Local\Temp\is-EOPTJ.tmp\Ro4bYKEVnD.tmp |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xd90000 |
| File size: | 3'518'976 bytes |
| MD5 hash: | 4A66BFB87A90F5CE57AE24992CF676C5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | Borland Delphi |
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
⊘No disassembly
