Windows Analysis Report
uGfpJynSWM

Overview

General Information

Sample Name: uGfpJynSWM (renamed file extension from none to exe)
Analysis ID: 679146
MD5: eb84aeef20ea974bf207dd6df8446567
SHA1: 624a1e8510a1d7f3ff05693c30d724f19aaf5a1a
SHA256: 9f532c8749bc71b3fc723d42f86300ae5a583515817da2aad40c858f163d01f8
Tags: exe
Infos:

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Antivirus detection for URL or domain
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: uGfpJynSWM.exe Virustotal: Detection: 67% Perma Link
Source: uGfpJynSWM.exe Metadefender: Detection: 31% Perma Link
Source: uGfpJynSWM.exe ReversingLabs: Detection: 80%
Antivirus detection for URL or domain
Source: http://45.159.249.4/1474h.dll Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474stem32 Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474N Avira URL Cloud: Label: malware
Source: http://45.159.249.4/=: Avira URL Cloud: Label: malware
Source: https://climatejustice.social/@ffoleg94 Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474 Avira URL Cloud: Label: malware
Source: http://45.159.249.4/147474R Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474b Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474l Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474u Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474x Avira URL Cloud: Label: malware
Source: http://45.159.249.4:80 Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: uGfpJynSWM.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.cvtres.exe.400000.0.unpack Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.3.unpack Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.4.unpack Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.2.unpack Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.1.unpack Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.5.unpack Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": ["https://t.me/korstonsales", "https://climatejustice.social/@ffoleg94"]}
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040B7EC lstrcatA,lstrcatA,lstrcatA,CloseHandle,Sleep,OpenEventA,CreateEventA,lstrcatA,lstrcatA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,Sleep,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,CreateThread,CreateThread,Sleep,Sleep,CloseHandle, 1_2_0040B7EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040E80D _malloc,_memmove,_malloc,CryptUnprotectData,_memmove, 1_2_0040E80D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040E3F0 _memset,lstrlen,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA, 1_2_0040E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040E575 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_0040E575
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040E5CE CryptUnprotectData,LocalAlloc,_memmove,LocalFree, 1_2_0040E5CE
Uses 32bit PE files
Source: uGfpJynSWM.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.86.107.75:443 -> 192.168.2.7:49766 version: TLS 1.2
Source: uGfpJynSWM.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdb source: uGfpJynSWM.exe
Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdbh) source: uGfpJynSWM.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041208D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA, 1_2_0041208D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040C955 lstrcatA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 1_2_0040C955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00411117 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 1_2_00411117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004101E9 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_sprintf,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_004101E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004162AB __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 1_2_004162AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00408B15 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcatA,lstrlen, 1_2_00408B15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041048F wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0041048F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040954D wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,lstrcpy,lstrcatA,lstrcatA,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcatA,PathFindFileNameA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcatA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,FindNextFileA,FindClose, 1_2_0040954D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00411DA6 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,lstrcatA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 1_2_00411DA6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00409ADF lstrcatA,lstrcatA,lstrcatA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 1_2_00409ADF
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_013BE430
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_013BE800
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_013BD728
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_013BD71E

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://t.me/korstonsales
Source: Malware configuration extractor URLs: https://climatejustice.social/@ffoleg94
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CONTABODE CONTABODE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.me
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.social
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=IE12lf0Aiww%2FO2SHgNYf6X8ktxvGiUwFuvpakzTKg55PVj3wQxbOx8QbPNu%2BbA1ljKtplQtfpHSjetQM3MX253iMB2kbLm3xNEhgwBeB%2F1eCW8Wg13ePrm5lWBQfL9FAO02eO7J9l3dW3s6HTqeP4cis2esq7DldbRI0JLHXWe51XjtZNzvE6RX%2BUXAkx0ez6ASRzCFL8XG1b53DHaPoYf9LXuHN45UIQQKGgtGvY8K1mMZsTqoEdXlHxIHPmSknkSeuS38vHUAtiNgsrwJoiv1FJ7nyRHySt6rMdHZwhHdc3ptf6PDZ0wBxvwMpVHuFlqdHAXbX%2FUb%2Bmlizb1luBXM%3D--UaPP34RL8MYYb6Tj--nidR%2BdAjAGmnnhmujvS6WQ%3D%3D
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=3rSSEQhY%2BR%2ByBXGg%2FZ7vjc6lT5LBYSBRTm4v10Vjq3ue%2BjwBExu9w58N8ClT%2Bud5pLw%2FhNpc0ZVmhbGFmRwVbdBlbgslSN94eAItWDOu4CGgiK9jhd3mHMacn3wAdie7Kxd1jN1PXBqcxNNL004FuuBE8ZcXHZ9KeIX6GtzzFfvUtnGWm8ZnLLwl53QYxoy96Xw8%2BDQyXocErXsPhQdIg%2FpxcTsHw5r3GkFxULvXrHFqPB166JKLVDREPTkxqTmFOYedLa6uPEB2T4kW8V44pB5aEoVFQGo6vkNDPnAvIGvofiJ%2FGZzi5%2FYGT7rR2OuS9SAL1tKkIZTobYnVx%2Fquwbo%3D--ciXPLxNa31c7%2FJvd--PL1p0wGZ8YwXdexsQfoBoQ%3D%3D
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=cBV6gswXNvy8Hgb%2BvExlczZjstftQa27zJ%2ByonVRi5vw9q44kYaXOHqqk%2FMhqSyxc2K1n3IXUv4kERfPbDEZOwE6NFx%2BLntMjgu1MWeXu90ji40Xeo7Tz0u9MgjPeSND%2BppXUEiqV%2Bou0NkQvBHoflX27u%2BLD6qQzJ6oEhtEEA7VVKadgTfzBP2a0zRCmF4SsemcSDzT8BNNzs1M%2BIr4CTeavXuTu%2BJCm0uuMkUySIWpjXI2ILBRTS6oqhKWITt4DN8y09XOU2uhmLZARu%2BXQUXiFg8MhEuyus2jpZ3LM2BaLgmhu4lCR67q728X8Wn%2Bl%2FdyVOgV5qfUpjC%2F2Xeeaxs%3D--9MBRf%2FPU0zFwfS96--LxGMiLJEI8rWcXno6EKaag%3D%3D
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=odijTynxlktrze7IgYOSVyYGax6MLuq%2BHgXXNKVkWj0EmP%2BY%2BYajeG%2F8FkitzpankLQzKOs7zUEdBhjbxOzpdZ1RpsOQGZ1AUSKbXvelp9WMXNXnJ654jBiZtol1X4q0pNgUdviAwoWtj%2FRytZuF3icv9tA2rrhSHuj8RNt7upfkwzVVGdrp1OipqNMvxNGxOGsFr55qZoPRd7OunaK4YDlwg%2Bc1dFbtqJ%2FwmLTyaTlwPgipiHfY3D96mosQe3LYewtprF6rsACbNZQUOPaPNuvOAKe1MffUWL9jfeHvRGne%2Frrk4sQKfhRHzSDToiAhNgEMrluTU%2FqXba1%2FBYcmyoU%3D--bxICJGAgGqamQv1Z--NCklHYqUpYEpY8rfNxpO7g%3D%3D
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=G8wdgwz%2FDemSpy0Da1ZLqVdSh5XC%2FhOntkD9%2FioEKONmGFQbKw3ZbiJ4RIMQvyl5QKxN%2FpcDH0nKadQ0yXDwXyz6yqDcLvbVjYrc1VwLIggpvLXohspOLTi9YyRFkDXD1U6%2Fzrzrb4LoA5rAsIFcowDfc23g9dzpYcSLczI6VlHA0lfP8JjHOwarQxEdzM6akhIz0PxsXrVBHQQArBfIyixEHqMzgVy%2FgvPIRcQ2qdVLKMgTPmDwVbQ0%2BqoNguC6M%2F7xjoKMMQknPlrQIslHVR5u8qBY9lIeeNK373jl%2B82kCofXgGW%2BvK4Vwx2GKefGraC9M1B%2Bz7G9H6WpaKFziTw%3D--Ffkg6BiJ3LNw7A7D--YyCOAf66iro8NmL254gNlw%3D%3D
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 167.86.107.75 167.86.107.75
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: unknown TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594536976.0000000004D50000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4/1474
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4/147474R
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4/1474N
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4/1474b
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4/1474h.dll
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4/1474l
Source: cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4/1474stem32
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4/1474u
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4/1474x
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4/=:
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.159.249.4:80
Source: uGfpJynSWM.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: uGfpJynSWM.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: uGfpJynSWM.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: uGfpJynSWM.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: uGfpJynSWM.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340494604.0000000004D0E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341146688.0000000004D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft.c
Source: uGfpJynSWM.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: uGfpJynSWM.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: uGfpJynSWM.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: uGfpJynSWM.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: uGfpJynSWM.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: uGfpJynSWM.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: uGfpJynSWM.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: uGfpJynSWM.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: uGfpJynSWM.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: uGfpJynSWM.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: uGfpJynSWM.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.global
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.rocks
Source: cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social/
Source: cvtres.exe, 00000001.00000003.526458800.0000000004D54000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594549794.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341127759.0000000004D02000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572585218.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594578967.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341146688.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social/avatars/original/missing.png
Source: cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594549794.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526464880.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social/custom.css
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social/tags/gitea"
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social/tags/gitlab"
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social/tags/grunewald"
Source: cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526458800.0000000004D54000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594549794.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341127759.0000000004D02000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572585218.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594578967.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341146688.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social/users/ffoleg94
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social/users/ffoleg94/followers
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social/users/ffoleg94/following
Source: cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://climatejustice.social;
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.joinmastodon.org/
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.joinmastodon.org/client/intro/
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340436007.0000000004D01000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572125764.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.479685777.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.386980069.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://funk.climatejustice.global
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/mastodon/mastodon
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://joinmastodon.org/
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://joinmastodon.org/apps
Source: uGfpJynSWM.exe, 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340436007.0000000004D01000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572125764.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340494604.0000000004D0E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.479685777.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.386980069.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/korstonsales
Source: uGfpJynSWM.exe, 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/korstonsaleshttps://climatejustice.social/
Source: cvtres.exe, 00000001.00000003.340494604.0000000004D0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/korstonsalesi
Source: cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telegram.org/img/t_logo.png
Source: cvtres.exe, 00000001.00000003.386988114.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: uGfpJynSWM.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: t.me
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040A1C1 DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_0040A1C1
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.me
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.social
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=IE12lf0Aiww%2FO2SHgNYf6X8ktxvGiUwFuvpakzTKg55PVj3wQxbOx8QbPNu%2BbA1ljKtplQtfpHSjetQM3MX253iMB2kbLm3xNEhgwBeB%2F1eCW8Wg13ePrm5lWBQfL9FAO02eO7J9l3dW3s6HTqeP4cis2esq7DldbRI0JLHXWe51XjtZNzvE6RX%2BUXAkx0ez6ASRzCFL8XG1b53DHaPoYf9LXuHN45UIQQKGgtGvY8K1mMZsTqoEdXlHxIHPmSknkSeuS38vHUAtiNgsrwJoiv1FJ7nyRHySt6rMdHZwhHdc3ptf6PDZ0wBxvwMpVHuFlqdHAXbX%2FUb%2Bmlizb1luBXM%3D--UaPP34RL8MYYb6Tj--nidR%2BdAjAGmnnhmujvS6WQ%3D%3D
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=3rSSEQhY%2BR%2ByBXGg%2FZ7vjc6lT5LBYSBRTm4v10Vjq3ue%2BjwBExu9w58N8ClT%2Bud5pLw%2FhNpc0ZVmhbGFmRwVbdBlbgslSN94eAItWDOu4CGgiK9jhd3mHMacn3wAdie7Kxd1jN1PXBqcxNNL004FuuBE8ZcXHZ9KeIX6GtzzFfvUtnGWm8ZnLLwl53QYxoy96Xw8%2BDQyXocErXsPhQdIg%2FpxcTsHw5r3GkFxULvXrHFqPB166JKLVDREPTkxqTmFOYedLa6uPEB2T4kW8V44pB5aEoVFQGo6vkNDPnAvIGvofiJ%2FGZzi5%2FYGT7rR2OuS9SAL1tKkIZTobYnVx%2Fquwbo%3D--ciXPLxNa31c7%2FJvd--PL1p0wGZ8YwXdexsQfoBoQ%3D%3D
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=cBV6gswXNvy8Hgb%2BvExlczZjstftQa27zJ%2ByonVRi5vw9q44kYaXOHqqk%2FMhqSyxc2K1n3IXUv4kERfPbDEZOwE6NFx%2BLntMjgu1MWeXu90ji40Xeo7Tz0u9MgjPeSND%2BppXUEiqV%2Bou0NkQvBHoflX27u%2BLD6qQzJ6oEhtEEA7VVKadgTfzBP2a0zRCmF4SsemcSDzT8BNNzs1M%2BIr4CTeavXuTu%2BJCm0uuMkUySIWpjXI2ILBRTS6oqhKWITt4DN8y09XOU2uhmLZARu%2BXQUXiFg8MhEuyus2jpZ3LM2BaLgmhu4lCR67q728X8Wn%2Bl%2FdyVOgV5qfUpjC%2F2Xeeaxs%3D--9MBRf%2FPU0zFwfS96--LxGMiLJEI8rWcXno6EKaag%3D%3D
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=odijTynxlktrze7IgYOSVyYGax6MLuq%2BHgXXNKVkWj0EmP%2BY%2BYajeG%2F8FkitzpankLQzKOs7zUEdBhjbxOzpdZ1RpsOQGZ1AUSKbXvelp9WMXNXnJ654jBiZtol1X4q0pNgUdviAwoWtj%2FRytZuF3icv9tA2rrhSHuj8RNt7upfkwzVVGdrp1OipqNMvxNGxOGsFr55qZoPRd7OunaK4YDlwg%2Bc1dFbtqJ%2FwmLTyaTlwPgipiHfY3D96mosQe3LYewtprF6rsACbNZQUOPaPNuvOAKe1MffUWL9jfeHvRGne%2Frrk4sQKfhRHzSDToiAhNgEMrluTU%2FqXba1%2FBYcmyoU%3D--bxICJGAgGqamQv1Z--NCklHYqUpYEpY8rfNxpO7g%3D%3D
Source: global traffic HTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
Source: global traffic HTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=G8wdgwz%2FDemSpy0Da1ZLqVdSh5XC%2FhOntkD9%2FioEKONmGFQbKw3ZbiJ4RIMQvyl5QKxN%2FpcDH0nKadQ0yXDwXyz6yqDcLvbVjYrc1VwLIggpvLXohspOLTi9YyRFkDXD1U6%2Fzrzrb4LoA5rAsIFcowDfc23g9dzpYcSLczI6VlHA0lfP8JjHOwarQxEdzM6akhIz0PxsXrVBHQQArBfIyixEHqMzgVy%2FgvPIRcQ2qdVLKMgTPmDwVbQ0%2BqoNguC6M%2F7xjoKMMQknPlrQIslHVR5u8qBY9lIeeNK373jl%2B82kCofXgGW%2BvK4Vwx2GKefGraC9M1B%2Bz7G9H6WpaKFziTw%3D--Ffkg6BiJ3LNw7A7D--YyCOAf66iro8NmL254gNlw%3D%3D
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.86.107.75:443 -> 192.168.2.7:49766 version: TLS 1.2
Contains functionality to record screenshots
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004166F5 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 1_2_004166F5
Creates a DirectInput object (often for capturing keystrokes)
Source: uGfpJynSWM.exe, 00000000.00000002.335835109.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Uses 32bit PE files
Source: uGfpJynSWM.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
Detected potential crypto function
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B2550 0_2_013B2550
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B29F0 0_2_013B29F0
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B1C10 0_2_013B1C10
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B0448 0_2_013B0448
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BC88F 0_2_013BC88F
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B9330 0_2_013B9330
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BEB10 0_2_013BEB10
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B2F70 0_2_013B2F70
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BA680 0_2_013BA680
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B3EC0 0_2_013B3EC0
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B5928 0_2_013B5928
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B5918 0_2_013B5918
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B29E0 0_2_013B29E0
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B5C30 0_2_013B5C30
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B5C20 0_2_013B5C20
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B907E 0_2_013B907E
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B90A8 0_2_013B90A8
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B64A8 0_2_013B64A8
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B6498 0_2_013B6498
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BC89C 0_2_013BC89C
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B1088 0_2_013B1088
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B6F31 0_2_013B6F31
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BAB29 0_2_013BAB29
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BAB1A 0_2_013BAB1A
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B6F48 0_2_013B6F48
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B5FD8 0_2_013B5FD8
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B5FC8 0_2_013B5FC8
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B0FC0 0_2_013B0FC0
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B6230 0_2_013B6230
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BCE06 0_2_013BCE06
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BA671 0_2_013BA671
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BCE6A 0_2_013BCE6A
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B6AA9 0_2_013B6AA9
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BAA85 0_2_013BAA85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0042C072 1_2_0042C072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040781A 1_2_0040781A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0042B085 1_2_0042B085
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004320B0 1_2_004320B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0042B8B8 1_2_0042B8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041E960 1_2_0041E960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00419970 1_2_00419970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040593E 1_2_0040593E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040513E 1_2_0040513E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004062D9 1_2_004062D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00431B5F 1_2_00431B5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041BB33 1_2_0041BB33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004334C4 1_2_004334C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0042BC8A 1_2_0042BC8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0042B51A 1_2_0042B51A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040665A 1_2_0040665A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0043160E 1_2_0043160E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041C6DE 1_2_0041C6DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0043278C 1_2_0043278C
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: String function: 0042083E appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: String function: 00403B11 appears 80 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: String function: 00427300 appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: String function: 004207D5 appears 39 times
Sample file is different than original file name gathered from version info
Source: uGfpJynSWM.exe, 00000000.00000002.335835109.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs uGfpJynSWM.exe
Source: uGfpJynSWM.exe, 00000000.00000000.326996035.0000000000884000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVBZXBVZXBNSDMHBDSJ67327632.exeV vs uGfpJynSWM.exe
Source: uGfpJynSWM.exe Binary or memory string: OriginalFilenameVBZXBVZXBNSDMHBDSJ67327632.exeV vs uGfpJynSWM.exe
PE file contains strange resources
Source: uGfpJynSWM.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE / OLE file has an invalid certificate
Source: uGfpJynSWM.exe Static PE information: invalid certificate
Source: uGfpJynSWM.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uGfpJynSWM.exe Virustotal: Detection: 67%
Source: uGfpJynSWM.exe Metadefender: Detection: 31%
Source: uGfpJynSWM.exe ReversingLabs: Detection: 80%
Source: uGfpJynSWM.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\uGfpJynSWM.exe "C:\Users\user\Desktop\uGfpJynSWM.exe"
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uGfpJynSWM.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@2/3
Source: uGfpJynSWM.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00415A22 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32First,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,Process32Next,CloseHandle, 1_2_00415A22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: uGfpJynSWM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: uGfpJynSWM.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: uGfpJynSWM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdb source: uGfpJynSWM.exe
Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdbh) source: uGfpJynSWM.exe
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B131D push ds; iretd 0_2_013B131F
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B123F push ds; iretd 0_2_013B1240
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B127C push ds; iretd 0_2_013B1282
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B126A push ds; iretd 0_2_013B126B
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B1A65 push ss; iretd 0_2_013B1A67
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B1A4E push ss; iretd 0_2_013B1A50
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B12A7 push ds; iretd 0_2_013B12AD
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B1A99 push ss; iretd 0_2_013B1A9A
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B1290 push ds; iretd 0_2_013B1296
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B12ED push ds; iretd 0_2_013B12EF
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B12D6 push ds; iretd 0_2_013B12D8
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013B12C3 push ds; iretd 0_2_013B12C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00420874 push ecx; ret 1_2_00420887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00427345 push ecx; ret 1_2_00427358
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041899F LoadLibraryA,Sleep,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress, 1_2_0041899F
PE file contains an invalid checksum
Source: uGfpJynSWM.exe Static PE information: real checksum: 0x65142 should be: 0x619f4
Source: initial sample Static PE information: section name: .text entropy: 7.888541504684198

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (92).png
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041899F LoadLibraryA,Sleep,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress, 1_2_0041899F
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\uGfpJynSWM.exe TID: 6380 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6396 Thread sleep time: -600000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00414F0E __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,GetSystemInfo, 1_2_00414F0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041208D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA, 1_2_0041208D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040C955 lstrcatA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 1_2_0040C955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00411117 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 1_2_00411117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004101E9 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_sprintf,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_004101E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004162AB __EH_prolog3_GS,FindFirstFileW,FindNextFileW, 1_2_004162AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00408B15 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcatA,lstrlen, 1_2_00408B15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041048F wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0041048F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040954D wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,lstrcpy,lstrcatA,lstrcatA,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcatA,PathFindFileNameA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcatA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,FindNextFileA,FindClose, 1_2_0040954D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00411DA6 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,lstrcatA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 1_2_00411DA6
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00409ADF lstrcatA,lstrcatA,lstrcatA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 1_2_00409ADF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe API call chain: ExitProcess graph end node
Source: uGfpJynSWM.exe, 00000000.00000002.337519094.0000000004070000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.337246414.0000000003F85000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.337026902.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336750642.0000000003D91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %QDHgFSv
Source: uGfpJynSWM.exe, 00000000.00000002.337932491.000000000415B000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.338200749.0000000004223000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336549703.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %uGSvAQDHgFSvAQA
Source: cvtres.exe, 00000001.00000002.594418105.0000000004CF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: uGfpJynSWM.exe, 00000000.00000002.338696445.00000000042EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %uGSvAQDHgFSvAQABAAAAibhYrwEAibhcrwEAibhsrwEAi0QkDIteSIPAKugj0///i0QkDItOSIPABFCLQQToruP//4tGSFnoOun//4tOSImGkAAAADPAObmkrwYAX1t0BbgAAAAFwgQAVYvsUYNl/ABTVleL8L8AQAAA6xuD+/90KFONhpQAAABQi87offn//zvDdSUBXfxXjZ6UAAAA6P/9//+L2IXbddOLRfy
Source: cvtres.exe, 00000001.00000002.594418105.0000000004CF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-USn

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Code function: 0_2_013BE628 CheckRemoteDebuggerPresent, 0_2_013BE628
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00423890 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00423890
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041899F LoadLibraryA,Sleep,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress, 1_2_0041899F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00414C66 __EH_prolog3_GS,GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,HeapAlloc,wsprintfA, 1_2_00414C66
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00423890 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00423890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0041DA9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0041DA9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00428C1D SetUnhandledExceptionFilter, 1_2_00428C1D

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 435000 Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 443000 Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 459000 Jump to behavior
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 48B0008 Jump to behavior
.NET source code references suspicious native API functions
Source: uGfpJynSWM.exe, MJCKVKLUIOR/MJCKVKLUIOR.cs Reference to suspicious API methods: ('\\x08', 'GetProcAddress@kernel32'), ('\t', 'LoadLibraryA@kernel32')
Source: uGfpJynSWM.exe, A/u000f.cs Reference to suspicious API methods: ('\t', 'GetProcAddress@kernel32.dll'), ('\\x1D', 'OpenProcess@kernel32.dll'), ('\\x08', 'GetProcAddress@kernel32.dll'), ('\\x1A', 'GetProcAddress@kernel32.dll'), ('\\x03', 'LoadLibrary@kernel32.dll'), ('\\x18', 'GetProcAddress@kernel32.dll'), ('\\x11', 'GetProcAddress@kernel32.dll'), ('\\x15', 'GetProcAddress@kernel32.dll')
Source: 0.0.uGfpJynSWM.exe.830000.0.unpack, MJCKVKLUIOR/MJCKVKLUIOR.cs Reference to suspicious API methods: ('\\x08', 'GetProcAddress@kernel32'), ('\t', 'LoadLibraryA@kernel32')
Source: 0.0.uGfpJynSWM.exe.830000.0.unpack, A/u000f.cs Reference to suspicious API methods: ('\t', 'GetProcAddress@kernel32.dll'), ('\\x1D', 'OpenProcess@kernel32.dll'), ('\\x08', 'GetProcAddress@kernel32.dll'), ('\\x1A', 'GetProcAddress@kernel32.dll'), ('\\x03', 'LoadLibrary@kernel32.dll'), ('\\x18', 'GetProcAddress@kernel32.dll'), ('\\x11', 'GetProcAddress@kernel32.dll'), ('\\x15', 'GetProcAddress@kernel32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Jump to behavior
Source: uGfpJynSWM.exe, 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Queries volume information: C:\Users\user\Desktop\uGfpJynSWM.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 1_2_0042E8D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_0042A969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree, 1_2_0041593C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_0042E9B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_0042A249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_0042AA5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 1_2_00429283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 1_2_0042AB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 1_2_0042AB05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 1_2_00421BE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_0042AD31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_0042A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_004295ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0042ADF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0042AE58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: GetLocaleInfoA, 1_2_00422ED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 1_2_0042AE94
Source: C:\Users\user\Desktop\uGfpJynSWM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00415890 __EH_prolog3_GS,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 1_2_00415890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_00415890 __EH_prolog3_GS,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 1_2_00415890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_0040BE20 GetUserNameA,ExitProcess, 1_2_0040BE20

Stealing of Sensitive Information
barindex
Yara detected Vidar stealer
Source: Yara match File source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.594144374.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Vidar stealer
Source: Yara match File source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.159.249.4
 unknown Russian Federation
44676 VMAGE-ASRU false
167.86.107.75
 climatejustice.social Germany
51167 CONTABODE true
149.154.167.99
 t.me United Kingdom
62041 TELEGRAMRU false

Contacted Domains

Name IP Active
t.me 149.154.167.99 true
climatejustice.social 167.86.107.75 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://climatejustice.social/@ffoleg94 true
  • Avira URL Cloud: malware
 unknown
https://t.me/korstonsales false
    		high