Analysis Overview
SHA256
e607e52cb362cdca751c9cf27c91b8f5087649c720d49fd31ee925176107e501
Threat Level: Known bad
The file resemblec2.exe was found to be: Known bad.
Malicious Activity Summary
Orcus family
Orcus
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-13 04:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-13 04:02
Reported
2025-01-13 04:17
Platform
win7-20240903-en
Max time kernel
896s
Max time network
901s
Command Line
Signatures
Orcus
Orcus family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\resemblec2.exe
C:\Users\Admin\AppData\Local\Temp\resemblec2.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resemble.py
C:\Users\Admin\AppData\Local\Temp\idk.exe
"C:\Users\Admin\AppData\Local\Temp\idk.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resemble.py"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
Files
memory/2484-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp
memory/2484-1-0x0000000000DE0000-0x0000000000E8E000-memory.dmp
memory/2484-4-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\idk.exe
| MD5 | c0f4b33fab9864dfebccb1f7621ac76a |
| SHA1 | 9e65684a22bae25570f019366657a83522434590 |
| SHA256 | ce59e3370985a4b7f243de0fb67848bcb223781077dee528e2f4adb8e9d8d656 |
| SHA512 | 6cd5672e2b3615ebb94fb96de29fe1b2cbfa81c1e18080ad6fbb48b25457481e17d8919823970e5bd1e230e2e8c76d379a515551e35bdc10f305d3349ab3cefe |
memory/2484-10-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\resemble.py
| MD5 | 23f1fabaef532d89fcb6d5bb14a36ef3 |
| SHA1 | 679a82ed172d49f298bf07b6fa0de9b6c2ce0046 |
| SHA256 | e4410bc67b1ee8af2df456713b85040917b8cf749fb7d660feeb625b25ec9c51 |
| SHA512 | 96e2baa6ce0220b9ad167b60220c683d5b080a9ba9a2e4d320aae6989f4aa2d241f8078e69bdd2da39a20d9b57ae84240da912d29e5e1db36cc90cf6a0537458 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 9d02a0c762957fabaa9463b762115d2a |
| SHA1 | b35edeb9109258329ea2a821f32ff55215efdf0a |
| SHA256 | 2598a413ec3b6ae90046b88249b2207e9775357081f045b06dcbfc37b5938407 |
| SHA512 | 35c0b389d077ec8beb41ae76694a816cb64ddf2016cb227ef04d3339914f32277416b53014b255159cef8979db1776fff94599ff3664729dcdb8798977a9829c |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-13 04:02
Reported
2025-01-13 04:17
Platform
win10v2004-20241007-en
Max time kernel
888s
Max time network
893s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 316 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | C:\Users\Admin\AppData\Local\Temp\idk.exe |
| PID 316 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | C:\Users\Admin\AppData\Local\Temp\idk.exe |
| PID 316 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | C:\Users\Admin\AppData\Local\Temp\idk.exe |
| PID 4636 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4636 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4636 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\resemblec2.exe
C:\Users\Admin\AppData\Local\Temp\resemblec2.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\idk.exe
"C:\Users\Admin\AppData\Local\Temp\idk.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.68.171.119:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.115.178:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 52.28.247.255:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp |
Files
memory/316-0-0x00007FF8563B3000-0x00007FF8563B5000-memory.dmp
memory/316-1-0x0000000000E90000-0x0000000000F3E000-memory.dmp
memory/316-4-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\idk.exe
| MD5 | c0f4b33fab9864dfebccb1f7621ac76a |
| SHA1 | 9e65684a22bae25570f019366657a83522434590 |
| SHA256 | ce59e3370985a4b7f243de0fb67848bcb223781077dee528e2f4adb8e9d8d656 |
| SHA512 | 6cd5672e2b3615ebb94fb96de29fe1b2cbfa81c1e18080ad6fbb48b25457481e17d8919823970e5bd1e230e2e8c76d379a515551e35bdc10f305d3349ab3cefe |
memory/316-17-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-01-13 04:02
Reported
2025-01-13 04:02
Platform
android-x64-20240910-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-01-13 04:02
Reported
2025-01-13 04:02
Platform
debian9-armhf-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/resemblec2.exe
[/tmp/resemblec2.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-01-13 04:02
Reported
2025-01-13 04:02
Platform
android-x86-arm-20240624-en
Max time network
4s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2025-01-13 04:02
Reported
2025-01-13 04:02
Platform
android-x64-arm64-20240624-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.212.238:443 | tcp | |
| GB | 216.58.212.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2025-01-13 04:02
Reported
2025-01-13 04:02
Platform
macos-20241106-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2025-01-13 04:02
Reported
2025-01-13 04:02
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
0s
Max time network
3s
Command Line
Signatures
Processes
/tmp/resemblec2.exe
[/tmp/resemblec2.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.62:443 | tcp | |
| GB | 185.125.188.61:443 | tcp | |
| US | 151.101.65.91:443 | tcp | |
| US | 1.1.1.1:53 | extensions.gnome.org | udp |
| US | 1.1.1.1:53 | extensions.gnome.org | udp |
| US | 1.1.1.1:53 | ingress.openshift.gnome.org | udp |
| US | 34.237.119.141:443 | extensions.gnome.org | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-01-13 04:02
Reported
2025-01-13 04:02
Platform
debian9-mipsbe-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/resemblec2.exe
[/tmp/resemblec2.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-01-13 04:02
Reported
2025-01-13 04:02
Platform
debian9-mipsel-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/resemblec2.exe
[/tmp/resemblec2.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"]