
Windows Analysis Report
uGfpJynSWM

Overview

General Information

Sample Name: uGfpJynSWM (renamed file extension from none to exe)
Analysis ID: 679146
MD5: eb84aeef20ea974bf207dd6df8446567
SHA1: 624a1e8510a1d7f3ff05693c30d724f19aaf5a1a
SHA256: 9f532c8749bc71b3fc723d42f86300ae5a583515817da2aad40c858f163d01f8
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Antivirus detection for URL or domain
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • uGfpJynSWM.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\uGfpJynSWM.exe" MD5: EB84AEEF20EA974BF207DD6DF8446567)
    • cvtres.exe (PID: 6392 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
{"C2 url": ["https://t.me/korstonsales", "https://climatejustice.social/@ffoleg94"]}
Source | Rule | Description | Author | Strings
00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Vidar_114258d5 | unknown | unknown
  • 0xcae6:$a2: *wallet*.dat
  • 0xcd09:$b1: CC\%s_%s.txt
  • 0xcd51:$b2: History\%s_%s.txt
  • 0xcd39:$b3: Autofill\%s_%s.txt
00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Vidar_114258d5 | unknown | unknown
  • 0x3ee76:$a2: *wallet*.dat
  • 0x3f099:$b1: CC\%s_%s.txt
  • 0x3f0e1:$b2: History\%s_%s.txt
  • 0x3f0c9:$b3: Autofill\%s_%s.txt
00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.uGfpJynSWM.exe.3be5530.2.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.uGfpJynSWM.exe.3be5530.2.unpack | Windows_Trojan_Vidar_114258d5 | unknown | unknown
  • 0x3d676:$a2: *wallet*.dat
  • 0x3d899:$b1: CC\%s_%s.txt
  • 0x3d8e1:$b2: History\%s_%s.txt
  • 0x3d8c9:$b3: Autofill\%s_%s.txt
1.0.cvtres.exe.400000.3.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
1.0.cvtres.exe.400000.3.raw.unpack | Windows_Trojan_Vidar_114258d5 | unknown | unknown
  • 0x3ee76:$a2: *wallet*.dat
  • 0x3f099:$b1: CC\%s_%s.txt
  • 0x3f0e1:$b2: History\%s_%s.txt
  • 0x3f0c9:$b3: Autofill\%s_%s.txt
1.0.cvtres.exe.400000.4.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

No Sigma rule has matched
No Snort rule has matched


              AV Detection

Source: uGfpJynSWM.exe | Virustotal: Detection: 67%
Source: uGfpJynSWM.exe | Metadefender: Detection: 31%
Source: uGfpJynSWM.exe | ReversingLabs: Detection: 80%
Source: http://45.159.249.4/1474h.dll | Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474stem32 | Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474N | Avira URL Cloud: Label: malware
Source: http://45.159.249.4/=: | Avira URL Cloud: Label: malware
Source: https://climatejustice.social/@ffoleg94 | Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474 | Avira URL Cloud: Label: malware
Source: http://45.159.249.4/147474R | Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474b | Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474l | Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474u | Avira URL Cloud: Label: malware
Source: http://45.159.249.4/1474x | Avira URL Cloud: Label: malware
Source: http://45.159.249.4:80 | Avira URL Cloud: Label: malware
Source: uGfpJynSWM.exe | Joe Sandbox ML: detected
Source: 1.0.cvtres.exe.400000.0.unpack | Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.3.unpack | Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.4.unpack | Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.2.unpack | Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.1.unpack | Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.5.unpack | Avira: Label: TR/AD.GenSteal.nsaqr
Source: 1.0.cvtres.exe.400000.0.unpack | Malware Configuration Extractor: Vidar {"C2 url": ["https://t.me/korstonsales", "https://climatejustice.social/@ffoleg94"]}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_0040B7EC lstrcatA,lstrcatA,lstrcatA,CloseHandle,Sleep,OpenEventA,CreateEventA,lstrcatA,lstrcatA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,Sleep,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,CreateThread,CreateThread,Sleep,Sleep,CloseHandle,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_0040E80D _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_0040E3F0 _memset,lstrlen,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_0040E575 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_0040E5CE CryptUnprotectData,LocalAlloc,_memmove,LocalFree,
Source: uGfpJynSWM.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 167.86.107.75:443 -> 192.168.2.7:49766 version: TLS 1.2
Source: uGfpJynSWM.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdb source: uGfpJynSWM.exe
Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdbh) source: uGfpJynSWM.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_0041208D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_0040C955 lstrcatA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_00411117 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_004101E9 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_sprintf,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_004162AB __EH_prolog3_GS,FindFirstFileW,FindNextFileW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_00408B15 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcatA,lstrlen,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_0041048F wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_0040954D wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,lstrcpy,lstrcatA,lstrcatA,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcatA,PathFindFileNameA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcatA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_00411DA6 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,lstrcatA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 1_2_00409ADF lstrcatA,lstrcatA,lstrcatA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,
Source: C:\Users\user\Desktop\uGfpJynSWM.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

              Networking

Source: Malware configuration extractor | URLs: https://t.me/korstonsales
Source: Malware configuration extractor | URLs: https://climatejustice.social/@ffoleg94
Source: Joe Sandbox View | ASN Name: CONTABODE CONTABODE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /korstonsales HTTP/1.1 Host: t.me
Source: global traffic | HTTP traffic detected: GET /@ffoleg94 HTTP/1.1 Host: climatejustice.social
Source: Joe Sandbox View | IP Address: 167.86.107.75
Source: Joe Sandbox View | IP Address: 149.154.167.99
Source: unknown | TCP traffic detected without corresponding DNS query: 45.159.249.4
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594536976.0000000004D50000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4/1474
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4/147474R
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4/1474N
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4/1474b
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4/1474h.dll
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4/1474l
Source: cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4/1474stem32
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4/1474u
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4/1474x
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4/=:
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.159.249.4:80
Source: uGfpJynSWM.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: uGfpJynSWM.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: uGfpJynSWM.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: uGfpJynSWM.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: uGfpJynSWM.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340494604.0000000004D0E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341146688.0000000004D09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.c
Source: uGfpJynSWM.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: uGfpJynSWM.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: uGfpJynSWM.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: uGfpJynSWM.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: uGfpJynSWM.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: uGfpJynSWM.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: uGfpJynSWM.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: uGfpJynSWM.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: uGfpJynSWM.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: uGfpJynSWM.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: uGfpJynSWM.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.global
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.rocks
Source: cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social/
Source: cvtres.exe, 00000001.00000003.526458800.0000000004D54000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594549794.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341127759.0000000004D02000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572585218.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594578967.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341146688.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social/avatars/original/missing.png
Source: cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594549794.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526464880.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social/custom.css
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social/tags/gitea"
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social/tags/gitlab"
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social/tags/grunewald"
Source: cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526458800.0000000004D54000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594549794.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341127759.0000000004D02000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572585218.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594578967.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341146688.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social/users/ffoleg94
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social/users/ffoleg94/followers
Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social/users/ffoleg94/following
Source: cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://climatejustice.social;
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.joinmastodon.org/
Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.joinmastodon.org/client/intro/
              Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340436007.0000000004D01000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572125764.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.479685777.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.386980069.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
              Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://funk.climatejustice.global
              Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mastodon/mastodon
              Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://joinmastodon.org/
              Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://joinmastodon.org/apps
              Source: uGfpJynSWM.exe, 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340436007.0000000004D01000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572125764.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340494604.0000000004D0E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.479685777.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.386980069.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/korstonsales
              Source: uGfpJynSWM.exe, 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/korstonsaleshttps://climatejustice.social/
              Source: cvtres.exe, 00000001.00000003.340494604.0000000004D0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/korstonsalesi
              Source: cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.org/img/t_logo.png
              Source: cvtres.exe, 00000001.00000003.386988114.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
              Source: uGfpJynSWM.exeString found in binary or memory: https://www.digicert.com/CPS0
              Source: unknownDNS traffic detected: queries for: t.me
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040A1C1 DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
              Source: global trafficHTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.me
              Source: global trafficHTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.social
              Source: global trafficHTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
              Source: global trafficHTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=IE12lf0Aiww%2FO2SHgNYf6X8ktxvGiUwFuvpakzTKg55PVj3wQxbOx8QbPNu%2BbA1ljKtplQtfpHSjetQM3MX253iMB2kbLm3xNEhgwBeB%2F1eCW8Wg13ePrm5lWBQfL9FAO02eO7J9l3dW3s6HTqeP4cis2esq7DldbRI0JLHXWe51XjtZNzvE6RX%2BUXAkx0ez6ASRzCFL8XG1b53DHaPoYf9LXuHN45UIQQKGgtGvY8K1mMZsTqoEdXlHxIHPmSknkSeuS38vHUAtiNgsrwJoiv1FJ7nyRHySt6rMdHZwhHdc3ptf6PDZ0wBxvwMpVHuFlqdHAXbX%2FUb%2Bmlizb1luBXM%3D--UaPP34RL8MYYb6Tj--nidR%2BdAjAGmnnhmujvS6WQ%3D%3D
              Source: global trafficHTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
              Source: global trafficHTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=3rSSEQhY%2BR%2ByBXGg%2FZ7vjc6lT5LBYSBRTm4v10Vjq3ue%2BjwBExu9w58N8ClT%2Bud5pLw%2FhNpc0ZVmhbGFmRwVbdBlbgslSN94eAItWDOu4CGgiK9jhd3mHMacn3wAdie7Kxd1jN1PXBqcxNNL004FuuBE8ZcXHZ9KeIX6GtzzFfvUtnGWm8ZnLLwl53QYxoy96Xw8%2BDQyXocErXsPhQdIg%2FpxcTsHw5r3GkFxULvXrHFqPB166JKLVDREPTkxqTmFOYedLa6uPEB2T4kW8V44pB5aEoVFQGo6vkNDPnAvIGvofiJ%2FGZzi5%2FYGT7rR2OuS9SAL1tKkIZTobYnVx%2Fquwbo%3D--ciXPLxNa31c7%2FJvd--PL1p0wGZ8YwXdexsQfoBoQ%3D%3D
              Source: global trafficHTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
              Source: global trafficHTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=cBV6gswXNvy8Hgb%2BvExlczZjstftQa27zJ%2ByonVRi5vw9q44kYaXOHqqk%2FMhqSyxc2K1n3IXUv4kERfPbDEZOwE6NFx%2BLntMjgu1MWeXu90ji40Xeo7Tz0u9MgjPeSND%2BppXUEiqV%2Bou0NkQvBHoflX27u%2BLD6qQzJ6oEhtEEA7VVKadgTfzBP2a0zRCmF4SsemcSDzT8BNNzs1M%2BIr4CTeavXuTu%2BJCm0uuMkUySIWpjXI2ILBRTS6oqhKWITt4DN8y09XOU2uhmLZARu%2BXQUXiFg8MhEuyus2jpZ3LM2BaLgmhu4lCR67q728X8Wn%2Bl%2FdyVOgV5qfUpjC%2F2Xeeaxs%3D--9MBRf%2FPU0zFwfS96--LxGMiLJEI8rWcXno6EKaag%3D%3D
              Source: global trafficHTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
              Source: global trafficHTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=odijTynxlktrze7IgYOSVyYGax6MLuq%2BHgXXNKVkWj0EmP%2BY%2BYajeG%2F8FkitzpankLQzKOs7zUEdBhjbxOzpdZ1RpsOQGZ1AUSKbXvelp9WMXNXnJ654jBiZtol1X4q0pNgUdviAwoWtj%2FRytZuF3icv9tA2rrhSHuj8RNt7upfkwzVVGdrp1OipqNMvxNGxOGsFr55qZoPRd7OunaK4YDlwg%2Bc1dFbtqJ%2FwmLTyaTlwPgipiHfY3D96mosQe3LYewtprF6rsACbNZQUOPaPNuvOAKe1MffUWL9jfeHvRGne%2Frrk4sQKfhRHzSDToiAhNgEMrluTU%2FqXba1%2FBYcmyoU%3D--bxICJGAgGqamQv1Z--NCklHYqUpYEpY8rfNxpO7g%3D%3D
              Source: global trafficHTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.meCookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
              Source: global trafficHTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.socialCookie: _mastodon_session=G8wdgwz%2FDemSpy0Da1ZLqVdSh5XC%2FhOntkD9%2FioEKONmGFQbKw3ZbiJ4RIMQvyl5QKxN%2FpcDH0nKadQ0yXDwXyz6yqDcLvbVjYrc1VwLIggpvLXohspOLTi9YyRFkDXD1U6%2Fzrzrb4LoA5rAsIFcowDfc23g9dzpYcSLczI6VlHA0lfP8JjHOwarQxEdzM6akhIz0PxsXrVBHQQArBfIyixEHqMzgVy%2FgvPIRcQ2qdVLKMgTPmDwVbQ0%2BqoNguC6M%2F7xjoKMMQknPlrQIslHVR5u8qBY9lIeeNK373jl%2B82kCofXgGW%2BvK4Vwx2GKefGraC9M1B%2Bz7G9H6WpaKFziTw%3D--Ffkg6BiJ3LNw7A7D--YyCOAf66iro8NmL254gNlw%3D%3D
              Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49765 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 167.86.107.75:443 -> 192.168.2.7:49766 version: TLS 1.2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_004166F5 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,
              Source: uGfpJynSWM.exe, 00000000.00000002.335835109.0000000000EE9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary

              Source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTRMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTRMatched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: uGfpJynSWM.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTRMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTRMatched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B2550
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B29F0
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B1C10
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B0448
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BC88F
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B9330
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BEB10
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B2F70
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BA680
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B3EC0
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B5928
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B5918
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B29E0
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B5C30
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B5C20
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B907E
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B90A8
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B64A8
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B6498
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BC89C
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B1088
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B6F31
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BAB29
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BAB1A
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B6F48
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B5FD8
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B5FC8
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B0FC0
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B6230
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BCE06
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BA671
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BCE6A
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B6AA9
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BAA85
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0042C072
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040781A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0042B085
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_004320B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0042B8B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041E960
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00419970
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040593E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040513E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_004062D9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00431B5F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041BB33
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_004334C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0042BC8A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0042B51A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040665A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0043160E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041C6DE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0043278C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: String function: 0042083E appears 34 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: String function: 00403B11 appears 80 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: String function: 00427300 appears 47 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: String function: 004207D5 appears 39 times
              Source: uGfpJynSWM.exe, 00000000.00000002.335835109.0000000000EE9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs uGfpJynSWM.exe
              Source: uGfpJynSWM.exe, 00000000.00000000.326996035.0000000000884000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVBZXBVZXBNSDMHBDSJ67327632.exeV vs uGfpJynSWM.exe
              Source: uGfpJynSWM.exeBinary or memory string: OriginalFilenameVBZXBVZXBNSDMHBDSJ67327632.exeV vs uGfpJynSWM.exe
              Source: uGfpJynSWM.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: uGfpJynSWM.exeStatic PE information: invalid certificate
              Source: uGfpJynSWM.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: uGfpJynSWM.exeVirustotal: Detection: 67%
              Source: uGfpJynSWM.exeMetadefender: Detection: 31%
              Source: uGfpJynSWM.exeReversingLabs: Detection: 80%
              Source: uGfpJynSWM.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\uGfpJynSWM.exe "C:\Users\user\Desktop\uGfpJynSWM.exe"
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uGfpJynSWM.exe.log
              Source: classification engineClassification label: mal100.troj.evad.winEXE@3/1@2/3
              Source: uGfpJynSWM.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00415A22 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32First,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,Process32Next,CloseHandle,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: uGfpJynSWM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: uGfpJynSWM.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: uGfpJynSWM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdb source: uGfpJynSWM.exe
              Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdbh) source: uGfpJynSWM.exe
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B131D push ds; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B123F push ds; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B127C push ds; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B126A push ds; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B1A65 push ss; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B1A4E push ss; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B12A7 push ds; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B1A99 push ss; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B1290 push ds; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B12ED push ds; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B12D6 push ds; iretd
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B12C3 push ds; iretd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00420874 push ecx; ret
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00427345 push ecx; ret
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041899F LoadLibraryA,Sleep,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,
              Source: uGfpJynSWM.exeStatic PE information: real checksum: 0x65142 should be: 0x619f4
              Source: initial sampleStatic PE information: section name: .text entropy: 7.888541504684198

              Hooking and other Techniques for Hiding and Protection

              Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (92).png
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041899F LoadLibraryA,Sleep,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exe TID: 6380Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6396Thread sleep time: -600000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00414F0E __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,GetSystemInfo,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041208D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040C955 lstrcatA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00411117 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,FindNextFileA,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_004101E9 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_sprintf,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_004162AB __EH_prolog3_GS,FindFirstFileW,FindNextFileW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00408B15 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcatA,lstrlen,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041048F wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040954D wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,lstrcpy,lstrcatA,lstrcatA,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcatA,PathFindFileNameA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcatA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,FindNextFileA,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00411DA6 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,lstrcatA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 120000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00409ADF lstrcatA,lstrcatA,lstrcatA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeAPI call chain: ExitProcess graph end node
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeAPI call chain: ExitProcess graph end node
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeAPI call chain: ExitProcess graph end node
              Source: uGfpJynSWM.exe, 00000000.00000002.337519094.0000000004070000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.337246414.0000000003F85000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.337026902.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336750642.0000000003D91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %QDHgFSv
              Source: uGfpJynSWM.exe, 00000000.00000002.337932491.000000000415B000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.338200749.0000000004223000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336549703.0000000003CC5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %uGSvAQDHgFSvAQA
              Source: cvtres.exe, 00000001.00000002.594418105.0000000004CF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: uGfpJynSWM.exe, 00000000.00000002.338696445.00000000042EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %uGSvAQDHgFSvAQABAAAAibhYrwEAibhcrwEAibhsrwEAi0QkDIteSIPAKugj0///i0QkDItOSIPABFCLQQToruP//4tGSFnoOun//4tOSImGkAAAADPAObmkrwYAX1t0BbgAAAAFwgQAVYvsUYNl/ABTVleL8L8AQAAA6xuD+/90KFONhpQAAABQi87offn//zvDdSUBXfxXjZ6UAAAA6P/9//+L2IXbddOLRfy
              Source: cvtres.exe, 00000001.00000002.594418105.0000000004CF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-USn

              Anti Debugging

              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BE628 CheckRemoteDebuggerPresent,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00423890 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041899F LoadLibraryA,Sleep,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00414C66 __EH_prolog3_GS,GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,HeapAlloc,wsprintfA,
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory allocated: page read and write | page guard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00423890 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041DA9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00428C1D SetUnhandledExceptionFilter,

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 401000
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 435000
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 443000
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 459000
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 48B0008
              Source: uGfpJynSWM.exe, MJCKVKLUIOR/MJCKVKLUIOR.csReference to suspicious API methods: ('\\x08', 'GetProcAddress@kernel32'), ('\t', 'LoadLibraryA@kernel32')
              Source: uGfpJynSWM.exe, A/u000f.csReference to suspicious API methods: ('\t', 'GetProcAddress@kernel32.dll'), ('\\x1D', 'OpenProcess@kernel32.dll'), ('\\x08', 'GetProcAddress@kernel32.dll'), ('\\x1A', 'GetProcAddress@kernel32.dll'), ('\\x03', 'LoadLibrary@kernel32.dll'), ('\\x18', 'GetProcAddress@kernel32.dll'), ('\\x11', 'GetProcAddress@kernel32.dll'), ('\\x15', 'GetProcAddress@kernel32.dll')
              Source: 0.0.uGfpJynSWM.exe.830000.0.unpack, MJCKVKLUIOR/MJCKVKLUIOR.csReference to suspicious API methods: ('\\x08', 'GetProcAddress@kernel32'), ('\t', 'LoadLibraryA@kernel32')
              Source: 0.0.uGfpJynSWM.exe.830000.0.unpack, A/u000f.csReference to suspicious API methods: ('\t', 'GetProcAddress@kernel32.dll'), ('\\x1D', 'OpenProcess@kernel32.dll'), ('\\x08', 'GetProcAddress@kernel32.dll'), ('\\x1A', 'GetProcAddress@kernel32.dll'), ('\\x03', 'LoadLibrary@kernel32.dll'), ('\\x18', 'GetProcAddress@kernel32.dll'), ('\\x11', 'GetProcAddress@kernel32.dll'), ('\\x15', 'GetProcAddress@kernel32.dll')
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              Source: uGfpJynSWM.exe, 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Progman
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeQueries volume information: C:\Users\user\Desktop\uGfpJynSWM.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: GetLocaleInfoA,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00415890 __EH_prolog3_GS,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00415890 __EH_prolog3_GS,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040BE20 GetUserNameA,ExitProcess,

              Stealing of Sensitive Information

              Source: Yara matchFile source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTR
              Source: Yara matchFile source: 00000001.00000002.594144374.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: Yara matchFile source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTR
MITRE ATT&CK matrix, techniques grouped by tactic column. A number in parentheses is the count the report displays beside that technique; techniques without a number carry no count in the report.
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Native API (11), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Privilege Escalation: Process Injection (312), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (312), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (3), Indicator Removal from Tools, Masquerading
Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2), Security Software Discovery (131), Virtualization/Sandbox Evasion (31), Process Discovery (2), Account Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1), File and Directory Discovery (2), System Information Discovery (24)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
Collection: Screen Capture (1), Input Capture (1), Archive Collected Data (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (21), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (13), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

Source | Detection | Scanner | Label
uGfpJynSWM.exe | 68% | Virustotal |
uGfpJynSWM.exe | 31% | Metadefender |
uGfpJynSWM.exe | 81% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
uGfpJynSWM.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
Source | Detection | Scanner | Label
1.0.cvtres.exe.400000.0.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
1.0.cvtres.exe.400000.3.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
1.0.cvtres.exe.400000.4.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
0.2.uGfpJynSWM.exe.3be5530.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.cvtres.exe.400000.2.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
1.0.cvtres.exe.400000.1.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
1.0.cvtres.exe.400000.5.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
              No Antivirus matches
Source | Detection | Scanner | Label
https://climatejustice.social; | 0% | Avira URL Cloud | safe
https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social | 0% | Avira URL Cloud | safe
http://45.159.249.4/1474h.dll | 100% | Avira URL Cloud | malware
http://45.159.249.4/1474stem32 | 100% | Avira URL Cloud | malware
https://climatejustice.social | 0% | Avira URL Cloud | safe
http://45.159.249.4/1474N | 100% | Avira URL Cloud | malware
http://45.159.249.4/=: | 100% | Avira URL Cloud | malware
https://funk.climatejustice.global | 0% | Avira URL Cloud | safe
https://climatejustice.social/@ffoleg94 | 100% | Avira URL Cloud | malware
https://climatejustice.social/users/ffoleg94/followers | 0% | Avira URL Cloud | safe
http://45.159.249.4/1474 | 100% | Avira URL Cloud | malware
http://45.159.249.4/147474R | 100% | Avira URL Cloud | malware
http://45.159.249.4/1474b | 100% | Avira URL Cloud | malware
https://climatejustice.social/users/ffoleg94/following | 0% | Avira URL Cloud | safe
https://climatejustice.social/custom.css | 0% | Avira URL Cloud | safe
http://45.159.249.4/1474l | 100% | Avira URL Cloud | malware
https://climatejustice.social/tags/grunewald" | 0% | Avira URL Cloud | safe
https://climatejustice.rocks | 0% | Avira URL Cloud | safe
http://45.159.249.4/1474u | 100% | Avira URL Cloud | malware
https://climatejustice.social/avatars/original/missing.png | 0% | Avira URL Cloud | safe
https://climatejustice.social/tags/gitlab" | 0% | Avira URL Cloud | safe
https://climatejustice.social/users/ffoleg94 | 0% | Avira URL Cloud | safe
http://crl.microsoft.c | 0% | Avira URL Cloud | safe
https://climatejustice.social/tags/gitea" | 0% | Avira URL Cloud | safe
https://climatejustice.social/ | 0% | Avira URL Cloud | safe
http://45.159.249.4/1474x | 100% | Avira URL Cloud | malware
https://climatejustice.global | 0% | Avira URL Cloud | safe
http://45.159.249.4:80 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
t.me | 149.154.167.99 | true | false | | high
climatejustice.social | 167.86.107.75 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://climatejustice.social/@ffoleg94 | true | Avira URL Cloud: malware | unknown
https://t.me/korstonsales | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
Name: https://climatejustice.social;
  Source: cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: low
Name: https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social
  Source: cvtres.exe, 00000001.00000003.526458800.0000000004D54000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594549794.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341127759.0000000004D02000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572585218.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594578967.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341146688.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://45.159.249.4/1474h.dll
  Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://web.telegram.org
  Source: cvtres.exe, 00000001.00000003.386988114.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high
Name: http://45.159.249.4/1474stem32
  Source: cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://climatejustice.social
  Source: cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://45.159.249.4/1474N
  Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://telegram.org/img/t_logo.png
  Source: cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high
Name: http://45.159.249.4/=:
  Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://funk.climatejustice.global
  Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://t.me/korstonsaleshttps://climatejustice.social/
  Source: uGfpJynSWM.exe, 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high
Name: https://climatejustice.social/users/ffoleg94/followers
  Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://45.159.249.4/1474
  Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594536976.0000000004D50000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: http://45.159.249.4/147474R
  Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: http://45.159.249.4/1474b
  Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://github.com/mastodon/mastodon
  Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high
Name: https://climatejustice.social/users/ffoleg94/following
  Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://joinmastodon.org/apps
  Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high
Name: https://climatejustice.social/custom.css
  Source: cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594549794.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526464880.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://45.159.249.4/1474l
  Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://climatejustice.social/tags/grunewald"
  Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://docs.joinmastodon.org/client/intro/
  Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high
Name: https://climatejustice.rocks
  Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://45.159.249.4/1474u
  Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://docs.joinmastodon.org/
  Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high
Name: https://climatejustice.social/avatars/original/missing.png
  Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://climatejustice.social/tags/gitlab"
  Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://climatejustice.social/users/ffoleg94
  Source: cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526458800.0000000004D54000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594549794.0000000004D57000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341127759.0000000004D02000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572585218.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594578967.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341146688.0000000004D09000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341135942.0000000004D07000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://crl.microsoft.c
  Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://climatejustice.social/tags/gitea"
  Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://joinmastodon.org/
  Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high
Name: https://climatejustice.social/
  Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://45.159.249.4/1474x
  Source: cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://climatejustice.global
  Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://t.me/korstonsalesi
  Source: cvtres.exe, 00000001.00000003.340494604.0000000004D0E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: | Reputation: high
Name: http://45.159.249.4:80
  Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.159.249.4 | unknown | Russian Federation | 44676 | VMAGE-ASRU | false
167.86.107.75 | climatejustice.social | Germany | 51167 | CONTABODE | true
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
                                      Joe Sandbox Version:35.0.0 Citrine
                                      Analysis ID:679146
Start date and time:2022-08-05 10:48:11 +02:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 6m 52s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:uGfpJynSWM (renamed file extension from none to exe)
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:20
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@3/1@2/3
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:
                                      • Successful, ratio: 99.8% (good quality ratio 96.3%)
                                      • Quality average: 82.2%
                                      • Quality standard deviation: 28.2%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                      • TCP Packets have been reduced to 100
                                      • Excluded IPs from analysis (whitelisted): 23.211.4.86, 23.211.6.115
                                      • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:49:12 | API Interceptor | 1x Sleep call for process: uGfpJynSWM.exe modified
10:49:38 | API Interceptor | 5x Sleep call for process: cvtres.exe modified
                                      No context
                                      Process:C:\Users\user\Desktop\uGfpJynSWM.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):226
                                      Entropy (8bit):5.3467126928258955
                                      Encrypted:false
                                      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
                                      MD5:DD8B7A943A5D834CEEAB90A6BBBF4781
                                      SHA1:2BED8D47DF1C0FF76B40811E5F11298BD2D06389
SHA-256: E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
SHA-512: 24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.77740759573974
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: uGfpJynSWM.exe
File size: 374960
MD5: eb84aeef20ea974bf207dd6df8446567
SHA1: 624a1e8510a1d7f3ff05693c30d724f19aaf5a1a
SHA256: 9f532c8749bc71b3fc723d42f86300ae5a583515817da2aad40c858f163d01f8
SHA512: b2cf0b9aaacfc8e2fd6c517c0e49ff977b44097904cdf84a7d2a8324fc9525d0937442bf433e9a442e46914caf529b3e37d86097a36a761291e13c100aa30d3a
SSDEEP: 6144:wZJyvX/Kbhi5cqHYUAze34brlMoiGmWMG7u7isZaozdV4vMqmKEVDA:UJyvki3HYeMrlvKG7QiWbV4vMqmKF
TLSH: 7784F09D3681758FC446FEF59AB01D145620BC6B0717C243E8B73A7C9A3D28BDE811AE
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.b..............0..............)... ...@....@.. ..............................BQ....`................................
Icon Hash: 0f4d494919151b03
Entrypoint: 0x45298e
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x62D65AB0 [Tue Jul 19 07:18:08 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 4/1/2020 5:00:00 PM, 3/9/2023 4:00:00 AM
Subject Chain:
• CN=Avast Software s.r.o., OU=RE stapler cistodc, O=Avast Software s.r.o., L=Praha, C=CZ
Version: 3
Thumbprint MD5: 58F27306512AAEE9028766C21733D912
Thumbprint SHA-1: DB4336A6DC808C8F6A4944FA8E8D6A9E703F8915
Thumbprint SHA-256: C2DCD22E0E7CB9619DF76810B301291CF07A18DF244C05D059A8BA2137E34CFE
Serial: 0970EF4BAD5CC44A1C2BC3D96401674C
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x52940 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x54000 | 0x848e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x59400 | 0x24b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x528ec | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x50994 | 0x50a00 | False | 0.9173994670542636 | data | 7.888541504684198 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x54000 | 0x848e | 0x8600 | False | 0.285185401119403 | data | 5.202876902230195 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x541d8 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x54640 | 0x10a8 | data | |
RT_ICON | 0x556e8 | 0x25a8 | data | |
RT_ICON | 0x57c90 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | |
RT_GROUP_ICON | 0x5beb8 | 0x3e | data | |
RT_VERSION | 0x5bef8 | 0x3ac | data | |
RT_MANIFEST | 0x5c2a4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 10:49:17.171144009 CEST | 49765 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:17.171211958 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.171312094 CEST | 49765 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:17.193044901 CEST | 49765 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:17.193099022 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.262348890 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.262528896 CEST | 49765 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:17.581129074 CEST | 49765 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:17.581168890 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.581739902 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.582654953 CEST | 49765 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:17.585340977 CEST | 49765 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:17.627368927 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.636874914 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.636929035 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.636996984 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.637042046 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.637079954 CEST | 49765 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:17.637162924 CEST | 49765 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:17.646790028 CEST | 49765 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:17.646811008 CEST | 443 | 49765 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:17.822324038 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.822375059 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.822464943 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.823045969 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.823062897 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.881386042 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.881527901 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.889517069 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.889543056 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.889785051 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.889859915 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.891252995 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.931379080 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.989860058 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.989950895 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.989989042 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.990004063 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.990036011 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.990055084 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.990101099 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.990103006 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.990138054 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.990145922 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.990194082 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.990240097 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:17.990247965 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.990252018 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.990319014 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.990926981 CEST | 49766 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:17.990952015 CEST | 443 | 49766 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:18.076406002 CEST | 49767 | 80 | 192.168.2.7 | 45.159.249.4
Aug 5, 2022 10:49:21.101856947 CEST | 49767 | 80 | 192.168.2.7 | 45.159.249.4
Aug 5, 2022 10:49:27.102472067 CEST | 49767 | 80 | 192.168.2.7 | 45.159.249.4
Aug 5, 2022 10:49:39.262178898 CEST | 49768 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:39.262228966 CEST | 443 | 49768 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:39.262325048 CEST | 49768 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:39.262857914 CEST | 49768 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:39.262883902 CEST | 443 | 49768 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:39.320316076 CEST | 443 | 49768 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:39.320477009 CEST | 49768 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:39.323276997 CEST | 49768 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:39.323291063 CEST | 443 | 49768 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:39.327929020 CEST | 49768 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:39.327943087 CEST | 443 | 49768 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:39.388520956 CEST | 443 | 49768 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:39.388573885 CEST | 443 | 49768 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:39.388657093 CEST | 443 | 49768 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:39.388684988 CEST | 443 | 49768 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:39.388708115 CEST | 49768 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:39.388721943 CEST | 49768 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:39.388786077 CEST | 49768 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:39.392898083 CEST | 49768 | 443 | 192.168.2.7 | 149.154.167.99
Aug 5, 2022 10:49:39.392926931 CEST | 443 | 49768 | 149.154.167.99 | 192.168.2.7
Aug 5, 2022 10:49:39.409035921 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.409100056 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.409226894 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.409776926 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.409800053 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.455121040 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.457098007 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.457684994 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.457705975 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.463613033 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.463638067 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.582288027 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.582314968 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.582376957 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.582446098 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.582518101 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.582587957 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.582602978 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.582655907 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.582688093 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.583306074 CEST | 49769 | 443 | 192.168.2.7 | 167.86.107.75
Aug 5, 2022 10:49:39.583337069 CEST | 443 | 49769 | 167.86.107.75 | 192.168.2.7
Aug 5, 2022 10:49:39.600704908 CEST | 49770 | 80 | 192.168.2.7 | 45.159.249.4
Aug 5, 2022 10:49:42.588087082 CEST | 49770 | 80 | 192.168.2.7 | 45.159.249.4
Aug 5, 2022 10:49:48.588609934 CEST | 49770 | 80 | 192.168.2.7 | 45.159.249.4
Aug 5, 2022 10:50:00.857614994 CEST | 49786 | 443 | 192.168.2.7 | 149.154.167.99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 10:49:17.122176886 CEST | 60335 | 53 | 192.168.2.7 | 8.8.8.8
Aug 5, 2022 10:49:17.141352892 CEST | 53 | 60335 | 8.8.8.8 | 192.168.2.7
Aug 5, 2022 10:49:17.786555052 CEST | 60978 | 53 | 192.168.2.7 | 8.8.8.8
Aug 5, 2022 10:49:17.805754900 CEST | 53 | 60978 | 8.8.8.8 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 10:49:17.122176886 CEST | 192.168.2.7 | 8.8.8.8 | 0xc715 | Standard query (0) | t.me | A (IP address) | IN (0x0001)
Aug 5, 2022 10:49:17.786555052 CEST | 192.168.2.7 | 8.8.8.8 | 0xd64a | Standard query (0) | climatejustice.social | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 10:49:17.141352892 CEST | 8.8.8.8 | 192.168.2.7 | 0xc715 | No error (0) | t.me | | 149.154.167.99 | A (IP address) | IN (0x0001)
Aug 5, 2022 10:49:17.805754900 CEST | 8.8.8.8 | 192.168.2.7 | 0xd64a | No error (0) | climatejustice.social | | 167.86.107.75 | A (IP address) | IN (0x0001)
• t.me
• climatejustice.social
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49765 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Timestamp | kBytes transferred | Direction | Data
2022-08-05 08:49:17 UTC | 0 | OUT | GET /korstonsales HTTP/1.1
Host: t.me
2022-08-05 08:49:17 UTC | 0 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 05 Aug 2022 08:49:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9635
Connection: close
Set-Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560; expires=Sat, 06 Aug 2022 08:49:17 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
2022-08-05 08:49:17 UTC | 0 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6b 6f 72 73 74 6f 6e 73 61 6c 65 73 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e
Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49766 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Timestamp | kBytes transferred | Direction | Data
2022-08-05 08:49:17 UTC | 9 | OUT | GET /@ffoleg94 HTTP/1.1
Host: climatejustice.social
2022-08-05 08:49:17 UTC | 10 | IN | HTTP/1.1 200 OK
Date: Fri, 05 Aug 2022 08:49:17 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Server: Mastodon
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Permissions-Policy: interest-cohort=()
Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
Vary: Accept, Accept-Encoding, Origin
Cache-Control: max-age=0, public
ETag: W/"35467f9a4afaaea4d698d19476026f40"
Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-sOykySI0/v+BFinQ5Zv2HQ=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
Set-Cookie: _mastodon_session=IE12lf0Aiww%2FO2SHgNYf6X8ktxvGiUwFuvpakzTKg55PVj3wQxbOx8QbPNu%2BbA1ljKtplQtfpHSjetQM3MX253iMB2kbLm3xNEhgwBeB%2F1eCW8Wg13ePrm5lWBQfL9FAO02eO7J9l3dW3s6HTqeP4cis2esq7DldbRI0JLHXWe51XjtZNzvE6RX%2BUXAkx0ez6ASRzCFL8XG1b53DHaPoYf9LXuHN45UIQQKGgtGvY8K1mMZsTqoEdXlHxIHPmSknkSeuS38vHUAtiNgsrwJoiv1FJ7nyRHySt6rMdHZwhHdc3ptf6PDZ0wBxvwMpVHuFlqdHAXbX%2FUb%2Bmlizb1luBXM%3D--UaPP34RL8MYYb6Tj--nidR%2BdAjAGmnnhmujvS6WQ%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
X-Request-Id: 58ae802f-9e2b-4626-b42d-911de7da7729
X-Runtime: 0.054172
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Cached: MISS
Strict-Transport-Security: max-age=31536000
2022-08-05 08:49:17 UTC | 11 | IN | Data Raw: 36 35 35 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 27 65 6e 27 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 27 20 72 65 6c 3d 27 69 63 6f 6e 27 20 74 79 70 65 3d 27 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 27 20 72 65 6c 3d 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 27 20 73
Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
2022-08-05 08:49:17 UTC | 26 | IN | Data Raw: 22 3e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 20 67 72 6f 75 70 73 0d 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 70 6f 64 63 61 73 74 73 20 61 6e 64 20 6d 75 73 69 63 0d 0a 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 27 65 6e 64 6f 72 73 65 6d 65 6e 74 73 2d 77 69 64 67 65 74 20 74 72 65 6e 64 73 2d 77 69 64 67 65 74 27 3e 0a 3c 68 34 20 63 6c 61 73
Data Ascii: ">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-widget'><h4 clas


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      10 | 192.168.2.7 | 49883 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      2022-08-05 08:51:05 UTC | 188 | OUT | GET /korstonsales HTTP/1.1
                                      Host: t.me
                                      Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
                                      2022-08-05 08:51:05 UTC | 188 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0
                                      Date: Fri, 05 Aug 2022 08:51:05 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 9636
                                      Connection: close
                                      Pragma: no-cache
                                      Cache-control: no-store
                                      X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                      Content-Security-Policy: frame-ancestors https://web.telegram.org
                                      Strict-Transport-Security: max-age=35768000
                                      2022-08-05 08:51:05 UTC | 188 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6b 6f 72 73 74 6f 6e 73 61 6c 65 73 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e
                                      Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      11 | 192.168.2.7 | 49884 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      2022-08-05 08:51:05 UTC | 197 | OUT | GET /@ffoleg94 HTTP/1.1
                                      Host: climatejustice.social
                                      Cookie: _mastodon_session=G8wdgwz%2FDemSpy0Da1ZLqVdSh5XC%2FhOntkD9%2FioEKONmGFQbKw3ZbiJ4RIMQvyl5QKxN%2FpcDH0nKadQ0yXDwXyz6yqDcLvbVjYrc1VwLIggpvLXohspOLTi9YyRFkDXD1U6%2Fzrzrb4LoA5rAsIFcowDfc23g9dzpYcSLczI6VlHA0lfP8JjHOwarQxEdzM6akhIz0PxsXrVBHQQArBfIyixEHqMzgVy%2FgvPIRcQ2qdVLKMgTPmDwVbQ0%2BqoNguC6M%2F7xjoKMMQknPlrQIslHVR5u8qBY9lIeeNK373jl%2B82kCofXgGW%2BvK4Vwx2GKefGraC9M1B%2Bz7G9H6WpaKFziTw%3D--Ffkg6BiJ3LNw7A7D--YyCOAf66iro8NmL254gNlw%3D%3D
                                      2022-08-05 08:51:05 UTC | 198 | IN | HTTP/1.1 200 OK
                                      Date: Fri, 05 Aug 2022 08:51:05 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Vary: Accept-Encoding
                                      Server: Mastodon
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 0
                                      Permissions-Policy: interest-cohort=()
                                      Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                      Vary: Accept, Accept-Encoding, Origin
                                      Cache-Control: max-age=0, public
                                      ETag: W/"bf6f9ea00d1e9729d002200dabef18b5"
                                      Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-hliGSyjpUnH3oaKgt9bOUg=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                      Set-Cookie: _mastodon_session=F06HonUiNcv5pa3GP8LMm7nHCaKQodwYvwMe%2Be%2FR4qkkEl%2BZYMAoodG2UEkb6Zgxzv4gWsdfuooSoGoAFwH%2FpfPfyem2ws9sRh0fobZw9cTak1%2FJx%2FU8gXjoIV52mDV25d9G49vNv24HzmGy%2Bb2kFQDL4gd9zSDw10wOuhWBjFDg98K4X59aXa4gOJ45X07TfvczeZs1RE1AmMGHtTpE4T3hlu07LRp4qrg4OP1%2FrFDFRzq9F1Gacptxp1gCVFhLiB9K1Z9cC4Cp9VVNJaPR0ZOcMEf3mO7%2FAXWTAxKW9DKcZwFZeo%2F%2BmdtGhpH7I7%2Bkg7ch69hB4A24jelrR%2B3aJ3M%3D--liyMn3gInrF9zig5--LV%2F8jdZL17lO5jGMdMxb2g%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                      X-Request-Id: 0a2f114a-b261-415d-9fce-3ccdc4f1b854
                                      X-Runtime: 0.060840
                                      Strict-Transport-Security: max-age=63072000; includeSubDomains
                                      X-Cached: MISS
                                      Strict-Transport-Security: max-age=31536000
                                      2022-08-05 08:51:05 UTC | 200 | IN | Data Raw: 36 35 35 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 27 65 6e 27 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 27 20 72 65 6c 3d 27 69 63 6f 6e 27 20 74 79 70 65 3d 27 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 27 20 72 65 6c 3d 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 27 20 73
                                      Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
                                      2022-08-05 08:51:05 UTC | 214 | IN | Data Raw: 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 20 67 72 6f 75 70 73 0d 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 70 6f 64 63 61 73 74 73 20 61 6e 64 20 6d 75 73 69 63 0d 0a 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 27 65 6e 64 6f 72 73 65 6d 65 6e 74 73 2d 77 69 64 67 65 74 20 74 72 65 6e 64 73 2d 77 69 64
                                      Data Ascii: target="_blank">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-wid


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      2 | 192.168.2.7 | 49768 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      2022-08-05 08:49:39 UTC | 37 | OUT | GET /korstonsales HTTP/1.1
                                      Host: t.me
                                      Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
                                      2022-08-05 08:49:39 UTC | 37 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0
                                      Date: Fri, 05 Aug 2022 08:49:39 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 9635
                                      Connection: close
                                      Pragma: no-cache
                                      Cache-control: no-store
                                      X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                      Content-Security-Policy: frame-ancestors https://web.telegram.org
                                      Strict-Transport-Security: max-age=35768000
                                      2022-08-05 08:49:39 UTC | 37 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6b 6f 72 73 74 6f 6e 73 61 6c 65 73 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e
                                      Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      3 | 192.168.2.7 | 49769 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      2022-08-05 08:49:39 UTC | 47 | OUT | GET /@ffoleg94 HTTP/1.1
                                      Host: climatejustice.social
                                      Cookie: _mastodon_session=IE12lf0Aiww%2FO2SHgNYf6X8ktxvGiUwFuvpakzTKg55PVj3wQxbOx8QbPNu%2BbA1ljKtplQtfpHSjetQM3MX253iMB2kbLm3xNEhgwBeB%2F1eCW8Wg13ePrm5lWBQfL9FAO02eO7J9l3dW3s6HTqeP4cis2esq7DldbRI0JLHXWe51XjtZNzvE6RX%2BUXAkx0ez6ASRzCFL8XG1b53DHaPoYf9LXuHN45UIQQKGgtGvY8K1mMZsTqoEdXlHxIHPmSknkSeuS38vHUAtiNgsrwJoiv1FJ7nyRHySt6rMdHZwhHdc3ptf6PDZ0wBxvwMpVHuFlqdHAXbX%2FUb%2Bmlizb1luBXM%3D--UaPP34RL8MYYb6Tj--nidR%2BdAjAGmnnhmujvS6WQ%3D%3D
                                      2022-08-05 08:49:39 UTC | 47 | IN | HTTP/1.1 200 OK
                                      Date: Fri, 05 Aug 2022 08:49:39 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Vary: Accept-Encoding
                                      Server: Mastodon
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 0
                                      Permissions-Policy: interest-cohort=()
                                      Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                      Vary: Accept, Accept-Encoding, Origin
                                      Cache-Control: max-age=0, public
                                      ETag: W/"f271e218b8b5f4cd48ea9805ee1eaac6"
                                      Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-vZ9efujlufLRVX5ML9zhPQ=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                      Set-Cookie: _mastodon_session=3rSSEQhY%2BR%2ByBXGg%2FZ7vjc6lT5LBYSBRTm4v10Vjq3ue%2BjwBExu9w58N8ClT%2Bud5pLw%2FhNpc0ZVmhbGFmRwVbdBlbgslSN94eAItWDOu4CGgiK9jhd3mHMacn3wAdie7Kxd1jN1PXBqcxNNL004FuuBE8ZcXHZ9KeIX6GtzzFfvUtnGWm8ZnLLwl53QYxoy96Xw8%2BDQyXocErXsPhQdIg%2FpxcTsHw5r3GkFxULvXrHFqPB166JKLVDREPTkxqTmFOYedLa6uPEB2T4kW8V44pB5aEoVFQGo6vkNDPnAvIGvofiJ%2FGZzi5%2FYGT7rR2OuS9SAL1tKkIZTobYnVx%2Fquwbo%3D--ciXPLxNa31c7%2FJvd--PL1p0wGZ8YwXdexsQfoBoQ%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                      X-Request-Id: 8fa0a62b-eeaf-451b-a11c-63c7f250595d
                                      X-Runtime: 0.059514
                                      Strict-Transport-Security: max-age=63072000; includeSubDomains
                                      X-Cached: MISS
                                      Strict-Transport-Security: max-age=31536000
                                      2022-08-05 08:49:39 UTC | 49 | IN | Data Raw: 36 35 35 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 27 65 6e 27 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 27 20 72 65 6c 3d 27 69 63 6f 6e 27 20 74 79 70 65 3d 27 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 27 20 72 65 6c 3d 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 27 20 73
                                      Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
                                      2022-08-05 08:49:39 UTC | 63 | IN | Data Raw: 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 20 67 72 6f 75 70 73 0d 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 70 6f 64 63 61 73 74 73 20 61 6e 64 20 6d 75 73 69 63 0d 0a 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 27 65 6e 64 6f 72 73 65 6d 65 6e 74 73 2d 77 69 64 67 65 74 20 74 72 65 6e 64 73 2d 77 69 64 67 65 74 27
                                      Data Ascii: et="_blank">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-widget'


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      4 | 192.168.2.7 | 49786 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      2022-08-05 08:50:00 UTC | 75 | OUT | GET /korstonsales HTTP/1.1
                                      Host: t.me
                                      Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
                                      2022-08-05 08:50:00 UTC | 75 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0
                                      Date: Fri, 05 Aug 2022 08:50:00 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 9634
                                      Connection: close
                                      Pragma: no-cache
                                      Cache-control: no-store
                                      X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                      Content-Security-Policy: frame-ancestors https://web.telegram.org
                                      Strict-Transport-Security: max-age=35768000
                                      2022-08-05 08:50:00 UTC | 75 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6b 6f 72 73 74 6f 6e 73 61 6c 65 73 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e
                                      Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      5 | 192.168.2.7 | 49787 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      2022-08-05 08:50:01 UTC | 84 | OUT | GET /@ffoleg94 HTTP/1.1
                                      Host: climatejustice.social
                                      Cookie: _mastodon_session=3rSSEQhY%2BR%2ByBXGg%2FZ7vjc6lT5LBYSBRTm4v10Vjq3ue%2BjwBExu9w58N8ClT%2Bud5pLw%2FhNpc0ZVmhbGFmRwVbdBlbgslSN94eAItWDOu4CGgiK9jhd3mHMacn3wAdie7Kxd1jN1PXBqcxNNL004FuuBE8ZcXHZ9KeIX6GtzzFfvUtnGWm8ZnLLwl53QYxoy96Xw8%2BDQyXocErXsPhQdIg%2FpxcTsHw5r3GkFxULvXrHFqPB166JKLVDREPTkxqTmFOYedLa6uPEB2T4kW8V44pB5aEoVFQGo6vkNDPnAvIGvofiJ%2FGZzi5%2FYGT7rR2OuS9SAL1tKkIZTobYnVx%2Fquwbo%3D--ciXPLxNa31c7%2FJvd--PL1p0wGZ8YwXdexsQfoBoQ%3D%3D
                                      2022-08-05 08:50:01 UTC | 85 | IN | HTTP/1.1 200 OK
                                      Date: Fri, 05 Aug 2022 08:50:01 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Vary: Accept-Encoding
                                      Server: Mastodon
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 0
                                      Permissions-Policy: interest-cohort=()
                                      Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                      Vary: Accept, Accept-Encoding, Origin
                                      Cache-Control: max-age=0, public
                                      ETag: W/"c2994c3008258a0f5f22e24f062e050b"
                                      Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-dLglWmkK2DXilNlj6PAYsA=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                      Set-Cookie: _mastodon_session=cBV6gswXNvy8Hgb%2BvExlczZjstftQa27zJ%2ByonVRi5vw9q44kYaXOHqqk%2FMhqSyxc2K1n3IXUv4kERfPbDEZOwE6NFx%2BLntMjgu1MWeXu90ji40Xeo7Tz0u9MgjPeSND%2BppXUEiqV%2Bou0NkQvBHoflX27u%2BLD6qQzJ6oEhtEEA7VVKadgTfzBP2a0zRCmF4SsemcSDzT8BNNzs1M%2BIr4CTeavXuTu%2BJCm0uuMkUySIWpjXI2ILBRTS6oqhKWITt4DN8y09XOU2uhmLZARu%2BXQUXiFg8MhEuyus2jpZ3LM2BaLgmhu4lCR67q728X8Wn%2Bl%2FdyVOgV5qfUpjC%2F2Xeeaxs%3D--9MBRf%2FPU0zFwfS96--LxGMiLJEI8rWcXno6EKaag%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                      X-Request-Id: 40155b8a-7a1e-4660-9353-f1d8198128fe
                                      X-Runtime: 0.101000
                                      Strict-Transport-Security: max-age=63072000; includeSubDomains
                                      X-Cached: MISS
                                      Strict-Transport-Security: max-age=31536000
                                      2022-08-05 08:50:01 UTC | 87 | IN | Data Raw: 36 35 35 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 27 65 6e 27 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 27 20 72 65 6c 3d 27 69 63 6f 6e 27 20 74 79 70 65 3d 27 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 27 20 72 65 6c 3d 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 27 20 73
                                      Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
                                      2022-08-05 08:50:01 UTC | 101 | IN | Data Raw: 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 20 67 72 6f 75 70 73 0d 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 70 6f 64 63 61 73 74 73 20 61 6e 64 20 6d 75 73 69 63 0d 0a 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 27 65 6e 64 6f 72 73 65 6d 65 6e 74 73 2d 77 69 64 67 65 74 20 74 72 65 6e 64 73 2d 77 69 64
                                      Data Ascii: target="_blank">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-wid


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      6 | 192.168.2.7 | 49801 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      2022-08-05 08:50:22 UTC | 112 | OUT | GET /korstonsales HTTP/1.1
                                      Host: t.me
                                      Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
                                      2022-08-05 08:50:22 UTC | 112 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0
                                      Date: Fri, 05 Aug 2022 08:50:22 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 9636
                                      Connection: close
                                      Pragma: no-cache
                                      Cache-control: no-store
                                      X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                      Content-Security-Policy: frame-ancestors https://web.telegram.org
                                      Strict-Transport-Security: max-age=35768000
                                      2022-08-05 08:50:22 UTC | 113 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6b 6f 72 73 74 6f 6e 73 61 6c 65 73 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e
                                      Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.

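Every HTTPS session in this part of the report is the same pair of requests: the injected cvtres.exe (a .NET Framework build tool that has no business opening sockets; the report's signatures above record the PE injection into it) fetches the public Telegram channel page t.me/korstonsales and the Mastodon profile climatejustice.social/@ffoleg94, over and over, with a Host and a Cookie header but no User-Agent (the "HTTP GET or POST without a user agent" signature). The visible fetches of each page are 21, 22 and 43 seconds apart. This is the dead-drop resolver pattern seen in Vidar: the sample polls a profile page on a legitimate service until it can read its real C2 address out of it. The report only shows the page bodies, not what the sample parsed from them, so the example below does not try to extract a C2. It is an added triage script, not part of the Joe Sandbox report and not sandbox code: the session records are constructed from the session headers above (the tuple layout is an assumption, not the sandbox's export format), one made-up benign record is appended as a control, and three checks are run over them: a build-tool binary originating HTTP, requests that carry no User-Agent, and three or more spaced-out fetches of the same profile-style page by one process.

```python
"""Heuristic triage of sandbox HTTP session records (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"  # constructed control, not in the report

# (session id, destination IP, process, timestamp UTC, request line, request headers)
# Records 2..11 are taken from the session table in the report; record 99 is made up.
# Cookie values are left out because none of the rules below looks at them.
SESSIONS = [
    (2,  "149.154.167.99", CVTRES, "2022-08-05 08:49:39", "GET /korstonsales HTTP/1.1", {"Host": "t.me"}),
    (3,  "167.86.107.75",  CVTRES, "2022-08-05 08:49:39", "GET /@ffoleg94 HTTP/1.1", {"Host": "climatejustice.social"}),
    (4,  "149.154.167.99", CVTRES, "2022-08-05 08:50:00", "GET /korstonsales HTTP/1.1", {"Host": "t.me"}),
    (5,  "167.86.107.75",  CVTRES, "2022-08-05 08:50:01", "GET /@ffoleg94 HTTP/1.1", {"Host": "climatejustice.social"}),
    (6,  "149.154.167.99", CVTRES, "2022-08-05 08:50:22", "GET /korstonsales HTTP/1.1", {"Host": "t.me"}),
    (7,  "167.86.107.75",  CVTRES, "2022-08-05 08:50:22", "GET /@ffoleg94 HTTP/1.1", {"Host": "climatejustice.social"}),
    (10, "149.154.167.99", CVTRES, "2022-08-05 08:51:05", "GET /korstonsales HTTP/1.1", {"Host": "t.me"}),
    (11, "167.86.107.75",  CVTRES, "2022-08-05 08:51:05", "GET /@ffoleg94 HTTP/1.1", {"Host": "climatejustice.social"}),
    (99, "203.0.113.10",   FIREFOX, "2022-08-05 08:51:30", "GET /index.html HTTP/1.1",
         {"Host": "example.test", "User-Agent": "Mozilla/5.0"}),
]

# .NET Framework tool-chain binaries that should never originate network traffic on an
# end-user machine. Example list (assumption); cvtres.exe is the one this report shows.
NO_NETWORK_EXPECTED = {"cvtres.exe", "csc.exe", "vbc.exe", "regasm.exe", "regsvcs.exe"}


def dead_drop_kind(host, path):
    """Classify profile-style pages on public platforms that stealers use as
    dead-drop resolvers (the operator parks the real C2 address in the bio)."""
    if host == "t.me" and re.fullmatch(r"/[A-Za-z0-9_]{5,32}", path):
        return "telegram-channel"
    if re.fullmatch(r"/@[A-Za-z0-9_]+", path):
        return "mastodon-profile"
    return None


def analyze(sessions):
    """Return a list of finding dicts; each has a 'rule' key naming the check."""
    findings = []
    polls = defaultdict(list)  # (exe, host, path) -> fetch timestamps
    for sid, dst_ip, proc, ts, reqline, hdrs in sessions:
        exe = proc.rsplit("\\", 1)[-1].lower()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        method, path, _version = reqline.split(" ", 2)
        host = hdrs.get("Host", dst_ip)
        if exe in NO_NETWORK_EXPECTED:
            findings.append({"rule": "unexpected-network-process", "session": sid,
                             "process": exe, "host": host})
        if "User-Agent" not in hdrs:
            findings.append({"rule": "no-user-agent", "session": sid, "process": exe, "host": host})
        if method == "GET" and dead_drop_kind(host, path):
            polls[(exe, host, path)].append(when)
    for (exe, host, path), stamps in polls.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Three or more fetches of one profile page, each seconds apart rather than a
        # burst of page assets, is polling rather than browsing.
        if len(stamps) >= 3 and all(g >= 5 for g in gaps):
            findings.append({"rule": "dead-drop-polling", "process": exe, "host": host,
                             "path": path, "kind": dead_drop_kind(host, path),
                             "fetches": len(stamps), "gaps_s": gaps,
                             "median_gap_s": statistics.median(gaps)})
    return findings


def by_rule(findings, rule):
    """Filter findings by rule name (small helper for callers and tests)."""
    return [f for f in findings if f["rule"] == rule]


if __name__ == "__main__":
    for finding in analyze(SESSIONS):
        print(finding)
```

On the report's own sessions the script yields two dead-drop-polling findings (t.me /korstonsales and climatejustice.social /@ffoleg94, four fetches each, gaps of 21, 22 and 43 seconds) plus one unexpected-network-process and one no-user-agent finding per session; the control record trips nothing. The periodicity is reported rather than thresholded on purpose: a sample that sleeps between polls (the "May sleep (evasive loops)" signature) will not keep a perfectly regular cadence, and the gap list is what an analyst wants to eyeball anyway.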

                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      7 | 192.168.2.7 | 49802 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      2022-08-05 08:50:22 UTC | 122 | OUT | GET /@ffoleg94 HTTP/1.1
                                      Host: climatejustice.social
                                      Cookie: _mastodon_session=cBV6gswXNvy8Hgb%2BvExlczZjstftQa27zJ%2ByonVRi5vw9q44kYaXOHqqk%2FMhqSyxc2K1n3IXUv4kERfPbDEZOwE6NFx%2BLntMjgu1MWeXu90ji40Xeo7Tz0u9MgjPeSND%2BppXUEiqV%2Bou0NkQvBHoflX27u%2BLD6qQzJ6oEhtEEA7VVKadgTfzBP2a0zRCmF4SsemcSDzT8BNNzs1M%2BIr4CTeavXuTu%2BJCm0uuMkUySIWpjXI2ILBRTS6oqhKWITt4DN8y09XOU2uhmLZARu%2BXQUXiFg8MhEuyus2jpZ3LM2BaLgmhu4lCR67q728X8Wn%2Bl%2FdyVOgV5qfUpjC%2F2Xeeaxs%3D--9MBRf%2FPU0zFwfS96--LxGMiLJEI8rWcXno6EKaag%3D%3D
                                      2022-08-05 08:50:22 UTC | 123 | IN | HTTP/1.1 200 OK
                                      Date: Fri, 05 Aug 2022 08:50:22 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Vary: Accept-Encoding
                                      Server: Mastodon
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 0
                                      Permissions-Policy: interest-cohort=()
                                      Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                      Vary: Accept, Accept-Encoding, Origin
                                      Cache-Control: max-age=0, public
                                      ETag: W/"32c8b9e673b4aaa051f347271f6bf081"
                                      Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-HrEcTrDQt0VOPhA9Duc+Vw=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                      Set-Cookie: _mastodon_session=odijTynxlktrze7IgYOSVyYGax6MLuq%2BHgXXNKVkWj0EmP%2BY%2BYajeG%2F8FkitzpankLQzKOs7zUEdBhjbxOzpdZ1RpsOQGZ1AUSKbXvelp9WMXNXnJ654jBiZtol1X4q0pNgUdviAwoWtj%2FRytZuF3icv9tA2rrhSHuj8RNt7upfkwzVVGdrp1OipqNMvxNGxOGsFr55qZoPRd7OunaK4YDlwg%2Bc1dFbtqJ%2FwmLTyaTlwPgipiHfY3D96mosQe3LYewtprF6rsACbNZQUOPaPNuvOAKe1MffUWL9jfeHvRGne%2Frrk4sQKfhRHzSDToiAhNgEMrluTU%2FqXba1%2FBYcmyoU%3D--bxICJGAgGqamQv1Z--NCklHYqUpYEpY8rfNxpO7g%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                      X-Request-Id: 5a371a80-1412-4305-80b6-62f3908a4fec
                                      X-Runtime: 0.068325
                                      Strict-Transport-Security: max-age=63072000; includeSubDomains
                                      X-Cached: MISS
                                      Strict-Transport-Security: max-age=31536000
                                      2022-08-05 08:50:22 UTC | 125 | IN | Data Raw: 36 35 35 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 27 65 6e 27 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 27 20 72 65 6c 3d 27 69 63 6f 6e 27 20 74 79 70 65 3d 27 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 27 20 72 65 6c 3d 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 27 20 73
                                      Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
                                      2022-08-05 08:50:22 UTC | 139 | IN | Data Raw: 5f 62 6c 61 6e 6b 22 3e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 20 67 72 6f 75 70 73 0d 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 70 6f 64 63 61 73 74 73 20 61 6e 64 20 6d 75 73 69 63 0d 0a 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 27 65 6e 64 6f 72 73 65 6d 65 6e 74 73 2d 77 69 64 67 65 74 20 74 72 65 6e 64 73 2d 77 69 64 67 65 74 27 3e 0a 3c 68
                                      Data Ascii: _blank">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-widget'><h


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      8 | 192.168.2.7 | 49854 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      2022-08-05 08:50:44 UTC | 150 | OUT | GET /korstonsales HTTP/1.1
                                      Host: t.me
                                      Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
                                      2022-08-05 08:50:44 UTC | 150 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0
                                      Date: Fri, 05 Aug 2022 08:50:44 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 9636
                                      Connection: close
                                      Pragma: no-cache
                                      Cache-control: no-store
                                      X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                      Content-Security-Policy: frame-ancestors https://web.telegram.org
                                      Strict-Transport-Security: max-age=35768000
                                      2022-08-05 08:50:44 UTC | 150 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6b 6f 72 73 74 6f 6e 73 61 6c 65 73 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e
                                      Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      9 | 192.168.2.7 | 49855 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      2022-08-05 08:50:44 UTC | 160 | OUT | GET /@ffoleg94 HTTP/1.1
                                      Host: climatejustice.social
                                      Cookie: _mastodon_session=odijTynxlktrze7IgYOSVyYGax6MLuq%2BHgXXNKVkWj0EmP%2BY%2BYajeG%2F8FkitzpankLQzKOs7zUEdBhjbxOzpdZ1RpsOQGZ1AUSKbXvelp9WMXNXnJ654jBiZtol1X4q0pNgUdviAwoWtj%2FRytZuF3icv9tA2rrhSHuj8RNt7upfkwzVVGdrp1OipqNMvxNGxOGsFr55qZoPRd7OunaK4YDlwg%2Bc1dFbtqJ%2FwmLTyaTlwPgipiHfY3D96mosQe3LYewtprF6rsACbNZQUOPaPNuvOAKe1MffUWL9jfeHvRGne%2Frrk4sQKfhRHzSDToiAhNgEMrluTU%2FqXba1%2FBYcmyoU%3D--bxICJGAgGqamQv1Z--NCklHYqUpYEpY8rfNxpO7g%3D%3D
                                      2022-08-05 08:50:44 UTC | 160 | IN | HTTP/1.1 200 OK
                                      Date: Fri, 05 Aug 2022 08:50:44 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Vary: Accept-Encoding
                                      Server: Mastodon
                                      X-Frame-Options: DENY
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 0
                                      Permissions-Policy: interest-cohort=()
                                      Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                      Vary: Accept, Accept-Encoding, Origin
                                      Cache-Control: max-age=0, public
                                      ETag: W/"caf4cc37237e7fc1bf6428a925b5bae0"
                                      Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-i/lixRy9GKJYqoH2UuhdCg=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                      Set-Cookie: _mastodon_session=G8wdgwz%2FDemSpy0Da1ZLqVdSh5XC%2FhOntkD9%2FioEKONmGFQbKw3ZbiJ4RIMQvyl5QKxN%2FpcDH0nKadQ0yXDwXyz6yqDcLvbVjYrc1VwLIggpvLXohspOLTi9YyRFkDXD1U6%2Fzrzrb4LoA5rAsIFcowDfc23g9dzpYcSLczI6VlHA0lfP8JjHOwarQxEdzM6akhIz0PxsXrVBHQQArBfIyixEHqMzgVy%2FgvPIRcQ2qdVLKMgTPmDwVbQ0%2BqoNguC6M%2F7xjoKMMQknPlrQIslHVR5u8qBY9lIeeNK373jl%2B82kCofXgGW%2BvK4Vwx2GKefGraC9M1B%2Bz7G9H6WpaKFziTw%3D--Ffkg6BiJ3LNw7A7D--YyCOAf66iro8NmL254gNlw%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                      X-Request-Id: fb01facc-65ef-4503-9b0d-12323d7b4f20
                                      X-Runtime: 0.060382
                                      Strict-Transport-Security: max-age=63072000; includeSubDomains
                                      X-Cached: MISS
                                      Strict-Transport-Security: max-age=31536000
                                      2022-08-05 08:50:44 UTC | 162 | IN | Data Raw: 36 35 35 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 27 65 6e 27 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 27 20 72 65 6c 3d 27 69 63 6f 6e 27 20 74 79 70 65 3d 27 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 27 20 72 65 6c 3d 27 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 27 20 73
                                      Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
                                      2022-08-05 08:50:44 UTC | 176 | IN | Data Raw: 3d 22 5f 62 6c 61 6e 6b 22 3e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 20 67 72 6f 75 70 73 0d 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 66 75 6e 6b 2e 63 6c 69 6d 61 74 65 6a 75 73 74 69 63 65 2e 67 6c 6f 62 61 6c 3c 2f 61 3e 0d 0a 66 6f 72 20 70 6f 64 63 61 73 74 73 20 61 6e 64 20 6d 75 73 69 63 0d 0a 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 27 65 6e 64 6f 72 73 65 6d 65 6e 74 73 2d 77 69 64 67 65 74 20 74 72 65 6e 64 73 2d 77 69 64 67 65 74 27 3e 0a
                                      Data Ascii: ="_blank">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-widget'>

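Sessions 8 and 9 above show the same pattern: cvtres.exe, the .NET SDK resource converter, which has no reason to speak HTTP at all, fetches a Telegram channel page (t.me/korstonsales) and a Mastodon profile (climatejustice.social/@ffoleg94) over TLS, sending a Cookie header but no User-Agent. Stealers of this family use such public profiles as dead-drop resolvers, publishing the real C2 address in the profile text, so the lookup itself is the behaviour to hunt for. The detection logic below is an added example and is not code from the Joe Sandbox report or from the malware. It runs over session records constructed from sessions 8 and 9 (cookie values shortened) plus a made-up benign browser session for contrast; the record layout, the host and browser lists and every function name are this example's own assumptions.

```python
"""Flag dead-drop-resolver lookups made by processes that should never speak HTTP.

Added example, not code from the Joe Sandbox report or from Vidar. The session
records are constructed from sessions 8 and 9 in the report (cookie values
shortened); session 10 is a made-up benign browser request for contrast.
The record layout, the host lists and all function names are assumptions.
"""
import re

# Hosts commonly abused as dead-drop resolvers. Mastodon instances cannot be
# enumerated up front, so they are recognised from the response instead.
KNOWN_DEAD_DROP_HOSTS = {"t.me", "telegram.me"}

# Image names expected to issue web requests. cvtres.exe, the .NET SDK
# resource converter seen in the report, is not one of them.
BROWSER_LIKE = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
CONSTRUCTED_SESSIONS = [
    {"session": 8, "process": CVTRES, "dst": "149.154.167.99:443",
     "request": "GET /korstonsales HTTP/1.1\r\nHost: t.me\r\nCookie: stel_ssid=x\r\n\r\n",
     "response_headers": {"Server": "nginx/1.18.0"}},
    {"session": 9, "process": CVTRES, "dst": "167.86.107.75:443",
     "request": "GET /@ffoleg94 HTTP/1.1\r\nHost: climatejustice.social\r\n"
                "Cookie: _mastodon_session=x\r\n\r\n",
     "response_headers": {"Server": "Mastodon",
                          "Link": "<https://climatejustice.social/.well-known/webfinger"
                                  "?resource=acct%3Affoleg94%40climatejustice.social>; rel=\"lrdd\""}},
    {"session": 10, "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst": "167.86.107.75:443",
     "request": "GET /@ffoleg94 HTTP/1.1\r\nHost: climatejustice.social\r\n"
                "User-Agent: Mozilla/5.0\r\n\r\n",
     "response_headers": {"Server": "Mastodon"}},
]

# t.me/<channel> or Mastodon /@<user>: a single path segment and nothing else.
PROFILE_PATH = re.compile(r"^/(@?[A-Za-z0-9_.-]+)$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict)."""
    request_line, _, rest = raw.partition("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in rest.split("\r\n"):
        if not line:          # the empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_mastodon_response(resp_headers):
    """Mastodon names itself in Server: and advertises WebFinger in Link:."""
    server = resp_headers.get("Server", "").lower()
    return server.startswith("mastodon") or "/.well-known/webfinger" in resp_headers.get("Link", "")


def classify(session):
    """Return the reasons this session looks like a dead-drop lookup ([] if it does not).

    A non-browser client is required; the other findings are supporting
    evidence, and the extracted handle is the indicator to pivot on.
    """
    method, path, req = parse_request(session["request"])
    host = req.get("host", "").lower()
    image = session["process"].rsplit("\\", 1)[-1].lower()
    if image in BROWSER_LIKE:
        return []
    if host in KNOWN_DEAD_DROP_HOSTS:
        kind = "known dead-drop host"
    elif is_mastodon_response(session["response_headers"]):
        kind = "Mastodon instance"
    else:
        return []
    reasons = [f"{image} issued {method} {path} to {kind} {host}"]
    handle = PROFILE_PATH.match(path)
    if handle:
        reasons.append(f"profile handle for pivoting: {host}/{handle.group(1)}")
    if "user-agent" not in req:
        reasons.append("request carries no User-Agent header")
    return reasons


def scan(sessions):
    """Map session id -> reasons for every session that matches."""
    return {s["session"]: r for s in sessions if (r := classify(s))}


if __name__ == "__main__":
    for sid, reasons in scan(CONSTRUCTED_SESSIONS).items():
        print(f"session {sid}: " + "; ".join(reasons))
```

The request line and headers are only visible behind a TLS-terminating proxy or in a sandbox such as this one; with SNI or destination IP alone, the pairing of a non-browser image (here cvtres.exe) with t.me or a fediverse host is still the strongest signal, and the extracted handles (t.me/korstonsales, climatejustice.social/@ffoleg94) are what to pivot on across other samples.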


                                      Target ID:0
                                      Start time:10:49:10
                                      Start date:05/08/2022
                                      Path:C:\Users\user\Desktop\uGfpJynSWM.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\uGfpJynSWM.exe"
                                      Imagebase:0x830000
                                      File size:374960 bytes
                                      MD5 hash:EB84AEEF20EA974BF207DD6DF8446567
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      Reputation:low

                                      Target ID:1
                                      Start time:10:49:12
                                      Start date:05/08/2022
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                      Imagebase:0xb0000
                                      File size:43176 bytes
                                      MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.594144374.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:moderate

                                      No disassembly