Edit tour

Windows Analysis Report
http://www.telegram-gd.com/

Overview

General Information

Sample URL:	http://www.telegram-gd.com/
Analysis ID:	1589337
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected ZipBomb

AI detected suspicious URL

Downloads suspicious files via Chrome

PE file contains section with special chars

Switches to a custom stack to bypass stack traces

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Entry point lies outside standard sections

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6024 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3732 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2000,i,17727096617257468248,15794474977771889975,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

unarchiver.exe (PID: 3992 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\shater.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 4348 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\3orywyhy.gn2" "C:\Users\user\Downloads\shater.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6888 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

shater.exe (PID: 6912 cmdline: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe MD5: D08BDF8F0948938687A6E0C1044E1962)

chrome.exe (PID: 6508 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://www.telegram-gd.com/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\Downloads\b50add30-32dd-4a3b-80b7-9353c2bcf7ee.tmp	JoeSecurity_ZipBomb	Yara detected ZipBomb	Joe Security
C:\Users\user\Downloads\73c1b1fc-0e18-48dd-8730-e3811dedf735.tmp	JoeSecurity_ZipBomb	Yara detected ZipBomb	Joe Security
C:\Users\user\Downloads\6d02d947-acc6-49aa-a9ac-9af46163f28d.tmp	JoeSecurity_ZipBomb	Yara detected ZipBomb	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: http://www.telegram-gd.com/

Avira URL Cloud: detection malicious, Label: phishing

Phishing

AI detected suspicious URL

Source: URL	Joe Sandbox AI: AI detected Brand spoofing attempt in URL: http://www.telegram-gd.com
Source: URL	Joe Sandbox AI: AI detected Typosquatting in URL: http://www.telegram-gd.com

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: 7za.exe, 00000008.00000003.2455666082.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 7za.exe, 00000008.00000003.2455666082.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 7za.exe, 00000008.00000003.2455666082.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 7za.exe, 00000008.00000003.2455666082.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 7za.exe, 00000008.00000003.2455666082.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 7za.exe, 00000008.00000003.2455666082.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 7za.exe, 00000008.00000003.2455666082.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 7za.exe, 00000008.00000003.2455666082.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 7za.exe, 00000008.00000003.2455666082.0000000000B40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X

System Summary

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\shater.zip (copy)

Jump to dropped file

PE file contains section with special chars

Source: shater.exe.8.dr	Static PE information: section name: .g=V
Source: shater.exe.8.dr	Static PE information: section name: .g\O

Source: classification engine

Classification label: mal72.evad.win@33/37@0/18

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\b50add30-32dd-4a3b-80b7-9353c2bcf7ee.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2000,i,17727096617257468248,15794474977771889975,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://www.telegram-gd.com/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\shater.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\3orywyhy.gn2" "C:\Users\user\Downloads\shater.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2000,i,17727096617257468248,15794474977771889975,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\shater.zip"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\3orywyhy.gn2" "C:\Users\user\Downloads\shater.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: initial sample

Static PE information: section where entry point is pointing to: .g\O

Source: shater.exe.8.dr	Static PE information: section name: .g=V
Source: shater.exe.8.dr	Static PE information: section name: .TNH
Source: shater.exe.8.dr	Static PE information: section name: .g\O

Source: C:\Windows\SysWOW64\7za.exe

File created: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected ZipBomb

Source: Yara match	File source: C:\Users\user\Downloads\b50add30-32dd-4a3b-80b7-9353c2bcf7ee.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Downloads\73c1b1fc-0e18-48dd-8730-e3811dedf735.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Downloads\6d02d947-acc6-49aa-a9ac-9af46163f28d.tmp, type: DROPPED

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	API/Special instruction interceptor: Address: 76943E5
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	API/Special instruction interceptor: Address: 7F4DB6C
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	API/Special instruction interceptor: Address: 7FB78FE
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	API/Special instruction interceptor: Address: 76751CD
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	API/Special instruction interceptor: Address: 4492A88
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	API/Special instruction interceptor: Address: 4455F74
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	API/Special instruction interceptor: Address: 44B5284
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	API/Special instruction interceptor: Address: 775AA2D
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	API/Special instruction interceptor: Address: 7FC2449
Source: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	API/Special instruction interceptor: Address: 75B9660

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 4FD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 7_2_00F5B1D6 GetSystemInfo,

7_2_00F5B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\3orywyhy.gn2" "C:\Users\user\Downloads\shater.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	113 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://www.telegram-gd.com/	100%	Avira URL Cloud	phishing

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe	8%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.telegram-gd.com/	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
199.91.74.208	unknown	United States	21859	ZNETUS	false
90.84.161.16	unknown	France	5511	OPENTRANSITFR	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
108.177.15.84	unknown	United States	15169	GOOGLEUS	false
172.217.16.206	unknown	United States	15169	GOOGLEUS	false
104.21.80.1	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.193.48	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.131	unknown	United States	15169	GOOGLEUS	false
104.21.96.1	unknown	United States	13335	CLOUDFLARENETUS	false
90.84.161.20	unknown	France	5511	OPENTRANSITFR	false
35.190.80.1	unknown	United States	15169	GOOGLEUS	false
43.132.105.108	unknown	Japan	4249	LILLY-ASUS	false
104.21.20.160	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.186.99	unknown	United States	15169	GOOGLEUS	false
172.217.18.100	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589337
Start date and time:	2025-01-12 01:18:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://www.telegram-gd.com/
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.evad.win@33/37@0/18
EGA Information:	Failed
HCA Information:	Successful, ratio: 84% Number of executed functions: 46 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: http://www.telegram-gd.com/

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: http://www.telegram-gd.com Model: Joe Sandbox AI	{ "typosquatting": true, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": true, "third_party_hosting": true }
URL: http://www.telegram-gd.com
URL: https://www.telegram-gd.com/static/js/jquery.js... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "This appears to be the minified version of the jQuery library, which is a widely-used and trusted JavaScript library. The code does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or suspicious redirects. The behaviors observed are typical of a legitimate JavaScript library, including DOM manipulation, event handling, and utility functions. While the code is obfuscated, this is a common practice for minified libraries to improve performance. Overall, this script poses a low risk and is likely a benign, widely-used JavaScript library." }
/!jQuery v3.3.1 \| (c) JS Foundation and other contributors \| jquery.org/license/!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(e,t){"use strict";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return"function"==typeof t&&"number"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t\|\|r).createElement("script");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e\|\|"function"==typeof e?l[c.call(e)]\|\|"object":typeof e}var b="3.3.1",w=function(e,t){return new w.fn.init(e,t)},T=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g;w.fn=w.prototype={jquery:"3.3.1",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject\|\|this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]\|\|{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]\|\|{},s++),"object"==typeof a\|\|g(a)\|\|(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)\|\|(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:"jQuery"+("3.3.1"+Math.random()).replace(/\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e\|\|"[object Object]"!==c.call(e))&&(!(t=i(e))\|\|"function"==typeof(n=f.call(t,"constructor")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?"":(e+"").replace(T,"")},makeArray:function(e,t){var n=t\|\|[];return null!=e&&(C(Object(e))?w.merge(n,"string"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),"function"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(e,t){l["[object "+t+"]"]=t.toLowerCase()});function C(e){var t=!!e&&"length"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&("array"===n\|\|0===t\|\|"number"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b="sizzle"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;retur
URL: https://www.telegram-gd.com/static/js/public.js... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The provided JavaScript code appears to be a benign script that handles basic user interface functionality, such as a 'back to top' button and device-specific download links. It does not exhibit any high-risk behaviors like dynamic code execution, data exfiltration, or suspicious redirects. The script uses common jQuery methods and browser APIs, which are considered low-risk. While it includes some moderate-risk indicators like aggressive DOM manipulation, the overall context suggests this is a legitimate implementation of common web development practices." }
$('#to-top').click(function() { $('body,html').animate({scrollTop:0},1); return false; }); $(window).scroll(function() { const scrollTop = $(window).scrollTop(); const windowHeight = $(window).height(); if (scrollTop > 200 ) { $('#to-top').fadeIn(1).css('display', 'flex'); } else { $('#to-top').fadeOut(1).css('display', 'none'); } }); // function getOperatingSystem() { var userAgent = navigator.userAgent \|\| navigator.vendor \|\| window.opera; if (/android/i.test(userAgent)) { return "android"; } if (/iPad\|iPhone\|iPod/.test(userAgent) && !window.MSStream) { return "ios"; } return "pc"; } if(getOperatingSystem()=="android"){ $(".down-link").css("display",'none') $(".down-link.android").css("display",'inline-block') } if(getOperatingSystem()=="ios"){ $(".down-link").css("display",'none') $(".down-link.ios").css("display",'inline-block') } // $("header .nav.open").on("touchmove",function(event){ event.preventDefault(); }) $('#nav-btn').click(function(){ if ($(this).hasClass('open')) { $(this).removeClass('open') $('header .nav').removeClass('open') } else { $(this).addClass('open') $('header .nav').addClass('open') } })
URL: https://www.telegram-gd.com/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Telegram", "prominent_button_name": " Telegram", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": true, "contains_fake_security_alerts": false }

URL: https://www.telegram-gd.com/ Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62891960
Entropy (8bit):	7.997907680828508
Encrypted:	true
SSDEEP:	786432:77srvs1bSCxuEKvJCDAJ8W/Db6RvFosNCGtXoVaC3DIRJO734MD7EoBRwyV87/U0:3srB0XW/Dm9FFj0KJ04M0Tv7UmNUKBQc
MD5:	D08BDF8F0948938687A6E0C1044E1962
SHA1:	3D36EADA36219A56229A310174A94656C01EF002
SHA-256:	D26E5D31133EA655D4DD0066EF5A850015B20D754ABC5FFC34A1D721D2D3101C
SHA-512:	7EB70D1C8D8281CD020288D3C5728DAFC30385F834984B85803D900C9279AF19DB88ED8E4B07D98C8C7B04D0D739E9A0F00E67595010D8A8A1ABCC13E4C2E5F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{g.................t...h.......[............@...........................@......R....@..................................n..h.....>..............n...9....@..................................... .>.@............................................text....r.......................... ..`.rdata..PV..........................@..@.data...$...........................@....g=V....a0p......................... ..`.TNH................................@....g\O.....~... ...................... ..`.rsrc.........>.....................@..@.reloc........@......f..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1433
Entropy (8bit):	5.071052052825446
Encrypted:	false
SSDEEP:	24:LZAqSYffhgiJogiJjWIpmgiJogiJUwOgiJfKgiJogiJFTASYgiJbKgiJTSYgiJo7:LZAqnhgGogGbogGogGpOgGygGogGpcgy
MD5:	F09E0C303A0BE9769D3B95D8B60ABF60
SHA1:	E417871E529F06C10C446B7E15B48548DA4935F2
SHA-256:	59538ECFF9A72199F1B98E18E655DBA48FE3640BD15734ABE88241F8C63E07FF
SHA-512:	A82CEB59BBCE5CF3A6DEBAE21B6B9CC3C7572B823BD982EF7B9F0DFA5B9FD8C8DD3C7FFB5E731C7023CC0628FC7EE3946C27DBFB651A59F287ACEBF684119CE6
Malicious:	false
Reputation:	low
Preview:	01/11/2025 7:20 PM: Unpack: C:\Users\user\Downloads\shater.zip..01/11/2025 7:20 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\3orywyhy.gn2..01/11/2025 7:20 PM: Received from standard out: ..01/11/2025 7:20 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..01/11/2025 7:20 PM: Received from standard out: ..01/11/2025 7:20 PM: Received from standard out: Scanning the drive for archives:..01/11/2025 7:20 PM: Received from standard out: 1 file, 62506228 bytes (60 MiB)..01/11/2025 7:20 PM: Received from standard out: ..01/11/2025 7:20 PM: Received from standard out: Extracting archive: C:\Users\user\Downloads\shater.zip..01/11/2025 7:20 PM: Received from standard out: --..01/11/2025 7:20 PM: Received from standard out: Path = C:\Users\user\Downloads\shater.zip..01/11/2025 7:20 PM: Received from standard out: Type = zip..01/11/2025 7:20 PM: Received from standard out: Physical Size = 62506228..01/11/2025 7:20 PM: Received from standard o

C:\Users\user\Downloads\6d02d947-acc6-49aa-a9ac-9af46163f28d.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	15878
Entropy (8bit):	7.9820935497762715
Encrypted:	false
SSDEEP:	384:jgWa2pZ6u6GWVrJqYchD2fyXwu4Mf2syUY7cMZDEtPTTG:Zxsu6GWrJu2fVu4M1ylPDEtPTTG
MD5:	23F5295748B895D0BF4B38A15C8367F3
SHA1:	A7A9A394C2D53B01496EC16618FEEF3CFDF5D5E0
SHA-256:	70CF35DB75C0F59B08ADB11FEC2D99F9EE82DC0FD425AEC03516D2FF5002D1FB
SHA-512:	A0E9C1394B32D6A52973C13156ACBBA675998FBB11B104FDFB2F67B5E675ACB6269E4A66CFF048CD5990E6F004D50E436BE47CD8365FE04D883D9357513359E3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ZipBomb, Description: Yara detected ZipBomb, Source: C:\Users\user\Downloads\6d02d947-acc6-49aa-a9ac-9af46163f28d.tmp, Author: Joe Security
Reputation:	low
Preview:	PK.........&Z.<.~..........shater.exe.y<To.7<....2..f....f4...l....i.2.e.L....H.../1.d...!.%C...}.k\|..}.~........u.W.....\.:..y.sM.>q....`..@...a.=.1..#..-S.X.).j.(.qj...:vN...SG..:..p...S!...=.R..Iu..=.'N..1......2\m1.'.I...G.{...Q...i.&D........>....#...k'.E1.1...9..1q....vgA..k.RFa.........8(Hx..m.w>....5P.%.0k.0....P..&a..#..P..&..0.9r).......B..P.`......9..i/.?...yX..F.f.huN.b.V....n.+..........S.^...^h?....a[/u..tX/..[h.]..a.A.0...5...}.;...6.m......\.Zx.g.........=F.0R..............IiKO..W...H_....%~.x....3..'.<\.g)$.1.%/.O.[.F.....ce...~6^.o.R...}..R.W..........&..%..7..]&[xG..iE.t.I......8r.5...]Z.5..$K..2..$yXA.........V.Zh.f...6..h..........{.......w).Q.U .Kj.........@......1.:...e.0........@.6:.,G .....?.,.X.....2.Jb..\.a.....b.......bP.Q.......N..b.u.).........S..C.C...h....(Y..fl.5\.......H.qR..N.eX@..............s....XUtI.$".6..'..U..W.Y?....W..].1-.\.I.+.r9.n..........:.i....WrX#...H#L..`9.z.n....R...F7....7..,....p.v.....U.pn.9B%.-...

C:\Users\user\Downloads\73c1b1fc-0e18-48dd-8730-e3811dedf735.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	7698
Entropy (8bit):	7.9682614377655145
Encrypted:	false
SSDEEP:	192:jgO1oQg2IwZUvN88/an37CGWVr54fs987YchD2f3CnXwn9:jgWa2pZ6u6GWVrJqYchD2fyXw9
MD5:	B5450D3A0106CAFD79BB0739EE068A0E
SHA1:	FA64376E8FF79B55703B1B0A071CF177F394DB2F
SHA-256:	B716B2CDD6B10700236D917056004CD783641F977779ABB3F83CA991401BD739
SHA-512:	8204E3B804B4D53FC40FBE1B9181B2F538F47F23A2573A590128D4DFB56CE6414781BE4F29240B7757843336551BAE5606CA86C3A79F127E828CE80234FCE02C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ZipBomb, Description: Yara detected ZipBomb, Source: C:\Users\user\Downloads\73c1b1fc-0e18-48dd-8730-e3811dedf735.tmp, Author: Joe Security
Reputation:	low
Preview:	PK.........&Z.<.~..........shater.exe.y<To.7<....2..f....f4...l....i.2.e.L....H.../1.d...!.%C...}.k\|..}.~........u.W.....\.:..y.sM.>q....`..@...a.=.1..#..-S.X.).j.(.qj...:vN...SG..:..p...S!...=.R..Iu..=.'N..1......2\m1.'.I...G.{...Q...i.&D........>....#...k'.E1.1...9..1q....vgA..k.RFa.........8(Hx..m.w>....5P.%.0k.0....P..&a..#..P..&..0.9r).......B..P.`......9..i/.?...yX..F.f.huN.b.V....n.+..........S.^...^h?....a[/u..tX/..[h.]..a.A.0...5...}.;...6.m......\.Zx.g.........=F.0R..............IiKO..W...H_....%~.x....3..'.<\.g)$.1.%/.O.[.F.....ce...~6^.o.R...}..R.W..........&..%..7..]&[xG..iE.t.I......8r.5...]Z.5..$K..2..$yXA.........V.Zh.f...6..h..........{.......w).Q.U .Kj.........@......1.:...e.0........@.6:.,G .....?.,.X.....2.Jb..\.a.....b.......bP.Q.......N..b.u.).........S..C.C...h....(Y..fl.5\.......H.qR..N.eX@..............s....XUtI.$".6..'..U..W.Y?....W..].1-.\.I.+.r9.n..........:.i....WrX#...H#L..`9.z.n....R...F7....7..,....p.v.....U.pn.9B%.-...

C:\Users\user\Downloads\b50add30-32dd-4a3b-80b7-9353c2bcf7ee.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	7698
Entropy (8bit):	7.9682614377655145
Encrypted:	false
SSDEEP:	192:jgO1oQg2IwZUvN88/an37CGWVr54fs987YchD2f3CnXwn9:jgWa2pZ6u6GWVrJqYchD2fyXw9
MD5:	B5450D3A0106CAFD79BB0739EE068A0E
SHA1:	FA64376E8FF79B55703B1B0A071CF177F394DB2F
SHA-256:	B716B2CDD6B10700236D917056004CD783641F977779ABB3F83CA991401BD739
SHA-512:	8204E3B804B4D53FC40FBE1B9181B2F538F47F23A2573A590128D4DFB56CE6414781BE4F29240B7757843336551BAE5606CA86C3A79F127E828CE80234FCE02C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ZipBomb, Description: Yara detected ZipBomb, Source: C:\Users\user\Downloads\b50add30-32dd-4a3b-80b7-9353c2bcf7ee.tmp, Author: Joe Security
Reputation:	low
Preview:	PK.........&Z.<.~..........shater.exe.y<To.7<....2..f....f4...l....i.2.e.L....H.../1.d...!.%C...}.k\|..}.~........u.W.....\.:..y.sM.>q....`..@...a.=.1..#..-S.X.).j.(.qj...:vN...SG..:..p...S!...=.R..Iu..=.'N..1......2\m1.'.I...G.{...Q...i.&D........>....#...k'.E1.1...9..1q....vgA..k.RFa.........8(Hx..m.w>....5P.%.0k.0....P..&a..#..P..&..0.9r).......B..P.`......9..i/.?...yX..F.f.huN.b.V....n.+..........S.^...^h?....a[/u..tX/..[h.]..a.A.0...5...}.;...6.m......\.Zx.g.........=F.0R..............IiKO..W...H_....%~.x....3..'.<\.g)$.1.%/.O.[.F.....ce...~6^.o.R...}..R.W..........&..%..7..]&[xG..iE.t.I......8r.5...]Z.5..$K..2..$yXA.........V.Zh.f...6..h..........{.......w).Q.U .Kj.........@......1.:...e.0........@.6:.,G .....?.,.X.....2.Jb..\.a.....b.......bP.Q.......N..b.u.).........S..C.C...h....(Y..fl.5\.......H.qR..N.eX@..............s....XUtI.$".6..'..U..W.Y?....W..].1-.\.I.+.r9.n..........:.i....WrX#...H#L..`9.z.n....R...F7....7..,....p.v.....U.pn.9B%.-...

C:\Users\user\Downloads\shater (1).zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	53072818
Entropy (8bit):	7.91404587209446
Encrypted:	false
SSDEEP:	786432:t5zyzBk7zmMNMcyv3edyfmkjrvCN/tmiFSqndoj+6BBUhT4rbYgVDICBPqc18pp:fyzJWdkjrKNtdBo0TqYgmTPL
MD5:	59F9361E017FBE163D770E8219D66DB6
SHA1:	6933496A302E2FE5A5AE9A0E09D9F37458C40D90
SHA-256:	62F6C2B2FDABDE3F8CDD9825923BDB372A31AA7210500157470BD51E70814D2A
SHA-512:	3E1D380F9A9F28AE6C257B8F421102CD7BB2691B5738015A751601278494D316D9279729C8FAA964F87A7D3582504A084D6C505ABE0415882EC2233A26BC4F7E
Malicious:	false
Reputation:	low
Preview:	PK.........&Z.<.~..........shater.exe.y<To.7<....2..f....f4...l....i.2.e.L....H.../1.d...!.%C...}.k\|..}.~........u.W.....\.:..y.sM.>q....`..@...a.=.1..#..-S.X.).j.(.qj...:vN...SG..:..p...S!...=.R..Iu..=.'N..1......2\m1.'.I...G.{...Q...i.&D........>....#...k'.E1.1...9..1q....vgA..k.RFa.........8(Hx..m.w>....5P.%.0k.0....P..&a..#..P..&..0.9r).......B..P.`......9..i/.?...yX..F.f.huN.b.V....n.+..........S.^...^h?....a[/u..tX/..[h.]..a.A.0...5...}.;...6.m......\.Zx.g.........=F.0R..............IiKO..W...H_....%~.x....3..'.<\.g)$.1.%/.O.[.F.....ce...~6^.o.R...}..R.W..........&..%..7..]&[xG..iE.t.I......8r.5...]Z.5..$K..2..$yXA.........V.Zh.f...6..h..........{.......w).Q.U .Kj.........@......1.:...e.0........@.6:.,G .....?.,.X.....2.Jb..\.a.....b.......bP.Q.......N..b.u.).........S..C.C...h....(Y..fl.5\.......H.qR..N.eX@..............s....XUtI.$".6..'..U..W.Y?....W..].1-.\.I.+.r9.n..........:.i....WrX#...H#L..`9.z.n....R...F7....7..,....p.v.....U.pn.9B%.-...

C:\Users\user\Downloads\shater (2).zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	23806770
Entropy (8bit):	7.922984832383541
Encrypted:	false
SSDEEP:	393216:tX56P6bzyzkIPDHAr8ToylFR6zVwMYkBIqcB6yv3eKYhsbQM93MkjDXvCGS:t5zyzBk7zmMNMcyv3edyfmkjrvCN
MD5:	8219ED0EFCB0B053DFA58F5495F261AA
SHA1:	D92086ADF4EF7DCFB1EB71AF6560AE106F0F2D1E
SHA-256:	8F0CC8E0CD9AA6BB3BC01A37DF46B599922AB4B5A60AC30AA8C73FAE9EFE68EF
SHA-512:	07A1A26DAA57C0D96498BAEB29D8E8B79B8A71DFEE0FFA1A6D5E8791242EAA093B73083E14AD846AB1E90AB137784162D3E759E0C7314D0AFACCE2EB4A452031
Malicious:	false
Reputation:	low
Preview:	PK.........&Z.<.~..........shater.exe.y<To.7<....2..f....f4...l....i.2.e.L....H.../1.d...!.%C...}.k\|..}.~........u.W.....\.:..y.sM.>q....`..@...a.=.1..#..-S.X.).j.(.qj...:vN...SG..:..p...S!...=.R..Iu..=.'N..1......2\m1.'.I...G.{...Q...i.&D........>....#...k'.E1.1...9..1q....vgA..k.RFa.........8(Hx..m.w>....5P.%.0k.0....P..&a..#..P..&..0.9r).......B..P.`......9..i/.?...yX..F.f.huN.b.V....n.+..........S.^...^h?....a[/u..tX/..[h.]..a.A.0...5...}.;...6.m......\.Zx.g.........=F.0R..............IiKO..W...H_....%~.x....3..'.<\.g)$.1.%/.O.[.F.....ce...~6^.o.R...}..R.W..........&..%..7..]&[xG..iE.t.I......8r.5...]Z.5..$K..2..$yXA.........V.Zh.f...6..h..........{.......w).Q.U .Kj.........@......1.:...e.0........@.6:.,G .....?.,.X.....2.Jb..\.a.....b.......bP.Q.......N..b.u.).........S..C.C...h....(Y..fl.5\.......H.qR..N.eX@..............s....XUtI.$".6..'..U..W.Y?....W..].1-.\.I.+.r9.n..........:.i....WrX#...H#L..`9.z.n....R...F7....7..,....p.v.....U.pn.9B%.-...

C:\Users\user\Downloads\shater (3).zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	4672654
Entropy (8bit):	7.943416422576459
Encrypted:	false
SSDEEP:	98304:tXJd7Ro5xlMIVgiYISdhjyspy8lCF1RBVCc6IGu5jN/HArC:tX5oXlPpYV/j5pyzRKc6IGuDHAr
MD5:	A9EF852D891960F6E251EC6B08A1AAD6
SHA1:	BCDC7C1FA6A84FCCA2A0444FAC4075BFC4E8BF3F
SHA-256:	7B6FA5DC7FC452AF37398D402D670852C6A62398D87E376224C61AB2D6A0D006
SHA-512:	02859946671F0E2791AC3C5A50A0A7332D43EC6500D7D32BDE58E694E6961ADD2F17E282C6BC7894B22451255FA177CEF472EC8B3461707C0C1E51B1AD1635DD
Malicious:	false
Reputation:	low
Preview:	PK.........&Z.<.~..........shater.exe.y<To.7<....2..f....f4...l....i.2.e.L....H.../1.d...!.%C...}.k\|..}.~........u.W.....\.:..y.sM.>q....`..@...a.=.1..#..-S.X.).j.(.qj...:vN...SG..:..p...S!...=.R..Iu..=.'N..1......2\m1.'.I...G.{...Q...i.&D........>....#...k'.E1.1...9..1q....vgA..k.RFa.........8(Hx..m.w>....5P.%.0k.0....P..&a..#..P..&..0.9r).......B..P.`......9..i/.?...yX..F.f.huN.b.V....n.+..........S.^...^h?....a[/u..tX/..[h.]..a.A.0...5...}.;...6.m......\.Zx.g.........=F.0R..............IiKO..W...H_....%~.x....3..'.<\.g)$.1.%/.O.[.F.....ce...~6^.o.R...}..R.W..........&..%..7..]&[xG..iE.t.I......8r.5...]Z.5..$K..2..$yXA.........V.Zh.f...6..h..........{.......w).Q.U .Kj.........@......1.:...e.0........@.6:.,G .....?.,.X.....2.Jb..\.a.....b.......bP.Q.......N..b.u.).........S..C.C...h....(Y..fl.5\.......H.qR..N.eX@..............s....XUtI.$".6..'..U..W.Y?....W..].1-.\.I.+.r9.n..........:.i....WrX#...H#L..`9.z.n....R...F7....7..,....p.v.....U.pn.9B%.-...

C:\Users\user\Downloads\shater.zip (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	62506228
Entropy (8bit):	7.999978556244661
Encrypted:	true
SSDEEP:	786432:t5zyzBk7zmMNMcyv3edyfmkjrvCN/tmiFSqndoj+6BBUhT4rbYgVDICBPqc18pp0:fyzJWdkjrKNtdBo0TqYgmTPL/ebSwR
MD5:	115C3122F43560D183BF64DF477C0475
SHA1:	EA54DAC9BEBE5DCAC44D68AD09E792790BB5C20A
SHA-256:	B7441EDB597F80DDC54CC93A144BCA4D16F122CB197AD3D87D861DCD9D729351
SHA-512:	C97C124D85639B7BF43DFE25F7681EFDB52D568303548BA44BF564BA482AE508A31065A352303714C2D200FB33EF9E0615B2D5AC866C2CB15B374E2E811545A7
Malicious:	true
Reputation:	low
Preview:	PK.........&Z.<.~..........shater.exe.y<To.7<....2..f....f4...l....i.2.e.L....H.../1.d...!.%C...}.k\|..}.~........u.W.....\.:..y.sM.>q....`..@...a.=.1..#..-S.X.).j.(.qj...:vN...SG..:..p...S!...=.R..Iu..=.'N..1......2\m1.'.I...G.{...Q...i.&D........>....#...k'.E1.1...9..1q....vgA..k.RFa.........8(Hx..m.w>....5P.%.0k.0....P..&a..#..P..&..0.9r).......B..P.`......9..i/.?...yX..F.f.huN.b.V....n.+..........S.^...^h?....a[/u..tX/..[h.]..a.A.0...5...}.;...6.m......\.Zx.g.........=F.0R..............IiKO..W...H_....%~.x....3..'.<\.g)$.1.%/.O.[.F.....ce...~6^.o.R...}..R.W..........&..%..7..]&[xG..iE.t.I......8r.5...]Z.5..$K..2..$yXA.........V.Zh.f...6..h..........{.......w).Q.U .Kj.........@......1.:...e.0........@.6:.,G .....?.,.X.....2.Jb..\.a.....b.......bP.Q.......N..b.u.).........S..C.C...h....(Y..fl.5\.......H.qR..N.eX@..............s....XUtI.$".6..'..U..W.Y?....W..].1-.\.I.+.r9.n..........:.i....WrX#...H#L..`9.z.n....R...F7....7..,....p.v.....U.pn.9B%.-...

C:\Users\user\Downloads\shater.zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	62506228
Entropy (8bit):	7.999978556244661
Encrypted:	true
SSDEEP:	786432:t5zyzBk7zmMNMcyv3edyfmkjrvCN/tmiFSqndoj+6BBUhT4rbYgVDICBPqc18pp0:fyzJWdkjrKNtdBo0TqYgmTPL/ebSwR
MD5:	115C3122F43560D183BF64DF477C0475
SHA1:	EA54DAC9BEBE5DCAC44D68AD09E792790BB5C20A
SHA-256:	B7441EDB597F80DDC54CC93A144BCA4D16F122CB197AD3D87D861DCD9D729351
SHA-512:	C97C124D85639B7BF43DFE25F7681EFDB52D568303548BA44BF564BA482AE508A31065A352303714C2D200FB33EF9E0615B2D5AC866C2CB15B374E2E811545A7
Malicious:	false
Reputation:	low
Preview:	PK.........&Z.<.~..........shater.exe.y<To.7<....2..f....f4...l....i.2.e.L....H.../1.d...!.%C...}.k\|..}.~........u.W.....\.:..y.sM.>q....`..@...a.=.1..#..-S.X.).j.(.qj...:vN...SG..:..p...S!...=.R..Iu..=.'N..1......2\m1.'.I...G.{...Q...i.&D........>....#...k'.E1.1...9..1q....vgA..k.RFa.........8(Hx..m.w>....5P.%.0k.0....P..&a..#..P..&..0.9r).......B..P.`......9..i/.?...yX..F.f.huN.b.V....n.+..........S.^...^h?....a[/u..tX/..[h.]..a.A.0...5...}.;...6.m......\.Zx.g.........=F.0R..............IiKO..W...H_....%~.x....3..'.<\.g)$.1.%/.O.[.F.....ce...~6^.o.R...}..R.W..........&..%..7..]&[xG..iE.t.I......8r.5...]Z.5..$K..2..$yXA.........V.Zh.f...6..h..........{.......w).Q.U .Kj.........@......1.:...e.0........@.6:.,G .....?.,.X.....2.Jb..\.a.....b.......bP.Q.......N..b.u.).........S..C.C...h....(Y..fl.5\.......H.qR..N.eX@..............s....XUtI.$".6..'..U..W.Y?....W..].1-.\.I.+.r9.n..........:.i....WrX#...H#L..`9.z.n....R...F7....7..,....p.v.....U.pn.9B%.-...

Chrome Cache Entry: 58

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1331
Entropy (8bit):	5.130415263980162
Encrypted:	false
SSDEEP:	24:sSaDlMfl2HgSE98vJ34apncroPi3i436P8oe6uPBoND7S:sSaDafoASE98vB5TP+JOCP+du
MD5:	EBB3C870BBCA875F5CEEDE01DFD5AC71
SHA1:	8CC3CDB83C7463D5F4610BE553B2CE9034DDB2A8
SHA-256:	5D980CE2F83A0AF6CECA8264539E0380FF235E8C621BCA2F22F1BC2DB9B4FA5F
SHA-512:	A7D4F42F3327F36392E306EB99199B8ABBE8AB64771D99C67D87F4650C051D9A780049C844F3DF4C03AD9F7E710DAC6FC367388CB1E4EE3B41B1DF5E0A7D2E1C
Malicious:	false
Reputation:	low
Preview:	$('#to-top').click(function() {.. $('body,html').animate({scrollTop:0},1);.. return false;..});....$(window).scroll(function() {.. const scrollTop = $(window).scrollTop();.. const windowHeight = $(window).height();.. if (scrollTop > 200 ) {.. $('#to-top').fadeIn(1).css('display', 'flex');.. } else {.. $('#to-top').fadeOut(1).css('display', 'none');.. }..});....// ........function getOperatingSystem() {.. var userAgent = navigator.userAgent \|\| navigator.vendor \|\| window.opera;.. if (/android/i.test(userAgent)) {.. return "android";.. }.. if (/iPad\|iPhone\|iPod/.test(userAgent) && !window.MSStream) {.. return "ios";.. }.. return "pc";..}....if(getOperatingSystem()=="android"){.. $(".down-link").css("display",'none').. $(".down-link.android").css("display",'inline-block')..}..if(getOperatingSystem()=="ios"){.. $(".down-link").css("display",'none').. $(".down-link.ios").css("display",'inline-block')..

Chrome Cache Entry: 59

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.157520760822341
Encrypted:	false
SSDEEP:	48:er7z41Fi4mXEJyfetrETUzkPPgl0TzcHdCC8ZzsVhRItkhXj4FOKWXG8Q:u7z41c4mXEpHzk3gqzNCBKwKWWB
MD5:	975B4112A366CCA6B9BF2C84E268268C
SHA1:	97992BEA1D222B36E9B77B1E0E2C9F0CFDE0CCF5
SHA-256:	181349B08B8DA309823B3B6A670CE13581FF82AF7B03DB71BA60C705D0620261
SHA-512:	1440CD81F276F753DE3B6DFC7851D569689E998F14C55DCE698F68B4487D36E18B9D010DE66EC791FC97704CCC674AB65B26AC46F298A97B664FFE7BCCC90034
Malicious:	false
Reputation:	low
Preview:	...... .... .........(... ...@..... ..................................................................+..+G.'..(..)..(..)..(..(..'..(G.+..........................................................................+..)..(..(..(..(..(..(..(..(..(..(..(..(..)..+..........................................................I..)..)..)..)..(..)..(..(..(..(..(..(..(..(..(..(..)..)..I..............................................+..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..+......................................,..+....)....)..)....)......)....)..)..)..)..)..)..)..)..)....--.............................+..+..............................................+..+......................I....+..............+....+..+..+..+..+..+....+......+....+..+....,..I..................+..+..+..+..+..+..+..+..

Chrome Cache Entry: 60

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 82 x 82, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4046
Entropy (8bit):	7.920916892238825
Encrypted:	false
SSDEEP:	96:RbRrGGHaQ56d4ddwpysPP5m20/JexcgBY9B3zFexTR3oAetdR:5ZGGHaa6addwpyw8JJz9FzQx9hetdR
MD5:	E67B727975AD821985059F20F52E0A0D
SHA1:	F64D5CA1F4AD157047E25D7C97E1AD3A67328F39
SHA-256:	6D8CF0D773DFC943BDA88D8F56B58BCEDF9E901BAC2F8F537677A1670A42F0E8
SHA-512:	87B653D978E2876A7E5EEB3DFAA9F368043BD70F3C184A18B9CA3F20D695E333A1DDA628ACEA981070BFCF41CD503BB2B82EAA1148DA2CD5B80826AB78D68051
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...R...R......,......sRGB.........IDATx^..p....wW..%K...;....!.G.mb......P..I..0..&i.:...LB..I8..BK.8C.r.......>.]..9...x.c\|.........i..Y.V.;..h$..........}.8......J-.+....I...$.>F.~.^.h....! G..H.D...7P.7.(..~..>w....;`..p.^......EQ)8.'....q..........>....0..n.7Y..+.o..?~\|..a.$..t.....@.q...../..1...q..a.f...m2.....U#P..4. ]..P./^.KOO_KQT.......Z.......5..(7.Z..~....$Z'.\....g.}v.D"y......\Q..b.SWW./33..P).."jp.....W.XA.8p.U.T.'......K3..t...w........<..~.'&H6p.O{{.....#8.?."..0..w....}.3...L1@r.Bbppp.B..aX.H.D..a...d.T?.0...hc.. Q.....%'N..GQ...<@.X....&Mz]......5....H...7o....D"Y....Z..n.r...+..<h.... .ylTv@.Z".<'jo.\..f...7..............K677.N....; ............Dt8n.vs_A.........5..e..Z...R..... .... az.B4../.T.#.Z.....r.Z}.W.B@.y...k.'M.t..0.@FV..t.a.!...*..x.\....q...p..0.k.eh...1.....F."9_....(..l.K$.t!......].`A.'..Z....,..o...?.Hh.v...$._9@...SJ.0....../W.V...C;I..q.G...].T..;6..Z".D......uxxx1..M....HT. .....u...H.F..JJJ..

Chrome Cache Entry: 61

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 301 x 240
Category:	downloaded
Size (bytes):	156249
Entropy (8bit):	7.608393473228352
Encrypted:	false
SSDEEP:	3072:TTpcMmfppWKA/htQCTa6h13S6Yor5rHHVIfMPMt764CUTaul51OYzDNK:T1cMMppO/w6D3SfortnVIfqMtkUTr5Fk
MD5:	8A7FCB18354643CD37C53ED3D45014D8
SHA1:	56A801636FD6A6AE563F90FBD765BEA8AB26C501
SHA-256:	7BEE57D569F9AA5F2FECCE78533DA1A0BAEBC86D446C04B4C58BFFBB99727AFD
SHA-512:	DC63E15A539BC51DE216A75F4E4F0CC2786C8F0A68741A6668ECEDEC59951DB7397AB7B02AC09E6893600F07BE050F28C84C379DDB6C0ABFF7038DD557385633
Malicious:	false
Reputation:	low
URL:	https://image.sanxiang-sh.com/tg-06/Untitled.gif
Preview:	GIF89a-.........l..$.....H..H..H........H.....H........U.........HH..H..HU..U.HU..U.$........l......U....$U...........U.lUl...l..l..l..lU..U.$....l..$UH....Ull.H..$$.H..HH.HH....H.....H.UH........H..HU.UHHUH$.H..H..Hl.....U...H$UH........UHlU.l.Hl.l.U....H...Ul$..l..l..lU..U.$..$UH.U$..H..$..l.$H.$H........H..H......$.U$........lH..H..HU..U$HU..U$$.$..$..$l......U...$$U$..........U$lUH$..$..l..l..l..lU.$....$l..$Ul..l..l..lH.lH.....H......l.Ul.........H..HU..UlHUl$.l..l..ll......U...l$Ul..........UllU.l.ll...Ul.U.........................................................................................................................................................................................................................................................!..NETSCAPE2.0.....!.......,....-.......M..H.....>.Rh..T..@D..C.Ol`\|.PcC..7b.x..H..O.\Y.U#<}r..IS.MS6k..9.'A......s.Q.H{.U...R.M.>.i..=5..#....t.....kY.b..EkV..t..Kw.\.w...Kg...b...R..@.T.+^....#K.L.q..}.f.KW.W.

Chrome Cache Entry: 62

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 82", baseline, precision 8, 1024x607, components 3
Category:	dropped
Size (bytes):	111125
Entropy (8bit):	7.965807169323248
Encrypted:	false
SSDEEP:	3072:1Q7vuN6/0z5I2oJDb8kQMtEnrPHUBIO5a5BbR1wX7:yF0ODJDokQMCLHU0P6
MD5:	F259C331CB3DE1F8E04B2FF8D10B31A4
SHA1:	07E82849CFD34BBD84B801C01F643781014971B0
SHA-256:	DD971FABDEE03E3FF99F75A562FB9A93AC2AB282D3C667647E11C0CE958851DD
SHA-512:	FDD7F4EB834367CC36FA0C44E1C24DA9606715D949FDFB11D63374C99888281EA377897A1A9647AD93E06488937E81A02FE3FBDB187210753DBDD0D65AF3F973
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 82....C.....................................!........'.."#%%%..),($+!$%$...C...........$...$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$......_...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...(...(...(...(...f...\.f..f...5.i..j....g...9.4.`T.K.,..Fi..4X.;4f..3E..Fi........[...=i..u..=..5.?4f..R.P..Fi.....;4SsFE.:.J3@.E&is@..f...E..4.QFh...QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..Q.3@..f...E..4.QFh...Q.3@..f...E.P.E.P.E.P.E.

Chrome Cache Entry: 63

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	86923
Entropy (8bit):	5.288942392211126
Encrypted:	false
SSDEEP:	1536:hLiBdiaWLOczCmZx6+VWuGzQNOzdn6x2RZd9SEnk9HB96c9Yo/NWLbVj3kC6tv:nkn6x2xe9NK6nC6N
MD5:	B72AFE07A6F6F477120F3B0803D0A983
SHA1:	78EF8329A917D65F8BEDF5E1336724C6F5B80404
SHA-256:	F1A9C17B50D6278A694406D9E5DCE160F81AFD7A2683DFDF07F0651C38BDAA8E
SHA-512:	823B863FE8840923178A5CF7DA42AD9A99C019CA237C320C080338A0B96D95A4662405E91877372BF664E0B6947E70202958A6513727B450CF9D04D29F50DA26
Malicious:	false
Reputation:	low
URL:	https://www.telegram-gd.com/static/js/jquery.js
Preview:	/!jQuery v3.3.1 \| (c) JS Foundation and other contributors \| jquery.org/license/!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(e,t){"use strict";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return"function"==typeof t&&"number"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t\|\|r).createElement("script");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e\|\|"function"==typeof e?l[c.call(e)]\|\|"object":typeof e}var b="3.3.1",w=function(e,t){return new w.fn.init(e,t)},T=/

Chrome Cache Entry: 64

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1331
Entropy (8bit):	5.130415263980162
Encrypted:	false
SSDEEP:	24:sSaDlMfl2HgSE98vJ34apncroPi3i436P8oe6uPBoND7S:sSaDafoASE98vB5TP+JOCP+du
MD5:	EBB3C870BBCA875F5CEEDE01DFD5AC71
SHA1:	8CC3CDB83C7463D5F4610BE553B2CE9034DDB2A8
SHA-256:	5D980CE2F83A0AF6CECA8264539E0380FF235E8C621BCA2F22F1BC2DB9B4FA5F
SHA-512:	A7D4F42F3327F36392E306EB99199B8ABBE8AB64771D99C67D87F4650C051D9A780049C844F3DF4C03AD9F7E710DAC6FC367388CB1E4EE3B41B1DF5E0A7D2E1C
Malicious:	false
Reputation:	low
URL:	https://www.telegram-gd.com/static/js/public.js
Preview:	$('#to-top').click(function() {.. $('body,html').animate({scrollTop:0},1);.. return false;..});....$(window).scroll(function() {.. const scrollTop = $(window).scrollTop();.. const windowHeight = $(window).height();.. if (scrollTop > 200 ) {.. $('#to-top').fadeIn(1).css('display', 'flex');.. } else {.. $('#to-top').fadeOut(1).css('display', 'none');.. }..});....// ........function getOperatingSystem() {.. var userAgent = navigator.userAgent \|\| navigator.vendor \|\| window.opera;.. if (/android/i.test(userAgent)) {.. return "android";.. }.. if (/iPad\|iPhone\|iPod/.test(userAgent) && !window.MSStream) {.. return "ios";.. }.. return "pc";..}....if(getOperatingSystem()=="android"){.. $(".down-link").css("display",'none').. $(".down-link.android").css("display",'inline-block')..}..if(getOperatingSystem()=="ios"){.. $(".down-link").css("display",'none').. $(".down-link.ios").css("display",'inline-block')..

Chrome Cache Entry: 65

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	downloaded
Size (bytes):	3959
Entropy (8bit):	6.009835804870415
Encrypted:	false
SSDEEP:	48:toypqbl2blFu6Ppzb799CYU5lpHsJlwcI1EqFSsWTCL/Vzp0Qg/C8D0Q1uquuHcf:2Lbl2blFusRP9ZY5gI1EwWFO5hd
MD5:	72593A2CC096E130546D9B35F6150928
SHA1:	D12CB13AE51F3645811EDE93048C769DB9916D95
SHA-256:	E7ADD1938EE629974722825A33B136DB76BCA9975901551F4E0B7E9D371EBF36
SHA-512:	B8922F6DBF8516866C50B030C151BFC04A9C432B198965966A6DECB229D9FCEE343A4C5A08A83E3A76803A101ADDDDBFEE8F607A94D9DEC56E4D157065ED35B3
Malicious:	false
Reputation:	low
URL:	https://www.telegram-gd.com/
Preview:	<!DOCTYPE html>..<html lang="zh-CN">..<head>...<meta charset="UTF-8">...<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />...<title>telegram.. - TG.....,.......,........</title>...<meta name="Keywords" content="Telegram.......telegram...........................................">...<meta name="Description" content="Telegram.......telegram...........................................">...<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no" />...<meta name="baidu-site-verification" content="codeva-b7QlsyZZJI" />...<link href="https://image.sanxiang-sh.com/telegram-favicon.ico" rel="shortcut icon">...<link rel="stylesheet" href="/static/css/style.min.css" />...<

Chrome Cache Entry: 66

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 82", baseline, precision 8, 1024x607, components 3
Category:	downloaded
Size (bytes):	111125
Entropy (8bit):	7.965807169323248
Encrypted:	false
SSDEEP:	3072:1Q7vuN6/0z5I2oJDb8kQMtEnrPHUBIO5a5BbR1wX7:yF0ODJDokQMCLHU0P6
MD5:	F259C331CB3DE1F8E04B2FF8D10B31A4
SHA1:	07E82849CFD34BBD84B801C01F643781014971B0
SHA-256:	DD971FABDEE03E3FF99F75A562FB9A93AC2AB282D3C667647E11C0CE958851DD
SHA-512:	FDD7F4EB834367CC36FA0C44E1C24DA9606715D949FDFB11D63374C99888281EA377897A1A9647AD93E06488937E81A02FE3FBDB187210753DBDD0D65AF3F973
Malicious:	false
Reputation:	low
URL:	https://image.sanxiang-sh.com/tg-06/2-1024x607.jpg
Preview:	......JFIF.....`.`.....;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 82....C.....................................!........'.."#%%%..),($+!$%$...C...........$...$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$......_...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...(...(...(...(...f...\.f..f...5.i..j....g...9.4.`T.K.,..Fi..4X.;4f..3E..Fi........[...=i..u..=..5.?4f..R.P..Fi.....;4SsFE.:.J3@.E&is@..f...E..4.QFh...QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..Q.3@..f...E..4.QFh...Q.3@..f...E.P.E.P.E.P.E.

Chrome Cache Entry: 67

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 25.11 (Macintosh), datetime=2024:08:13 14:47:32], progressive, precision 8, 600x378, components 3
Category:	downloaded
Size (bytes):	267441
Entropy (8bit):	7.517922094204864
Encrypted:	false
SSDEEP:	6144:JRbRgCZgQnFhzFx1f54Qd1c6uRgKzO27Dahl:hFB1f5lSVu
MD5:	8A8A62973B2EC0DECA1F66218DD051A4
SHA1:	9C4CD9C48726D8348BB30291C4C5D8BE4FF48D0D
SHA-256:	3F831EE741D3D5A23A7E1A95065284AD2736AB85BB12ED85B13E5CFE579855C2
SHA-512:	0AD95B73EBB844F32A8899A770709451B9955D8FF491BE3E143C276B6698B338D91FCF0E0FAA51D921AC1A6D5A0E16D0969AE932B1ECDE147539961D744FF857
Malicious:	false
Reputation:	low
URL:	https://image.sanxiang-sh.com/tg-06/3.jpg
Preview:	....&.Exif..MM..............................b...........j.(...........1....."...r.2...........i....................'.......'.Adobe Photoshop 25.11 (Macintosh).2024:08:13 14:47:32..........................X...........z..............................."............(.....................2..........%........H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................e...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..BCAq0........a..r.\;4.@.../..60....G>.}.3.s..V.K[f.h3.......b..1-.Z....-...?.>.o...sY[l....k.$..............fR~..>...p.mo.e.G.._..^..S..%...n.t.d}..

Chrome Cache Entry: 68

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 25.11 (Macintosh), datetime=2024:08:13 14:47:32], progressive, precision 8, 600x378, components 3
Category:	dropped
Size (bytes):	171478
Entropy (8bit):	6.9569385318733845
Encrypted:	false
SSDEEP:	3072:OuRCc0juRCc0gA1Cg0ZZaQn6YhlRs7Wx19B54ytqyxLab:JRbRgCZgQnFhzFx1f54Qd+
MD5:	0314E06E81712DF08BF3083C610A926A
SHA1:	33EA30729F45106398470F848FFB80BE31552AF2
SHA-256:	1E08CB1CD3753A6B363E67683E1E90B91CEB687E6DE6FAB2678545F8A136272F
SHA-512:	7527F34B5A02724990FF52AC0B70FE0486FF0414E7CC4E63DD49E36FA4AEDD4E476FDCB82178AA60A71774CC2E23E00A61432DB717183868F9E37053BF0AA1A2
Malicious:	false
Reputation:	low
Preview:	....&.Exif..MM..............................b...........j.(...........1....."...r.2...........i....................'.......'.Adobe Photoshop 25.11 (Macintosh).2024:08:13 14:47:32..........................X...........z..............................."............(.....................2..........%........H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................e...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..BCAq0........a..r.\;4.@.../..60....G>.}.3.s..V.K[f.h3.......b..1-.Z....-...?.>.o...sY[l....k.$..............fR~..>...p.mo.e.G.._..^..S..%...n.t.d}..

Chrome Cache Entry: 69

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	86923
Entropy (8bit):	5.288942392211126
Encrypted:	false
SSDEEP:	1536:hLiBdiaWLOczCmZx6+VWuGzQNOzdn6x2RZd9SEnk9HB96c9Yo/NWLbVj3kC6tv:nkn6x2xe9NK6nC6N
MD5:	B72AFE07A6F6F477120F3B0803D0A983
SHA1:	78EF8329A917D65F8BEDF5E1336724C6F5B80404
SHA-256:	F1A9C17B50D6278A694406D9E5DCE160F81AFD7A2683DFDF07F0651C38BDAA8E
SHA-512:	823B863FE8840923178A5CF7DA42AD9A99C019CA237C320C080338A0B96D95A4662405E91877372BF664E0B6947E70202958A6513727B450CF9D04D29F50DA26
Malicious:	false
Reputation:	low
Preview:	/!jQuery v3.3.1 \| (c) JS Foundation and other contributors \| jquery.org/license/!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(e,t){"use strict";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return"function"==typeof t&&"number"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t\|\|r).createElement("script");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e\|\|"function"==typeof e?l[c.call(e)]\|\|"object":typeof e}var b="3.3.1",w=function(e,t){return new w.fn.init(e,t)},T=/

Chrome Cache Entry: 70

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	downloaded
Size (bytes):	3788814
Entropy (8bit):	7.999755190483709
Encrypted:	true
SSDEEP:	98304:tXJd7Ro5xlMIVgiYISdhjyspy8lCF1RBVCcu:tX5oXlPpYV/j5pyzRKcu
MD5:	58E91D3FD9B98F0174B49D9F656A74A2
SHA1:	2C75D810AEB2B426C5E6B67F9560513E9B75C91F
SHA-256:	56E795A07A15010D2BD0CCA84235ECCD33F5FB8275B3D7336D3003C610C81973
SHA-512:	C9F1F2810CDB49D65B6609C7C9AD75C846A8944BD84FC7AABFE2DED7AD7E13EFA88420F0C240A9F9E5F6365DFE5E57950595272900DB23BE1FDE63920F5B13BD
Malicious:	false
Reputation:	low
URL:	https://00-25-1333705940.cos.ap-hongkong.myqcloud.com/shater.zip
Preview:	PK.........&Z.<.~..........shater.exe.y<To.7<....2..f....f4...l....i.2.e.L....H.../1.d...!.%C...}.k\|..}.~........u.W.....\.:..y.sM.>q....`..@...a.=.1..#..-S.X.).j.(.qj...:vN...SG..:..p...S!...=.R..Iu..=.'N..1......2\m1.'.I...G.{...Q...i.&D........>....#...k'.E1.1...9..1q....vgA..k.RFa.........8(Hx..m.w>....5P.%.0k.0....P..&a..#..P..&..0.9r).......B..P.`......9..i/.?...yX..F.f.huN.b.V....n.+..........S.^...^h?....a[/u..tX/..[h.]..a.A.0...5...}.;...6.m......\.Zx.g.........=F.0R..............IiKO..W...H_....%~.x....3..'.<\.g)$.1.%/.O.[.F.....ce...~6^.o.R...}..R.W..........&..%..7..]&[xG..iE.t.I......8r.5...]Z.5..$K..2..$yXA.........V.Zh.f...6..h..........{.......w).Q.U .Kj.........@......1.:...e.0........@.6:.,G .....?.,.X.....2.Jb..\.a.....b.......bP.Q.......N..b.u.).........S..C.C...h....(Y..fl.5\.......H.qR..N.eX@..............s....XUtI.$".6..'..U..W.Y?....W..].1-.\.I.+.r9.n..........:.i....WrX#...H#L..`9.z.n....R...F7....7..,....p.v.....U.pn.9B%.-...

Chrome Cache Entry: 71

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 301 x 240
Category:	dropped
Size (bytes):	156249
Entropy (8bit):	7.608393473228352
Encrypted:	false
SSDEEP:	3072:TTpcMmfppWKA/htQCTa6h13S6Yor5rHHVIfMPMt764CUTaul51OYzDNK:T1cMMppO/w6D3SfortnVIfqMtkUTr5Fk
MD5:	8A7FCB18354643CD37C53ED3D45014D8
SHA1:	56A801636FD6A6AE563F90FBD765BEA8AB26C501
SHA-256:	7BEE57D569F9AA5F2FECCE78533DA1A0BAEBC86D446C04B4C58BFFBB99727AFD
SHA-512:	DC63E15A539BC51DE216A75F4E4F0CC2786C8F0A68741A6668ECEDEC59951DB7397AB7B02AC09E6893600F07BE050F28C84C379DDB6C0ABFF7038DD557385633
Malicious:	false
Reputation:	low
Preview:	GIF89a-.........l..$.....H..H..H........H.....H........U.........HH..H..HU..U.HU..U.$........l......U....$U...........U.lUl...l..l..l..lU..U.$....l..$UH....Ull.H..$$.H..HH.HH....H.....H.UH........H..HU.UHHUH$.H..H..Hl.....U...H$UH........UHlU.l.Hl.l.U....H...Ul$..l..l..lU..U.$..$UH.U$..H..$..l.$H.$H........H..H......$.U$........lH..H..HU..U$HU..U$$.$..$..$l......U...$$U$..........U$lUH$..$..l..l..l..lU.$....$l..$Ul..l..l..lH.lH.....H......l.Ul.........H..HU..UlHUl$.l..l..ll......U...l$Ul..........UllU.l.ll...Ul.U.........................................................................................................................................................................................................................................................!..NETSCAPE2.0.....!.......,....-.......M..H.....>.Rh..T..@D..C.Ol`\|.PcC..7b.x..H..O.\Y.U#<}r..IS.MS6k..9.'A......s.Q.H{.U...R.M.>.i..=5..#....t.....kY.b..EkV..t..Kw.\.w...Kg...b...R..@.T.+^....#K.L.q..}.f.KW.W.

Chrome Cache Entry: 72

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (13589), with no line terminators
Category:	downloaded
Size (bytes):	13589
Entropy (8bit):	4.9575974503758005
Encrypted:	false
SSDEEP:	192:zT2enBcXxWHEDVaasxKKXNCLXtyj2ibrZmt7t9Eyqhqkmirm/It/opjov8ebixhh:WmahWiB9T///Gv8ebivxGocd88SUTA
MD5:	902623DED6DB9951DB34196DF22AE8FE
SHA1:	D79D87A4BEAF2E414BF6F3D6CF83F8DF444DB9FF
SHA-256:	1267D7DFA457E9271CAE84222BC7CDF2BC3E94063828F9A6E6F4E5B08863499B
SHA-512:	2926331F99F6782B629802208C22DA2D31C8CF2C065E7A6102C8E85861D04153A73678D1F3AA91219FEB56FD0EDCB3EC4EF92924BED8F476FF516D52209FDED1
Malicious:	false
Reputation:	low
URL:	https://www.telegram-gd.com/static/css/style.min.css
Preview:	:root{--headerHeight: 50px;--padding: 15px;--themeColor: #0088cc;--maxWidth: 1200px}*{-webkit-box-sizing:border-box;box-sizing:border-box;margin:0;padding:0}a{text-decoration:none;color:#333}.p-lr{padding-left:var(--padding);padding-right:var(--padding)}body{font:12px Microsoft YaHei-Regular,Microsoft YaHei;color:#333;background:#fff;overflow-x:hidden;font-weight:400}.android,.ios,.pc{display:inline-block}.android,.ios{display:none}#to-top{position:fixed;bottom:10%;right:20px;cursor:pointer;width:45px;height:45px;background:rgba(0,0,0,.3) url(../image/top.png) no-repeat center center;background-size:25px auto;cursor:pointer;border-radius:10px;z-index:999}#to-top:hover{background:var(--themeColor) url(../image/top.png) no-repeat center center/cover;background-size:25px auto}header{display:-webkit-box;display:-ms-flexbox;display:flex;-webkit-box-align:center;-ms-flex-align:center;align-items:center;padding:0 15px;width:100%;height:var(--headerHeight);background:rgba(255,255,255,.84);-web

Chrome Cache Entry: 73

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	4286
Entropy (8bit):	5.157520760822341
Encrypted:	false
SSDEEP:	48:er7z41Fi4mXEJyfetrETUzkPPgl0TzcHdCC8ZzsVhRItkhXj4FOKWXG8Q:u7z41c4mXEpHzk3gqzNCBKwKWWB
MD5:	975B4112A366CCA6B9BF2C84E268268C
SHA1:	97992BEA1D222B36E9B77B1E0E2C9F0CFDE0CCF5
SHA-256:	181349B08B8DA309823B3B6A670CE13581FF82AF7B03DB71BA60C705D0620261
SHA-512:	1440CD81F276F753DE3B6DFC7851D569689E998F14C55DCE698F68B4487D36E18B9D010DE66EC791FC97704CCC674AB65B26AC46F298A97B664FFE7BCCC90034
Malicious:	false
Reputation:	low
URL:	https://image.sanxiang-sh.com/telegram-favicon.ico
Preview:	...... .... .........(... ...@..... ..................................................................+..+G.'..(..)..(..)..(..(..'..(G.+..........................................................................+..)..(..(..(..(..(..(..(..(..(..(..(..(..)..+..........................................................I..)..)..)..)..(..)..(..(..(..(..(..(..(..(..(..(..)..)..I..............................................+..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..)..+......................................,..+....)....)..)....)......)....)..)..)..)..)..)..)..)..)....--.............................+..+..............................................+..+......................I....+..............+....+..+..+..+..+..+....+......+....+..+....,..I..................+..+..+..+..+..+..+..+..

Chrome Cache Entry: 74

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 82 x 82, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	4046
Entropy (8bit):	7.920916892238825
Encrypted:	false
SSDEEP:	96:RbRrGGHaQ56d4ddwpysPP5m20/JexcgBY9B3zFexTR3oAetdR:5ZGGHaa6addwpyw8JJz9FzQx9hetdR
MD5:	E67B727975AD821985059F20F52E0A0D
SHA1:	F64D5CA1F4AD157047E25D7C97E1AD3A67328F39
SHA-256:	6D8CF0D773DFC943BDA88D8F56B58BCEDF9E901BAC2F8F537677A1670A42F0E8
SHA-512:	87B653D978E2876A7E5EEB3DFAA9F368043BD70F3C184A18B9CA3F20D695E333A1DDA628ACEA981070BFCF41CD503BB2B82EAA1148DA2CD5B80826AB78D68051
Malicious:	false
Reputation:	low
URL:	https://www.telegram-gd.com/static/image/top.png
Preview:	.PNG........IHDR...R...R......,......sRGB.........IDATx^..p....wW..%K...;....!.G.mb......P..I..0..&i.:...LB..I8..BK.8C.r.......>.]..9...x.c\|.........i..Y.V.;..h$..........}.8......J-.+....I...$.>F.~.^.h....! G..H.D...7P.7.(..~..>w....;`..p.^......EQ)8.'....q..........>....0..n.7Y..+.o..?~\|..a.$..t.....@.q...../..1...q..a.f...m2.....U#P..4. ]..P./^.KOO_KQT.......Z.......5..(7.Z..~....$Z'.\....g.}v.D"y......\Q..b.SWW./33..P).."jp.....W.XA.8p.U.T.'......K3..t...w........<..~.'&H6p.O{{.....#8.?."..0..w....}.3...L1@r.Bbppp.B..aX.H.D..a...d.T?.0...hc.. Q.....%'N..GQ...<@.X....&Mz]......5....H...7o....D"Y....Z..n.r...+..<h.... .ylTv@.Z".<'jo.\..f...7..............K677.N....; ............Dt8n.vs_A.........5..e..Z...R..... .... az.B4../.T.#.Z.....r.Z}.W.B@.y...k.'M.t..0.@FV..t.a.!...*..x.\....q...p..0.k.eh...1.....F."9_....(..l.K$.t!......].`A.'..Z....,..o...?.Hh.v...$._9@...SJ.0....../W.V...C;I..q.G...].T..;6..Z".D......uxxx1..M....HT. .....u...H.F..JJJ..

Static File Info

⊘No static file info

Network Behavior

⊘Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 6024, Parent PID: 908

General

Target ID:	0
Start time:	19:19:39
Start date:	11/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 3732, Parent PID: 6024

General

Target ID:	2
Start time:	19:19:43
Start date:	11/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2000,i,17727096617257468248,15794474977771889975,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6508, Parent PID: 908

General

Target ID:	3
Start time:	19:19:49
Start date:	11/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://www.telegram-gd.com/"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: unarchiver.exePID: 3992, Parent PID: 6024

General

Target ID:	7
Start time:	19:20:55
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\shater.zip"
Imagebase:	0x960000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 4348, Parent PID: 3992

General

Target ID:	8
Start time:	19:20:55
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\3orywyhy.gn2" "C:\Users\user\Downloads\shater.zip"
Imagebase:	0x6b0000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5568, Parent PID: 4348

General

Target ID:	9
Start time:	19:20:55
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f330000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6888, Parent PID: 3992

General

Target ID:	10
Start time:	19:20:58
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6896, Parent PID: 6888

General

Target ID:	11
Start time:	19:20:58
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: shater.exePID: 6912, Parent PID: 6888

General

Target ID:	12
Start time:	19:20:58
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe
Imagebase:	0xbf0000
File size:	62'891'960 bytes
MD5 hash:	D08BDF8F0948938687A6E0C1044E1962
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: unarchiver.exePID: 3992, Parent PID: 6024COMMON

Executed Functions

Function 00F5B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00F5B208

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d894e7258783ae5440a60548736818112cc6e5bcb926573504b323184e790547
Instruction ID: 59766c855d8731255d9a0457a8788bfb0dd9fa1faa3b1920b171826bc05fccf3
Opcode Fuzzy Hash: d894e7258783ae5440a60548736818112cc6e5bcb926573504b323184e790547
Instruction Fuzzy Hash: 0201A2719042409FDB10CF15E985765FBD4DF44721F08C4AADE488F256D379A908DBB1

Function 01370C99 Relevance: 6.3, Strings: 5, Instructions: 86COMMON

Download Yara Rule

Strings

[M , xrefs: 01370D43, 01370D48
`xj, xrefs: 01370D37
e]2j^, xrefs: 01370D6E, 01370D73
Pzj, xrefs: 01370CC8
`xj, xrefs: 01370D62

Memory Dump Source

Source File: 00000007.00000002.2567492905.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID: Pzj$[M $`xj$`xj$e]2j^
API String ID: 0-1470540155
Opcode ID: 44315a64af82e37b89ca4903c30ca4726dfa3349f4bf838e66b7e7cc02e3999f
Instruction ID: 002cc64c8654cf8bfbbb27949b5ee42dc5c75a42729386933a0bf3c4529728c1
Opcode Fuzzy Hash: 44315a64af82e37b89ca4903c30ca4726dfa3349f4bf838e66b7e7cc02e3999f
Instruction Fuzzy Hash: 8A2149307012489FC714EB3589457AE7AD7AB86218B45843CE545DB342DF3ADA0687D6

Function 01370CA8 Relevance: 6.3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

Strings

[M , xrefs: 01370D43, 01370D48
`xj, xrefs: 01370D37
e]2j^, xrefs: 01370D6E, 01370D73
Pzj, xrefs: 01370CC8
`xj, xrefs: 01370D62

Memory Dump Source

Source File: 00000007.00000002.2567492905.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID: Pzj$[M $`xj$`xj$e]2j^
API String ID: 0-1470540155
Opcode ID: 68bb15b538e12836e0e5fd809ced9fb7f1bef8ccf50425157b2612cd00ca2149
Instruction ID: c330b5591fedb348662b304188698af1791ecf102253ebd9d29e21c2c832dada
Opcode Fuzzy Hash: 68bb15b538e12836e0e5fd809ced9fb7f1bef8ccf50425157b2612cd00ca2149
Instruction Fuzzy Hash: 2C2135307002089BC724EB35C9047AEBBD7AFC6208B41882CD186DB346DF79EA0697D6

Function 00F5B246 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F5B2F3

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 92981611c8d8e694cd4a78327c64059d9fe9bedaa6b1e9082edbe52c94053e8d
Instruction ID: 6f3251356cb6ae7ecefbeeeffbeade259cb0cdd955f3c9dd5d25ea6dbed69628
Opcode Fuzzy Hash: 92981611c8d8e694cd4a78327c64059d9fe9bedaa6b1e9082edbe52c94053e8d
Instruction Fuzzy Hash: 4331C6715043446FEB228F21DC45FA7BFBCEF45324F04849AE985CB152D325A919DB71

Function 00F5AD04 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F5ADA7

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 710549e146ee87510a767ffdce93c38fbb362b0d143f510eed46b0030607ea23
Instruction ID: 03898f0b85b292db5c1057e5c61c06f7648ec690ec551d65ed369f1293884142
Opcode Fuzzy Hash: 710549e146ee87510a767ffdce93c38fbb362b0d143f510eed46b0030607ea23
Instruction Fuzzy Hash: 3A31D5715043446FEB228F21DC45FA7BFBCEF45224F04449AF985CB152D225A919CB71

Function 00F5AB76 Relevance: 1.6, APIs: 1, Instructions: 92pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00F5AC36

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 349bf14d52b4694cb1da022e625c4eeba815af15c966569f520765db557509e5
Instruction ID: 9fb35cdf29dc797b338ba5e3269b25f6da688f9fec8c764d357910f0dd295860
Opcode Fuzzy Hash: 349bf14d52b4694cb1da022e625c4eeba815af15c966569f520765db557509e5
Instruction Fuzzy Hash: 8E316D7250E3C06FD3138B718C65A66BFB4AF47610F1A84CBD8C4DF1A3D6296919C762

Function 00F5A5DC Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00F5A67D

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b81e2312963bc137d6996626ee01df86bceb4712baff5cbba99921dc9f0ccad5
Instruction ID: b22a3f21fff2dd48d9893937317ed5ea42827d91519514e9759c2f0e98de7e0a
Opcode Fuzzy Hash: b81e2312963bc137d6996626ee01df86bceb4712baff5cbba99921dc9f0ccad5
Instruction Fuzzy Hash: 8B31BF71504340AFE721CF25DC85F62BFE8EF49220F08889EEA858B252D375E819DB71

Function 00F5A120 Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00F5A1C2

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 9a9d79878ab7bcfc324225f899f95b2624bc173df59ec9f1120bacc55c914bbc
Instruction ID: c56228190a96753aa922b92f3f6eda16900a06d6d5978f5e81ccb26420520f5a
Opcode Fuzzy Hash: 9a9d79878ab7bcfc324225f899f95b2624bc173df59ec9f1120bacc55c914bbc
Instruction Fuzzy Hash: 4221A37150D3C06FD3128B359C51BA6BFB4EF87610F1941CBD8848F593D229A91AD7A2

Function 00F5B276 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F5B2F3

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cca6d268cfe4c84f96278c6e6e8f3af0848ad3683a5f62ba118b844f4ac2d964
Instruction ID: 1e5948a57676de032141fecaf4abe19c291e3376618eefe851b9cd07a2e87e15
Opcode Fuzzy Hash: cca6d268cfe4c84f96278c6e6e8f3af0848ad3683a5f62ba118b844f4ac2d964
Instruction Fuzzy Hash: C521C472500204AFEB219F61DC45FABFBECEF44324F04846AEA45DB155D735A9089BB1

Function 00F5A370 Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,63F07135,00000000,00000000,00000000,00000000), ref: 00F5A40C

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e96f8c59b6d39ef9e9395094a0747de83a5d882491568d06e02944f94a204260
Instruction ID: ae3f570f4fda6f582e78f9038a6b60d30f7f946a8ab2202b4c05d05b1fea3cda
Opcode Fuzzy Hash: e96f8c59b6d39ef9e9395094a0747de83a5d882491568d06e02944f94a204260
Instruction Fuzzy Hash: DD218075504740AFE721CF11DC84FA2BBF8EF45724F08859AEA45CB252D365E909CB71

Function 00F5AD2A Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F5ADA7

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4dd3745b13504faeffff551f580edb9b36e3085f864b82eb2286ec04205e66b5
Instruction ID: 7130e21c00599ca299fee251f622feb30d2dfccceaab8bca545598873da7f659
Opcode Fuzzy Hash: 4dd3745b13504faeffff551f580edb9b36e3085f864b82eb2286ec04205e66b5
Instruction Fuzzy Hash: 1B21F472500204AFEB219F20DC85FABFBECEF44324F04846AEE45CA551D735A9199BA1

Function 00F5A50F Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00F5A5B6

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 9e7c5cd8816e308a9516fa0e5843a31c695fbfb78cd53829d727127b0a9afdf8
Instruction ID: 90f2750379d749fea11a962432e13b592e0e3d1d37f046540a98559d9a7e5161
Opcode Fuzzy Hash: 9e7c5cd8816e308a9516fa0e5843a31c695fbfb78cd53829d727127b0a9afdf8
Instruction Fuzzy Hash: D821B2B140D3C06FD3138B25DC51B62BFB8EF87614F0A81DBE8848B593D624A919C7B2

Function 00F5A850 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,63F07135,00000000,00000000,00000000,00000000), ref: 00F5A8DE

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1e83c0e211614c6c432b3800c7ecbd74e218039bdee440ec2be82c0390924e61
Instruction ID: ce05e6ab4cb4a1f047c9763bfe95dc91623aad9414ee65cd441a8bf822f62937
Opcode Fuzzy Hash: 1e83c0e211614c6c432b3800c7ecbd74e218039bdee440ec2be82c0390924e61
Instruction Fuzzy Hash: 0421B6714083806FEB228F24DC44FA6BFB8EF46724F0984DAE984CF153D265A919C772

Function 00F5A933 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,63F07135,00000000,00000000,00000000,00000000), ref: 00F5A9C1

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 5a67b4701dd2cd1d72ab944f897ef7522c243c8300d83e9aa578b0cb76ed54d7
Instruction ID: 7942131168357c5477db6a4aed53158972f1a926a311b4a7ac985ae76cf1c956
Opcode Fuzzy Hash: 5a67b4701dd2cd1d72ab944f897ef7522c243c8300d83e9aa578b0cb76ed54d7
Instruction Fuzzy Hash: CE21A371409380AFDB22CF21DC45F96BFB8EF46314F08849AE9849B152C265A509CBB2

Function 00F5A5FE Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00F5A67D

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2002308fa4759943958a0e66768d60b71cc9f968521d2b61790df949a313f5da
Instruction ID: 669c69c7d912e87c19d95d9075250c4c50e35fdcfdd05292e7b3cae3a8d04a29
Opcode Fuzzy Hash: 2002308fa4759943958a0e66768d60b71cc9f968521d2b61790df949a313f5da
Instruction Fuzzy Hash: 8B219C71500200AFEB20CF25DD85F66FBE8EF08320F08896AEE458B251D775E818DA72

Function 00F5A78F Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,63F07135,00000000,00000000,00000000,00000000), ref: 00F5A815

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 5c54cb2181b97272c0e39bcff5ea495929d5d1edaffc94485154eb447c04cbe1
Instruction ID: 377b432f2164d32d279a0ffd6356a919f60ccd2b787ca1751fb0ad4e0e923129
Opcode Fuzzy Hash: 5c54cb2181b97272c0e39bcff5ea495929d5d1edaffc94485154eb447c04cbe1
Instruction Fuzzy Hash: 0121EBB54087806FE7128B21DC45BA2BFB8DF47724F0880DBE9848B193D268AD09D775

Function 00F5AA0B Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00F5AA8B

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: bca732ec1f7928464ef2dff1fef134ed28fa364448911e5cd5cfa6c024763849
Instruction ID: 6b31e50851e84895811804cc107572d9e56764a7e3e2c4872f5417a585846669
Opcode Fuzzy Hash: bca732ec1f7928464ef2dff1fef134ed28fa364448911e5cd5cfa6c024763849
Instruction Fuzzy Hash: 722192759083C09FEB12CB29DC55B92BFE8AF06324F0D85EAE984CF153D225D909CB61

Function 00F5A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,63F07135,00000000,00000000,00000000,00000000), ref: 00F5A40C

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6312f41475c8f1b8632739e7dbad584be0a9225f801f0c8ee14f90bb9fda829b
Instruction ID: 0c697229f5b011a9f8e250a917fabbfb16d34e8a7a6eae4629dfb89fad4bf1df
Opcode Fuzzy Hash: 6312f41475c8f1b8632739e7dbad584be0a9225f801f0c8ee14f90bb9fda829b
Instruction Fuzzy Hash: 4A21F071500200AFE720CF21DC85FA2FBECEF04720F08815AEE458B251D764E819DAB2

Function 00F5A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,63F07135,00000000,00000000,00000000,00000000), ref: 00F5A9C1

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d6fbb5fa3939e4306126c6a6f3ad589f4803a1b90995b94e4eb253194420f3e6
Instruction ID: 99188173fd8c104486f8e88401a48f737f31247384622c8321b1900f0512aae3
Opcode Fuzzy Hash: d6fbb5fa3939e4306126c6a6f3ad589f4803a1b90995b94e4eb253194420f3e6
Instruction Fuzzy Hash: 2F112772400200AFEB21CF21DC85FA6FBE8EF44724F04855AEE458B141C339A918DBB2

Function 00F5A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,63F07135,00000000,00000000,00000000,00000000), ref: 00F5A8DE

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a4cdef6e615f21675136b32bc6a5f02286ddd418218f00df4510234cd65118ed
Instruction ID: 9cb634f850a100cd1ddbfb2bf3170c7194546d150d028846ab155b7b8261a308
Opcode Fuzzy Hash: a4cdef6e615f21675136b32bc6a5f02286ddd418218f00df4510234cd65118ed
Instruction Fuzzy Hash: B5112771400300AFEB21CF24EC85FA6FBE8EF44720F04845AEE458B145C338A9199BB2

Function 00F5A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00F5A30C

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f1d98c04fd198d1922588801e7610205bdf5db52d106d45b22ba13878fa636e2
Instruction ID: 2e0d85106104f981ecd830e56108874ed4b9a6be59bdf96a398c9ac5270a52f7
Opcode Fuzzy Hash: f1d98c04fd198d1922588801e7610205bdf5db52d106d45b22ba13878fa636e2
Instruction Fuzzy Hash: 0411E07580D3C09FDB228B25DC54A52BFB4DF07224F0980DBDD848F2A3D226A818CB72

Function 00F5AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00F5AA8B

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 0876e0e3fd68f2535b1b255d0b1bf6138d735dbf96fd72159b32331ca636c157
Instruction ID: ad8151963728fcf7debb2bde5497de903ed0385b8f5e19c4724a074ae8d30b07
Opcode Fuzzy Hash: 0876e0e3fd68f2535b1b255d0b1bf6138d735dbf96fd72159b32331ca636c157
Instruction Fuzzy Hash: BB11C871A00240DFEB10CF25D985B56FBD8EF04721F08C5AAEE45CB241E339D918DB62

Function 00F5A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,63F07135,00000000,00000000,00000000,00000000), ref: 00F5A815

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: dad27c4f2c6616590d163cb3c279196932845c37bd72a6a875a9d46cdd207759
Instruction ID: 3e1663f3e1d6f7fa138595a90814246ee1c09f69184c89b3f56fa8d103720561
Opcode Fuzzy Hash: dad27c4f2c6616590d163cb3c279196932845c37bd72a6a875a9d46cdd207759
Instruction Fuzzy Hash: B001F575504200AFE720CF25EC85FA6FBDCDF44725F18C09AEE058B285D778AD098AB6

Function 00F5B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00F5B208

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 90398b832382f86b4429c097786aba03e8ac9b8dd43059028f5d1ae9f95487f2
Instruction ID: 17ffcaa16bd4c731e88157d61c2e43dfcf944aede01823bbd61e649f434f6829
Opcode Fuzzy Hash: 90398b832382f86b4429c097786aba03e8ac9b8dd43059028f5d1ae9f95487f2
Instruction Fuzzy Hash: C41170714093C09FDB128F25DC54B56FFA4DF56220F0884DAED849F252D275A908CB72

Function 00F5AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00F5AFE4

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 0050cbae27064189be366b5074e7089c9b77738c6f20736d509a87e961b4f7a3
Instruction ID: 2f281ad1a0ca8d493c194f76475c24545898e13daf51577d27e6c1ccfd82ebf7
Opcode Fuzzy Hash: 0050cbae27064189be366b5074e7089c9b77738c6f20736d509a87e961b4f7a3
Instruction Fuzzy Hash: D0119E755093C09FD7128B25DC45A52BFF4EF06220F0984DAED858B2A2D265A808DB61

Function 00F5A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00F5A1C2

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: e346cee0d6297ab9976f956761b0d4549b607b84b14f283ed9df0485e7cd846e
Instruction ID: 3585366b6bdf0a70ef9e701d6767916cbbd15b124b29afe324933a9d21e9f017
Opcode Fuzzy Hash: e346cee0d6297ab9976f956761b0d4549b607b84b14f283ed9df0485e7cd846e
Instruction Fuzzy Hash: 6001B171A00200AFD310DF26DC46B66FBE8EB88A20F14815AEC089B645D735B955CBE1

Function 00F5ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00F5AC36

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 08c317e8a592290c2fb3b03b08f1e13cd68088530e818f5c6bdae83b26b5cd43
Instruction ID: 2e3dff746b0127b6b32e034e3c3d14f4e29e1ea509aa959f7b438a42575ff2b9
Opcode Fuzzy Hash: 08c317e8a592290c2fb3b03b08f1e13cd68088530e818f5c6bdae83b26b5cd43
Instruction Fuzzy Hash: 9601B171A00200AFD310DF26DC46B66FBE8FB88A20F14815AEC089B645D735B955CBE1

Function 00F5A566 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetTempPathW.KERNELBASE(?,00000E24,?,?), ref: 00F5A5B6

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 80a994b3a831a0526feb139c8ea7ff5146cc96cfa315c37a57a6bcfbe8046262
Instruction ID: 1886a252fd4797ad4c0d0220e28286801d63a743d8f822cb99c9d16583e46d24
Opcode Fuzzy Hash: 80a994b3a831a0526feb139c8ea7ff5146cc96cfa315c37a57a6bcfbe8046262
Instruction Fuzzy Hash: 28016271900200ABD210DF16DD46B66FBE8FB88A20F148159ED085B741D775F955CBE5

Function 00F5AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00F5AFE4

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 3fb4fe617be9ae0137e34d1d4434ddf680b8f6cfab2930a63914182efc6f8869
Instruction ID: 4d3cdc01df6d3f258481b005662d771eaa7de9125bfff28b86446904bb6d8863
Opcode Fuzzy Hash: 3fb4fe617be9ae0137e34d1d4434ddf680b8f6cfab2930a63914182efc6f8869
Instruction Fuzzy Hash: D101D1759002409FDB108F25D885762FBD4EF04721F08C0AADE558B292D379E858EAA2

Function 00F5A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00F5A30C

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 324d1cdacf84d763ab7c30ecee23d8b47bd74c244709dc2045696062c91cc1ee
Instruction ID: 12fa348673934379d6392d445bd83b7e48c56b5b6c19f8aa63db681e158ac37d
Opcode Fuzzy Hash: 324d1cdacf84d763ab7c30ecee23d8b47bd74c244709dc2045696062c91cc1ee
Instruction Fuzzy Hash: 52F0A4358042409FDB109F15D885761FFD4EF44735F08C19ADE494B256D37AA818DAA2

Function 00F5A6D4 Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00F5A748

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 53b8ae9ccb0d1ae2f2771aa23817ed66cecff42cbd32ea1351aaa26a4c81d430
Instruction ID: 05c189b2f3c436ac8c198701fb7897b59c20234d1161d764b4f997a8ac72bc45
Opcode Fuzzy Hash: 53b8ae9ccb0d1ae2f2771aa23817ed66cecff42cbd32ea1351aaa26a4c81d430
Instruction Fuzzy Hash: 7921B0B59097C05FD7128B25DC54792BFB4AF06320F0980DADC858B1A3D2259918C772

Function 00F5A716 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00F5A748

Memory Dump Source

Source File: 00000007.00000002.2566632762.0000000000F5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4afa7db21efde44d609a49449862da638541420d379b12b56d113deae49b989e
Instruction ID: 0320ee6733bdf6214bda8910fa5f9aa243672a2d16077306c3091491ae754390
Opcode Fuzzy Hash: 4afa7db21efde44d609a49449862da638541420d379b12b56d113deae49b989e
Instruction Fuzzy Hash: D501D4759002409FDB108F25E985765FFE8DF04321F08C4AADD458B242D279A918DAA2

Function 013702C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567492905.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b967506a2bb28607d5eeee82fb07b88dba05c92f1099087580b5037c8889070
Instruction ID: 4f9cc2102cb6bd28758be12476defce426e560f86a7cae27245d220243758f30
Opcode Fuzzy Hash: 0b967506a2bb28607d5eeee82fb07b88dba05c92f1099087580b5037c8889070
Instruction Fuzzy Hash: A0B18F35602118EFCB28EB74E96CA5E7BB3FF89214B108428E91697369CF359C50DB90

Function 01370799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567492905.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b8e0fb7f4afc382f0e106b0db1cf1289114eb9d2528d2b2e0ebcf002159e83
Instruction ID: 45b579365d0662d87f03e93320de887f1673ee72060a49b59d827858ade06a63
Opcode Fuzzy Hash: 55b8e0fb7f4afc382f0e106b0db1cf1289114eb9d2528d2b2e0ebcf002159e83
Instruction Fuzzy Hash: D8A1B130B012059FDB19AB74D46977EB7B3AF89308F148429E9169739ADF39CC42CB91

Function 01370B8F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567492905.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97106e33464f49484aedef891a25aa2c7d7ca65f0584d35dbe1befebcbd8f87
Instruction ID: 76441bd59a92f887e8824bab8168c0347f436522f929948444a9e07ff870ee4f
Opcode Fuzzy Hash: b97106e33464f49484aedef891a25aa2c7d7ca65f0584d35dbe1befebcbd8f87
Instruction Fuzzy Hash: B911D635A111586FCF08DB74D8489DE7BF2FF88214B054539E506E7276DF3199159BC0

Function 01370BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567492905.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d8c02ba87972c94610b0a93b890c89cba25011b05ddc88bfe191ae76805959
Instruction ID: dab5bf12343232cbf8e00649ea5981314d5752a86278b00605d08818c74e2b7b
Opcode Fuzzy Hash: 57d8c02ba87972c94610b0a93b890c89cba25011b05ddc88bfe191ae76805959
Instruction Fuzzy Hash: E511C131A12158AFCF049BB4D84899E7BF6FF88214B068435E606E7236DF3198159BD0

Function 014E080D Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567681852.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c525dd116793828d280c099d1e92715512dfde409998e04d37476df17666a045
Instruction ID: f3e31b10b29cb718e081ac62590279424e13fe1b0ed5197f6a00ef048e91cae5
Opcode Fuzzy Hash: c525dd116793828d280c099d1e92715512dfde409998e04d37476df17666a045
Instruction Fuzzy Hash: 6401A7B64097406FD301DF15EC42C57FBECDF86524F09C4AAEC489B202D226BD198BB2

Function 014E05DF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567681852.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cbffaf9bad13a1414e6b6e12e0424b3d2c8c5b91746c75320f70c1928be0a5
Instruction ID: 5e977d6333bf681f07ea4dbbedde9e75c9b78c94107d4bea22d16067f250c519
Opcode Fuzzy Hash: f6cbffaf9bad13a1414e6b6e12e0424b3d2c8c5b91746c75320f70c1928be0a5
Instruction Fuzzy Hash: 7C01D6B64097806FC7118F16AC41853FFE8EF4663070984ABEC898B312D229B909DBB1

Function 014E082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567681852.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa610eef26c432508ba892cd43d2bf56f207a156580baf889c26406f6088a86
Instruction ID: ae2e7ca40920f92859bc5d6631e9539b6a4372fb1d1e59be0062e8274c50ea9f
Opcode Fuzzy Hash: 4aa610eef26c432508ba892cd43d2bf56f207a156580baf889c26406f6088a86
Instruction Fuzzy Hash: 81F082B68052046FD240DF19ED46896F7ECDFC4921F04C56AEC088B305E376AD154AE2

Function 01370C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567492905.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db73fe2885bac1e5b15b90b0bbfd646734ef8de966fb1e4b171c9abc87f3173
Instruction ID: 396b9db502f3d3c4d379b850fe701c24665ca9f03f368778d98dce75f3c7a7f8
Opcode Fuzzy Hash: 3db73fe2885bac1e5b15b90b0bbfd646734ef8de966fb1e4b171c9abc87f3173
Instruction Fuzzy Hash: 74E0D871F153541FCB48DABC984059E7FE5DB85150B05467AC008D7252DF358C028780

Function 014E0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567681852.00000000014E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e015d556f9b4793e3c2d184d1454a1173e4cc62e12b2c6b444e6e6f711632bd
Instruction ID: 6c09d1ffdfa545646b1714402c833aee77b46b0dfe76b8af8f55f3632d51d442
Opcode Fuzzy Hash: 3e015d556f9b4793e3c2d184d1454a1173e4cc62e12b2c6b444e6e6f711632bd
Instruction Fuzzy Hash: 36E092B66006004BD750CF0AEC41452F7D8EB84A30B08C07FDC0D8B701E23AB508CAE5

Function 01370C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567492905.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6d4ab93e5a7643152290d59cf38a27003290e30f5ce413e6ff9d4612d63d58
Instruction ID: 46148c012d95c5ee393a36130ade2dbe100df11eb0e705e6dbec335e577b0400
Opcode Fuzzy Hash: bb6d4ab93e5a7643152290d59cf38a27003290e30f5ce413e6ff9d4612d63d58
Instruction Fuzzy Hash: 49D0C771F022282B8B48EAF8A8442AFBFEA9B84064B56807DC008D7301EE359C028780

Function 01370DD1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567492905.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0626ee6c0396ac26798b74d139b58ac9a4f3c3016fd0aba1f15b582d53a463
Instruction ID: f8d151dd2567378f26939f3a5911dca9bb2240a9d43ec6cb4b856c0f8cd228c1
Opcode Fuzzy Hash: af0626ee6c0396ac26798b74d139b58ac9a4f3c3016fd0aba1f15b582d53a463
Instruction Fuzzy Hash: 4BE0C2301493449FC709CB38D8699B93FA1AFD2318F4681A5D408CB167CA38CE90C780

Function 00F523F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2566601373.0000000000F52000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F52000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7593452d60cd51cee14ed613c5898724dc0bb540eae8177dfd421d4dcfe5d57
Instruction ID: 6871f8ce8b4e0c7c3aeb6c93f87d5e28edef6aa4d41e3c8d574b09c829a90c56
Opcode Fuzzy Hash: e7593452d60cd51cee14ed613c5898724dc0bb540eae8177dfd421d4dcfe5d57
Instruction Fuzzy Hash: 44D02E792007804FD312CB1CC1A4F8637D4AB42B24F0A40FDAC008B363C32CD882E200

Function 00F523BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2566601373.0000000000F52000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F52000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fa66584118076ed515812a08377f8ad4f7373b56bab82e7d6c1d6dccc39fbe
Instruction ID: bd05cb44852358d9b4df8d3c604b378d4c28043821de4acf79d3f3161e573d43
Opcode Fuzzy Hash: 60fa66584118076ed515812a08377f8ad4f7373b56bab82e7d6c1d6dccc39fbe
Instruction Fuzzy Hash: 3DD05E346012814BC729DA1CC2D4F5933D4AB41B25F1645ECAC108B762C7A8D8C4DA40

Function 01370DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2567492905.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c71470ea6d727c2952442d81960a148d0e8e4975ca8bf285f71c8a7c757e901
Instruction ID: 9208038bf2e5c2be54bd0a4420b4a83c0bb48cd0b055e41ca7f2985b31f459b3
Opcode Fuzzy Hash: 4c71470ea6d727c2952442d81960a148d0e8e4975ca8bf285f71c8a7c757e901
Instruction Fuzzy Hash: 66C012302012088BD718A77CD55CA2977965BD0608F45C46495084B256CA74E840D6C0

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://www.telegram-gd.com/

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\3orywyhy.gn2\shater.exe

C:\Users\user\AppData\Local\Temp\unarchiver.log

C:\Users\user\Downloads\6d02d947-acc6-49aa-a9ac-9af46163f28d.tmp

C:\Users\user\Downloads\73c1b1fc-0e18-48dd-8730-e3811dedf735.tmp

C:\Users\user\Downloads\b50add30-32dd-4a3b-80b7-9353c2bcf7ee.tmp

C:\Users\user\Downloads\shater (1).zip.crdownload

C:\Users\user\Downloads\shater (2).zip.crdownload

C:\Users\user\Downloads\shater (3).zip.crdownload

C:\Users\user\Downloads\shater.zip (copy)

C:\Users\user\Downloads\shater.zip.crdownload

Chrome Cache Entry: 58

Chrome Cache Entry: 59

Chrome Cache Entry: 60

Chrome Cache Entry: 61

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Chrome Cache Entry: 66

Chrome Cache Entry: 67

Windows Analysis Report
http://www.telegram-gd.com/