
Windows Analysis Report
https://investors.spotify.com.sg.misteri.us.kg/

Overview

General Information

Sample URL: https://investors.spotify.com.sg.misteri.us.kg/
Analysis ID: 1521726
Tags: openphish

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Downloads suspicious files via Chrome
Drops large PE files
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory

Classification

  • System is w10x64
  • chrome.exe (PID: 2724 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 4724 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 3552 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4200 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6036 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4308 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • unarchiver.exe (PID: 2424 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
      • 7za.exe (PID: 2104 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\34yqvajp.yju" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5848 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Telegram.exe (PID: 4748 cmdline: C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe MD5: DFAB353168FA4DB6A30FBC9F3599C929)
  • chrome.exe (PID: 3148 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://investors.spotify.com.sg.misteri.us.kg/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: https://investors.spotify.com.sg.misteri.us.kg/; Virustotal: Detection: 13%
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp; Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
Source: C:\Windows\SysWOW64\unarchiver.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: C:\Telegram\tx64\out\Release\Telegram.pdb source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65B00A000.00000002.00000001.01000000.00000008.sdmp
Source: chrome.exe; Memory has grown: Private usage: 0MB later: 34MB
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmpString found in binary or memory: https://telegram.org/tos/stars
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmpString found in binary or memory: https://telegram.org/tos/starsAll
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmpString found in binary or memory: https://telegram.org/tos/starsMedia
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmpString found in binary or memory: https://telegram.org/tos/starsSubscription
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmpString found in binary or memory: https://telegram.org/tos/starsWithdraw
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmpString found in binary or memory: https://telesco.pe/
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmpString found in binary or memory: https://twitter.com/
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmpString found in binary or memory: https://twitter.com/hashtag/
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://webrtc.googlesource.com/src/
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0

System Summary

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File dump: C:\Users\user\Downloads\tportable-x64.5.5.5.zip (copy)
Source: C:\Windows\SysWOW64\7za.exe | File dump: Telegram.exe.10.dr 162952456
Source: 012cb3cd-41cf-435d-b141-c65927ddb5ee.tmp.0.dr | Static PE information: No import functions for PE file found
Source: 0b8031df-20d6-4a21-b2d6-249cd53d0db3.tmp.0.dr | Static PE information: No import functions for PE file found
Source: 012cb3cd-41cf-435d-b141-c65927ddb5ee.tmp.0.dr | Static PE information: Data appended to the last section found
Source: 0b8031df-20d6-4a21-b2d6-249cd53d0db3.tmp.0.dr | Static PE information: Data appended to the last section found
Source: Telegram.exe.10.dr | Static PE information: Section: .qtmimed ZLIB complexity 0.9983110514817629
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: ndre-land.nonet.slnet.soin-brb.de123website.lutrentino-stirol.it
Source: classification engine | Classification label: mal56.win@35/48@0/13
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Windows\SysWOW64\unarchiver.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\unarchiver.log
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://investors.spotify.com.sg.misteri.us.kg/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4200 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4308 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\34yqvajp.yju" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip"
Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (18 child processes of chrome.exe with no recorded image or command line)
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Windows\SysWOW64\7za.exe | Section loaded: 7z.dll
Source: Google Drive.lnk.0.dr, YouTube.lnk.0.dr, Sheets.lnk.0.dr, Gmail.lnk.0.dr, Slides.lnk.0.dr, Docs.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: aesni_init_keycrypto\evp\e_aes.caesni_gcm_init_keyaesni_xts_init_keyaesni_ccm_init_keyaesni_ocb_init_keyaes_init_keyaes_gcm_init_keyaes_gcm_tls_cipheraes_xts_init_keyaes_xts_cipheraes_ccm_init_keyaes_wrap_init_keyaes_wrap_cipheraes_ocb_init_keyaes_ocb_ciphercompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /FS -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.2.1 30 Jan 20243.2.1built on: Sun Aug 25 15:14:21 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecopy_integercrypto\params.cunsigned_from_signedgeneral_get_intgeneral_set_intgeneral_get_uintgeneral_set_uintOSSL_PARAM_get_int32OSSL_PARAM_set_int32OSSL_PARAM_get_uint32OSSL_PARAM_set_uint32OSSL_PARAM_get_int64OSSL_PARAM_set_int64OSSL_PARAM_get_uint64OSSL_PARAM_set_uint64OSSL_PARAM_get_BNOSSL_PARAM_set_BNget_string_internalOSSL_PARAM_get_utf8_stringset_string_internalOSSL_PARAM_set_utf8_stringOSSL_PARAM_set_octet_stringget_ptr_internalset_ptr_internalOSSL_PARAM_set_utf8_ptrOSSL_PARAM_set_octet_ptrget_string_ptr_internalcrypto\evp\mac_meth.cevp_mac_from_algorithmcrypto\evp\mac_lib.cEVP_MAC_CTX_newEVP_MAC_CTX_dupblock-sizeevp_mac_finalEVP_Q_mac source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /FS -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: crypto\modes\ocb128.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /FS -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\OpenSSL\lib\engines-3.dllCPUINFO: %s::%s:%d:%s source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Telegram\tx64\out\Release\Telegram.pdb source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65B00A000.00000002.00000001.01000000.00000008.sdmp
Source: 012cb3cd-41cf-435d-b141-c65927ddb5ee.tmp.0.dr | Static PE information: real checksum (value stored in the optional header): 0x2bca9df, should be (recomputed over the file): 0x8a41
Source: 0b8031df-20d6-4a21-b2d6-249cd53d0db3.tmp.0.dr | Static PE information: real checksum (value stored in the optional header): 0x2bca9df, should be (recomputed over the file): 0x39f1f
Source: 012cb3cd-41cf-435d-b141-c65927ddb5ee.tmp.0.dr, Unconfirmed 103549.crdownload.0.dr, 0b8031df-20d6-4a21-b2d6-249cd53d0db3.tmp.0.dr, Unconfirmed 342131.crdownload.0.dr | Static PE information: section name: .didata
Source: Telegram.exe.10.dr | Static PE information: section names: .rodata, .qtmetad, .qtmimed, _RDATA
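The checksum, section-name, overlay ("data appended to the last section") and ZLIB-complexity findings above are static checks an analyst can reproduce before trusting a sandbox score. The following Python is an added example, not Joe Sandbox or Telegram Desktop code: it walks the PE headers with the standard library only, recomputes the optional-header CheckSum with the documented algorithm (the one imagehlp's MapFileAndCheckSum and pefile's generate_checksum implement), compares section names against a short list of conventional names, reports each section's zlib compression ratio and measures the overlay. The section list and the sample image it builds are constructed for the demonstration; the sample is not a loadable executable.

```python
"""Static PE triage: CheckSum recomputation, section names, per-section zlib
ratio, overlay size.  Added example, not Joe Sandbox or Telegram code; standard
library only.  build_sample_pe() is a constructed, non-loadable test image."""
import struct
import zlib

# Constructed list of names a stock MSVC/MinGW/Delphi link emits.  Anything else
# is a hint, not a verdict: .qtmimed/.qtmetad/.rodata are normal for Qt builds.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}


def compute_pe_checksum(data: bytes, checksum_offset: int) -> int:
    """IMAGE_OPTIONAL_HEADER.CheckSum: 32-bit end-around-carry sum over the file
    (padded to a dword), skipping the CheckSum dword itself, folded to 16 bits,
    plus the unpadded file length.  checksum_offset is 4-aligned in real files."""
    remainder = len(data) % 4
    padded = data + b"\0" * ((4 - remainder) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_headers(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic")
    sections = []
    for n in range(num_sections):
        hdr = opt + opt_size + 40 * n
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    # CheckSum is at offset 64 of the optional header for both PE32 and PE32+.
    return {"checksum_offset": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "sections": sections}


def triage(data: bytes) -> dict:
    h = parse_headers(data)
    end_of_sections = max((p + s for _, p, s in h["sections"]), default=0)
    sections = []
    for name, ptr, size in h["sections"]:
        raw = data[ptr:ptr + size]
        # Ratio near 1.0 means zlib cannot shrink the bytes: packed, encrypted
        # or already-compressed content.  Plain code and tables sit well below.
        ratio = len(zlib.compress(raw, 9)) / len(raw) if raw else 0.0
        sections.append({"name": name, "zlib_ratio": round(ratio, 4),
                         "standard": name in STANDARD_SECTIONS})
    computed = compute_pe_checksum(data, h["checksum_offset"])
    return {"stored_checksum": h["stored_checksum"],
            "computed_checksum": computed,
            # A stored value of 0 means "never populated", not "tampered".
            "checksum_valid": h["stored_checksum"] == computed,
            "overlay_bytes": max(0, len(data) - end_of_sections),
            "sections": sections}


def set_checksum(data: bytes, value: int) -> bytes:
    """Write the CheckSum field (what a linker with /RELEASE does)."""
    off = parse_headers(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def build_sample_pe() -> bytes:
    """Constructed PE32+ skeleton: DOS header, PE signature, COFF header, 240-byte
    optional header with CheckSum 0, one section named .didata (the name flagged
    in the report) holding 256 NOPs, and a 16-byte overlay.  Not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, 1 section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    body = b"\x90" * 256
    raw_ptr = 64 + 4 + 20 + 240 + 40                                # = 368
    sec = bytearray(40)
    sec[:7] = b".didata"
    struct.pack_into("<IIII", sec, 8, len(body), 0x1000, len(body), raw_ptr)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec) + body + b"OVERLAY!" * 2
```

To triage a real file, call triage(open(path, "rb").read()). A stored CheckSum of 0 is common for non-driver binaries and means the field was never filled in; what the report flags is a nonzero stored value (0x2bca9df in both .tmp files) that disagrees with the recomputed one, which is what you see when a file was written out after linking, for instance an installer stub with a payload appended as an overlay. Windows only enforces the checksum for drivers and a few system components, so a mismatch is an integrity hint for the analyst, not something the loader will stop.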
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\012cb3cd-41cf-435d-b141-c65927ddb5ee.tmp
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\0b8031df-20d6-4a21-b2d6-249cd53d0db3.tmp
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\modules\x64\d3d\d3dcompiler_47.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\Unconfirmed 103549.crdownload
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\Unconfirmed 342131.crdownload
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk, YouTube.lnk, Sheets.lnk, Gmail.lnk, Slides.lnk, Docs.lnk
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX (17 occurrences)
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 11F0000 memory reserve, memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 3140000 memory reserve, memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 5140000 memory commit, memory reserve, memory write watch
Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\modules\x64\d3d\d3dcompiler_47.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 9_2_0103B1D6 GetSystemInfo, 9_2_0103B1D6
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: VMware
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: VMnet
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65C485000.00000008.00000001.01000000.00000008.sdmp | Binary or memory string: .?AVQEmulationPaintEngine@@h
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: C:\Telegram\Libraries\win64\tg_owt\src\rtc_base\network.ccIgnore link local IP:Ignore Mac based IP:Ignore deprecated IP:WebRTC-IPv6NetworkResolutionFixesIpAddressAttributesEnabledWebRTC-SignalNetworkPreferenceChangeToo many network interfaces to handle!WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameNetwork change was observedVMnetSocket creation failedConnect failed with NetworkManager detected , active ? , IgnoredWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnUnknown network cost: Net[:id=
Source: Unconfirmed 103549.crdownload.0.dr | Binary or memory string: @VMCII
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: IIAMDARMBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTestFrontend workaroundsFrontend featuresOpenGL workaroundsOpenGL featuresD3D workaroundsVulkan app workaroundsVulkan workaroundsVulkan featuresMetal featuresMetal workaroundsUnknownenableddisabled
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65C485000.00000008.00000001.01000000.00000008.sdmp | Binary or memory string: .?AVQEmulationPaintEngine@@
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: VMware Screen Codec / VMware Video
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write, page guard
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: System Error: GetWindowPlacement failed.WindowsCustomMarginsShell_TrayWndC:\Telegram\tx64\Telegram\lib_ui\ui\platform\win\ui_window_win.cppFailed to get taskbar pos"_handle != nullptr"GetSystemMetricsForDpiAdjustWindowRectExForDpix&.[
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: C:\Telegram\Libraries\win64\tg_owt\src\modules\desktop_capture\cropping_window_capturer.ccWindow no longer on top when ScreenCapturer finishesScreenCapturer failed to capture a frameWindow rect is emptyWindow is outside of the captured displayC:\Telegram\Libraries\win64\tg_owt\src\modules\desktop_capture\win\screen_capture_utils.ccNo HMONITOR found for supplied device index.GetDpiForMonitor() failedChrome_WidgetWin_ProgmanButton
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (number in parentheses = signatures matched for that technique; techniques without a number are the unmatched entries of the standard matrix template)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (12), DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Extra Window Memory Injection (1), Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Software Packing (1), Process Injection (12), DLL Side-Loading (1), Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (1), Process Discovery (1), System Information Discovery (13), Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Behavior Graph (ID 1521726; URL https://investors.spotify.c...; start date 29/09/2024; architecture WINDOWS; score 56; figures in square brackets are the graph's created-file/registry-value counts)

Top-level signatures: Multi AV Scanner detection for submitted file; Downloads suspicious files via Chrome

chrome.exe [25] started, plus a second chrome.exe started independently
  contacts 192.168.2.4 (unknown), 192.168.2.5 (unknown) and 2 other IPs or domains
  drops C:\Users\...\tportable-x64.5.5.5.zip (copy) [Zip], C:\Users\...\Unconfirmed 342131.crdownload [PE32], C:\Users\...\Unconfirmed 103549.crdownload [PE32] and 2 other files (none is malicious)
  starts unarchiver.exe [4] and three further chrome.exe processes
    chrome.exe contacts 149.154.167.99 TELEGRAMRU (United Kingdom), 108.177.15.84 GOOGLEUS (United States) and 7 other IPs or domains
    unarchiver.exe starts 7za.exe [11] and cmd.exe [1]
      7za.exe drops C:\Users\user\AppData\...\d3dcompiler_47.dll [PE32+] and C:\Users\user\AppData\Local\...\Telegram.exe [PE32+] (signature: Drops large PE files) and starts conhost.exe
      cmd.exe starts conhost.exe and Telegram.exe

Reading note: unarchiver.exe is not a Windows component. Together with 7za.exe (extracting with the conventional sample password "infected") and the cmd.exe wrapper it is the analysis environment's archive handler, which opens the downloaded ZIP and launches the executable inside it; that part of the chain is sandbox behaviour, not behaviour of the downloaded sample.

Submitted URL
Source | Detection | Scanner
https://investors.spotify.com.sg.misteri.us.kg/ | 14% | Virustotal

Dropped files
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\modules\x64\d3d\d3dcompiler_47.dll | 0% | ReversingLabs
C:\Users\user\Downloads\Unconfirmed 103549.crdownload | 0% | ReversingLabs
C:\Users\user\Downloads\Unconfirmed 342131.crdownload | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
URLs found in memory or files
Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://telesco.pe/ | 0% | Virustotal
http://anglebug.com/1423136Disables | 0% | Virustotal
https://api.mapbox.com/mapbox-gl-js/v3.4.0/mapbox-gl.js | 0% | Virustotal
https://chromium.googlesource.com/angle/angle/ | 0% | Virustotal
https://telegram.org/blog/monetization-for-channelsAd | 0% | Virustotal
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | 0% | Virustotal
http://anglebug.com/5658Even | 0% | Virustotal
https://promote.telegram.org | 0% | Virustotal
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01 | 0% | Virustotal
http://anglebug.com/7279Emulate | 0% | Virustotal
http://bugreports.qt.io/ | 0% | Virustotal
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension | 1% | Virustotal
https://anglebug.com/7246Force | 0% | Virustotal
https://issuetracker.google.com/220069903 | 0% | Virustotal
https://telegram.org/tos | 0% | Virustotal
https://twitter.com/hashtag/ | 0% | Virustotal
https://t.me/c/%1/%2 | 0% | Virustotal
https://github.com/telegramdesktop/tdesktopGNU | 0% | Virustotal
https://streams.videolan.org/upload/ | 0% | Virustotal
https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLVazirmatn | 0% | Virustotal
https://telegram.org/privacy | 0% | Virustotal
https://core.telegram.org/apihttps://promote.telegram.org | 0% | Virustotal
https://snapcraft.io/telegram-desktop | 0% | Virustotal
https://flathub.org/apps/details/org.telegram.desktop | 0% | Virustotal
https://github.com/rastikerdar/vazirmatn)Vazirmatn | 0% | Virustotal
https://github.com/davelab6/Roboto-ClassicThis | 0% | Virustotal
http://anglebug.com/2152 | 0% | Virustotal
https://crbug.com/650547 | 0% | Virustotal
https://core.telegram.org/api | 0% | Virustotal
https://anglebug.com/7246 | 0% | Virustotal
https://telegram.org/faq#general-questionsTelegram | 0% | Virustotal
http://anglebug.com/5007Disable | 0% | Virustotal
http://anglebug.com/7724 | 1% | Virustotal
https://telegram.org/privacy-tpa | 0% | Virustotal
http://anglebug.com/7760Write | 0% | Virustotal
https://tdesktop.com/ | 0% | Virustotal
https://crbug.com/593024 | 0% | Virustotal
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https://desktop.telegram.org/ | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
108.177.15.84 | unknown | United States | 15169 | GOOGLEUS | false
172.217.18.3 | unknown | United States | 15169 | GOOGLEUS | false
104.21.47.42 | unknown | United States | 13335 | CLOUDFLARENETUS | false
142.250.185.132 | unknown | United States | 15169 | GOOGLEUS | false
142.250.185.227 | unknown | United States | 15169 | GOOGLEUS | false
149.154.167.99 | unknown | United Kingdom | 62041 | TELEGRAMRU | false
216.58.206.46 | unknown | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.184.206 | unknown | United States | 15169 | GOOGLEUS | false
                                                                                                                    IP
                                                                                                                    192.168.2.4
                                                                                                                    192.168.2.6
                                                                                                                    192.168.2.5
                                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                                    Analysis ID:1521726
                                                                                                                    Start date and time:2024-09-29 02:46:41 +02:00
                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                    Overall analysis duration:0h 5m 59s
                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                    Report type:full
                                                                                                                    Cookbook file name:browseurl.jbs
                                                                                                                    Sample URL:https://investors.spotify.com.sg.misteri.us.kg/
                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                                                                                                    Number of new started drivers analysed:0
                                                                                                                    Number of existing processes analysed:0
                                                                                                                    Number of existing drivers analysed:0
                                                                                                                    Number of injected processes analysed:0
                                                                                                                    Technologies:
                                                                                                                    • HCA enabled
                                                                                                                    • EGA enabled
                                                                                                                    • AMSI enabled
                                                                                                                    Analysis Mode:default
                                                                                                                    Analysis stop reason:Timeout
                                                                                                                    Detection:MAL
                                                                                                                    Classification:mal56.win@35/48@0/13
                                                                                                                    EGA Information:Failed
                                                                                                                    HCA Information:
                                                                                                                    • Successful, ratio: 100%
                                                                                                                    • Number of executed functions: 44
                                                                                                                    • Number of non-executed functions: 0
                                                                                                                    Cookbook Comments:
                                                                                                                    • Browse: https://telegram.org/dl/desktop/win64
                                                                                                                    • Browse: https://telegram.org/dl/desktop/win64_portable
                                                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                    • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                    No simulations
Input: URL: https://desktop.telegram.org/ Model: jbxai
Output:
                                                                                                                    {
                                                                                                                    "brand":[],
                                                                                                                    "contains_trigger_text":false,
                                                                                                                    "trigger_text":"",
                                                                                                                    "prominent_button_name":"Get Telegram for Windows x64",
                                                                                                                    "text_input_field_labels":"unknown",
                                                                                                                    "pdf_icon_visible":false,
                                                                                                                    "has_visible_captcha":false,
                                                                                                                    "has_urgent_text":false,
                                                                                                                    "has_visible_qrcode":false}
                                                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):162952456
                                                                                                                    Entropy (8bit):6.841157263379702
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:786432:SIvdxfoVlJGRKky9rRaGcUuMle2qNLvuMWNK1ocfDtiKbRsgemnWUIv:SIlhoFBkyhFfuCgNLxoyocfDtNRu
                                                                                                                    MD5:DFAB353168FA4DB6A30FBC9F3599C929
                                                                                                                    SHA1:063C7F6B4D6D447D2AA4F3BECE2568A8A44479AD
                                                                                                                    SHA-256:E3D9CD23F107A82983986A6D48C04974639F03064CC9957F429102A22BCD44AC
                                                                                                                    SHA-512:68AEED2687D5F718FBF8157AB8FCB1A0341D449E37F601521EF47924C19605BB236DAB6768124929BDB910834773526F2E9215B40F862EF310B15A4BD197535A
                                                                                                                    Malicious:false
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                    Reputation:low
                                                                                                                    Preview:MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$..........J.k...k...k....o..k......k......k.......k.......k.......k.......k.......k.....4k...k..!k...k...h.....5m......l.....:j.....]k......j......n......k....m..k...k...k......k..Rich.k..........................PE..d....t.f.........."....)......N......`r........@..........................................`.........................................@l......Xz..(.......@.........1..J...+...0..H...0.$.T.....................$.(.......@............ .......#.......................text...|........................... ..`.rdata...z@.. ...|@.................@..@.data...,........j..................@....pdata....1.......1...o.............@..@.rodata......0......................@..@.qtmetad.....@......................@..P.qtmimed.#...P...$..................@..P_RDATA..0..........................@..@.rsrc...@..........................@..@.reloc..H....0.......p..........
                                                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):4916840
                                                                                                                    Entropy (8bit):6.398149817011711
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:49152:FCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvpiD0N+YEzI4og/RfzHLeHTRhFRNS:EG2QCwmHXnog/pzHAo/A2L
                                                                                                                    MD5:A7349236212B0E5CEC2978F2CFA49A1A
                                                                                                                    SHA1:5ABB08949162FD1985B89FFAD40AAF5FC769017E
                                                                                                                    SHA-256:A05D04A270F68C8C6D6EA2D23BEBF8CD1D5453B26B5442FA54965F90F1C62082
                                                                                                                    SHA-512:C7FF4F9146FEFEDC199360AA04236294349C881B3865EBC58C5646AD6B3F83FCA309DE1173F5EBF823A14BA65E5ADA77B46F20286D1EA62C37E17ADBC9A82D02
                                                                                                                    Malicious:false
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                    Reputation:low
                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|3..]...]...]..e\...]...\.5.]..e...]..wX...]..wY...]..e^...]..eX.y.]..eY...]..e]...]..eU./.]..e....]..e_...].Rich..].................PE..d................." ......8..........<).......................................K.....B.K...`A........................................`%G.x....(G.P.....J.@.....H.......J.h&....J.....p.D.p....................S<.(...pR<.@............S<.(............................text.....8.......8................. ..`.rdata...F....8..P....8.............@..@.data...`....@G......@G.............@....pdata........H......@H.............@..@.rsrc...@.....J......@J.............@..@.reloc........J......PJ.............@..B........................................................................................................................................................................................................................................
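Each dropped-file entry above states a libmagic-style File Type, a Size, an 8-bit entropy value and four digests, and the two PE entries' Preview lines show the MZ/PE headers and section names (.text, .rdata, .pdata, .qtmetad, .qtmimed, _RDATA, .rsrc, .reloc) those classifications are read from. The script below is an added example written for this page, not Joe Sandbox's code or the report's output: it recomputes those fields so that a file in hand can be matched against an entry, and it parses the PE headers for bitness, machine, DLL flag, subsystem, section names, trailing overlay and the stored CheckSum. It assumes that "Entropy (8bit)" is Shannon entropy in bits per byte, implements the standard PE image checksum (the CheckSumMappedFile algorithm), and runs on a constructed minimal PE32+ image built inline, not on the dropped Telegram binaries.

```python
import hashlib
import math
import struct
from collections import Counter

# PE/COFF constants: AMD64 machine, DLL characteristic, PE32+ optional-header magic
IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_DLL, PE32PLUS_MAGIC = 0x8664, 0x2000, 0x20B
SUBSYSTEMS = {2: "GUI", 3: "console"}
OPT64_SIZE, CHECKSUM_OFF, SUBSYSTEM_OFF = 240, 64, 68  # PE32+ opt header size; field offsets in it


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy of the byte histogram in bits per byte (0.0..8.0).
    Assumption: this is what the report's 'Entropy (8bit)' field measures."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hash_summary(data: bytes) -> dict:
    """The four digests listed per dropped file, upper-case hex as in the report."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE image checksum (CheckSumMappedFile algorithm): end-around-carry sum of
    32-bit words skipping the CheckSum field, folded to 16 bits, plus file length.
    checksum_offset must be 4-byte aligned (it is in any linker-produced file)."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def pe_summary(data: bytes) -> dict:
    """Headers behind the report's 'File Type' line plus overlay and checksum state."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    stored_checksum = struct.unpack_from("<I", data, opt + CHECKSUM_OFF)[0]
    subsystem = struct.unpack_from("<H", data, opt + SUBSYSTEM_OFF)[0]
    sections, data_end = [], 0
    for i in range(nsec):  # 40-byte section headers follow the optional header
        hdr = opt + opt_size + 40 * i
        sections.append(data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace"))
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        data_end = max(data_end, raw_ptr + raw_size)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "x86_64": machine == IMAGE_FILE_MACHINE_AMD64,
        "dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "sections": sections,
        "overlay_bytes": max(0, len(data) - data_end),  # data past the last section = overlay
        "checksum_valid": stored_checksum == pe_checksum(data, opt + CHECKSUM_OFF),
    }


def describe(data: bytes) -> dict:
    """Everything a dropped-file entry states about a PE, recomputed from its bytes."""
    fields = {"Size (bytes)": len(data), "Entropy (8bit)": entropy_8bit(data)}
    return {**fields, **hash_summary(data), **pe_summary(data)}


def build_sample_pe(sections, dll=False, gui=True, overlay=b"", stamp_checksum=True) -> bytes:
    """Constructed minimal PE32+ x86-64 image for offline testing (not the dropped
    Telegram binary): filler section bodies, only the header fields read above."""
    align = 512
    hdr_len = -(-(88 + OPT64_SIZE + 40 * len(sections)) // align) * align  # headers rounded up
    sec_hdrs, body, ptr = b"", b"", hdr_len
    for i, (name, content) in enumerate(sections):
        raw = content + b"\0" * (-len(content) % align)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(content), 0x1000 * (i + 1),
                                len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body, ptr = body + raw, ptr + len(raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64, so the optional header is at 88
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections), 0, 0, 0,
                       OPT64_SIZE, 0x22 | (IMAGE_FILE_DLL if dll else 0))
    opt = bytearray(OPT64_SIZE)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, SUBSYSTEM_OFF, 2 if gui else 3)
    image = bytearray(dos + b"PE\0\0" + coff + opt + sec_hdrs)
    image += b"\0" * (hdr_len - len(image)) + body + overlay
    if stamp_checksum:  # a linker stamps this last; bytes appended afterwards invalidate it
        struct.pack_into("<I", image, 88 + CHECKSUM_OFF, pe_checksum(bytes(image), 88 + CHECKSUM_OFF))
    return bytes(image)


# Constructed samples: a GUI executable with a Qt-style section name as in the
# first dropped PE's preview, and a console DLL with an overlay and no checksum.
SAMPLE_EXE = build_sample_pe([(b".text", bytes(range(256)) * 4),
                              (b".rdata", b"constructed\0" * 30), (b".qtmetad", b"\0" * 100)])
SAMPLE_DLL = build_sample_pe([(b".text", b"\xcc" * 64)], dll=True, gui=False,
                             overlay=b"appended after link", stamp_checksum=False)
REPORT_EXE, REPORT_DLL = describe(SAMPLE_EXE), describe(SAMPLE_DLL)
```

To check a real artifact, pass `open(path, "rb").read()` to `describe()` and compare the digests with the entry; the digests and entropy are what identify the file, while the PE fields explain the File Type string (`PE32+`, `(DLL)`, `(GUI)` versus `(console)`, `x86-64`). Two caveats for the 155 MB executable in the first entry: the pure-Python checksum loop is slow at that size, and a stored CheckSum of 0 (common when the linker was never asked to stamp one) always compares as invalid, so that field alone says nothing about tampering.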
                                                                                                                    Process:C:\Windows\SysWOW64\unarchiver.exe
                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1607
                                                                                                                    Entropy (8bit):5.16035855991339
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:fpxB+jGWGbWGWGpcG+AGWGpfUGbAGwUG+GtGWGnGWGNGlGpGzvbBq:fpDqLTMGVq
                                                                                                                    MD5:2507E7AEDE99A0AE68ADA658B7681028
                                                                                                                    SHA1:B82DE3C6E26AE629FAF9903EC2CF2B05D847A9F2
                                                                                                                    SHA-256:A8EBD2E56C7708702E4FD472AAB52AB79C8E1626AEB80DB25DFFFBE782D2F558
                                                                                                                    SHA-512:C5C77A69C95E3EF1FBE41BC5F6183E2349CD50F5B373FC71E743CFABCD695213FBEABBD601460CA3046F5D69162E94437EED7F251C4EA12F7A17F59E1F00640B
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Preview:09/28/2024 8:49 PM: Unpack: C:\Users\user\Downloads\tportable-x64.5.5.5.zip..09/28/2024 8:49 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\34yqvajp.yju..09/28/2024 8:49 PM: Received from standard out: ..09/28/2024 8:49 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..09/28/2024 8:49 PM: Received from standard out: ..09/28/2024 8:49 PM: Received from standard out: Scanning the drive for archives:..09/28/2024 8:49 PM: Received from standard out: 1 file, 57559317 bytes (55 MiB)..09/28/2024 8:49 PM: Received from standard out: ..09/28/2024 8:49 PM: Received from standard out: Extracting archive: C:\Users\user\Downloads\tportable-x64.5.5.5.zip..09/28/2024 8:49 PM: Received from standard out: --..09/28/2024 8:49 PM: Received from standard out: Path = C:\Users\user\Downloads\tportable-x64.5.5.5.zip..09/28/2024 8:49 PM: Received from standard out: Type = zip..09/28/2024 8:49 PM: Received from standard out: Physical Size = 57559317..0
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Sep 28 23:47:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2677
                                                                                                                    Entropy (8bit):3.9774135657715237
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:8ddTTbLGHqidAKZdA19ehwiZUklqehuy+3:8DD/Zy
                                                                                                                    MD5:EC7AB0AD7327E6F15053E39173DFB869
                                                                                                                    SHA1:CC07FB50F4BCF234C8D2931F0C48DF935A00A4A3
                                                                                                                    SHA-256:9CF972A3CE12048B4C6745F83F8A345637ED9A11FDCC54D60E9F56E418DC0F4A
                                                                                                                    SHA-512:0F2BF0D38662D037989AE23482459D25AD04B07E5F6A1EEA213D1697101A52ECB55AC3228CEE79A817E83B6A5DC35F2F9B31B7F1EB941EED58788D37D22BDB10
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Preview:L..................F.@.. ...$+.,............N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I=Y......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V=Y......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V=Y......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V=Y............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V=Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........y.Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Sep 28 23:47:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2679
                                                                                                                    Entropy (8bit):3.9929369218094197
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:8/dTTbLGHqidAKZdA1weh/iZUkAQkqehJy+2:8lDF9Q8y
                                                                                                                    MD5:475F57D1FB2445A42AF0123FF97E96E9
                                                                                                                    SHA1:E9DC49375E44FEA25235EB32E5E010B5EE2D53C7
                                                                                                                    SHA-256:F5EFD9C94140B991BE1C89465AA09B2BCEC17F9380F5C67B060B0D1E4C1189E5
                                                                                                                    SHA-512:949FA13193F630C7C484216579E22E06E4BA0674B83A745D83A3C52EAA1BBDE4A7A0BDC966BC124D12B8D0FF23A1BDFA6DD6EE6071D2762D42C1657C3C84B356
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Preview:L..................F.@.. ...$+.,....K.......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I=Y......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V=Y......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V=Y......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V=Y............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V=Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........y.Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2693
                                                                                                                    Entropy (8bit):4.006037433202603
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:8x8dTTbLsHqidAKZdA14tseh7sFiZUkmgqeh7svy+BX:8x8D7nVy
                                                                                                                    MD5:4FA6F6EB563422EEB954C7FAC21AAD14
                                                                                                                    SHA1:0EB7D5935C5CF339C419C6D98CAE3DC26DF35C97
                                                                                                                    SHA-256:F24D8EA06CE737774447AC166B6BEC27E808F52BEF6AEB4DBAAD11D09BB78E98
                                                                                                                    SHA-512:3B73FD12BAB873E13B84917A0D8F407B5285E9BC7460CBC1CA248DBA4EF55DE3AF6868B1BD65304C8E385717B8BA4E0F0DDA71073729147323989742681DE960
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Preview:L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I=Y......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V=Y......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V=Y......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V=Y............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........y.Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Sep 28 23:47:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2681
                                                                                                                    Entropy (8bit):3.9918671297380097
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:8sdTTbLGHqidAKZdA1vehDiZUkwqehty+R:8MDGny
                                                                                                                    MD5:645B451C9480763754B567BFE4D19B3B
                                                                                                                    SHA1:E550F1772F4A32B7BCF1216201FBB70D799A83DC
                                                                                                                    SHA-256:41ADFF69F03C940F23A5B9028E7C6C21805C988E1FC72506913153356368C0F6
                                                                                                                    SHA-512:2D33833EEC8D201B7BCCE9E918533FE2456FDC8CA2BB8E9A6E5F56CD7868D8736D6769D7ACBF8B01F8EC42889ED90335BD5277C6B1497EC4B0A63D984AD1218B
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Preview:L..................F.@.. ...$+.,....~?......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I=Y......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V=Y......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V=Y......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V=Y............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V=Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........y.Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Sep 28 23:47:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2681
                                                                                                                    Entropy (8bit):3.9798507794369447
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:8+dTTbLGHqidAKZdA1hehBiZUk1W1qehLy+C:8+DG9ry
                                                                                                                    MD5:0EE9593E004D664A090EF73760B44F16
                                                                                                                    SHA1:99FCAB946C1C659B85E1DB47DD6D7CD5343445FC
                                                                                                                    SHA-256:13B562A85681F73BAD20777A178BB023B4E448C9E3B39F9F453E8BB098D91E12
                                                                                                                    SHA-512:72AF0236655ADC69C9EEF04C882DCA9C4CE081346EC5CD6CCB963C69F7F056934BBF0397E7CEF99A7CA11BD5FEA97E78126F97504136C261B119EA5D31D4E8E1
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Sep 28 23:47:38 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2683
                                                                                                                    Entropy (8bit):3.9925159876041385
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:8E8dTTbLGHqidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbVy+yT+:8E8DYT/TbxWOvTbVy7T
                                                                                                                    MD5:2C050B66B1C053580FB25CCEF2B8A852
                                                                                                                    SHA1:92C041482E944A88E2681B37845BBF4E1D506220
                                                                                                                    SHA-256:5ADE254767286CBCE5F285F4D93304C64FE7F6E2C38257CB0CCB3A89C3161BD8
                                                                                                                    SHA-512:6B5083582CECC9851BE763E7536368F4D096980FF332F8816F8F830E972AA64D71B9592298AB2FFD1011E551020835FC7B211B5221B2FE2E6AD30048CFD82FDB
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):3839
                                                                                                                    Entropy (8bit):4.66655547139829
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:OEPm7B6klyK0ZWo9ZLQfJlD9/JotA/xl3yEKs:nPm7B6DnZJuxotA/xl9d
                                                                                                                    MD5:FBD08FF4871C3D47D10042ACE1CF0945
                                                                                                                    SHA1:4313B1092F2403F6C4446CDDC261486BEB2FEC9A
                                                                                                                    SHA-256:90B33E702D83A181AD439CE63498497B5B79156D27376CC6C7BD3149C97F6B96
                                                                                                                    SHA-512:7A44D4D7756B3B468CAFAD2B40660211450F2CA26B643019C4D4A8E02422DE0FFF19B9994AE0B5F34EE434B637E30E60801C468960D3DA706847649A910C8CD4
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):196608
                                                                                                                    Entropy (8bit):6.501084362566912
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:bS0aBFL9AxmGJYHrC+XQ4h11vsH0DBJjwcaGhyY5Eb:bS005y5u11vsH0Db0cHEb
                                                                                                                    MD5:48C11CB10FA4617C946A40CCE6F9A1C5
                                                                                                                    SHA1:968B2ABAD35E4C210FD527F4B301C739F2B355A2
                                                                                                                    SHA-256:553F0CC95421C6F15FC8CFD80EAF62F3C03D8A47599E84D638854B819C9DD060
                                                                                                                    SHA-512:E8F7B6F1BA5FF9410BC5EECA06A0DF713052D64BBDEDCD8FF87AF71707643E94C0734A58283B89AE7D0EE69DEA7595324387CB16AFEA1747BED0BEBAA9444330
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):16018
                                                                                                                    Entropy (8bit):7.962834994888358
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:384:PsD2bPJaMCUHU/hHekmn8GWO659wGZYqDl/au46eek4z6Sx7YWn:vbcTUMe8GInhYqlZkw6Sx7YWn
                                                                                                                    MD5:57E26C6E38582D89D62A04CF96BAAAF7
                                                                                                                    SHA1:A03FCE9689EBE6DE6A4EC37C9129D9B0CE2A794E
                                                                                                                    SHA-256:CE870A2FB7153906BA03BE21B55572BD8EAF60FCD370021E88E9475D6A277E6A
                                                                                                                    SHA-512:30FEE32C7DC1F9EA3E464C08D011FEC9C0B45F156B184D180FE9B87BDCBF4458F52153241C33116248BB6397E06689A0371EEEC95F1F0E08A929F18CD6F4D301
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):45882760
                                                                                                                    Entropy (8bit):7.997979156460257
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:786432:qfk2nQelz7O/+mVUFw4br6vfq8ozOcQJFiV+VMIQFOUT1HIC1D+LNUVmm+uP5RdO:qfkidN6WmGa434fgzJQJFirIQFOC1H+R
                                                                                                                    MD5:7007B8D688605D05646D1753BF76A39D
                                                                                                                    SHA1:6E2FE1957939FDCC465CFB1CFDD36C382FE8EBCD
                                                                                                                    SHA-256:A374195C34E1992F0FA765830AE2C4A15A25146376E796B38DD0AC8F6C006F1F
                                                                                                                    SHA-512:EE9CA7646032D53098D4416E74736A0E33836E27E940B73F5C4D2C13FBFBB11B5FF125469C8BD9AE87F0589AD92300E52ECE715F31D8531F31D2B4FACE68E372
                                                                                                                    Malicious:false
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):45882760
                                                                                                                    Entropy (8bit):7.997979156460257
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:786432:qfk2nQelz7O/+mVUFw4br6vfq8ozOcQJFiV+VMIQFOUT1HIC1D+LNUVmm+uP5RdO:qfkidN6WmGa434fgzJQJFirIQFOC1H+R
                                                                                                                    MD5:7007B8D688605D05646D1753BF76A39D
                                                                                                                    SHA1:6E2FE1957939FDCC465CFB1CFDD36C382FE8EBCD
                                                                                                                    SHA-256:A374195C34E1992F0FA765830AE2C4A15A25146376E796B38DD0AC8F6C006F1F
                                                                                                                    SHA-512:EE9CA7646032D53098D4416E74736A0E33836E27E940B73F5C4D2C13FBFBB11B5FF125469C8BD9AE87F0589AD92300E52ECE715F31D8531F31D2B4FACE68E372
                                                                                                                    Malicious:false
                                                                                                                    Antivirus:
                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):57559317
                                                                                                                    Entropy (8bit):7.997574488136236
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:1572864:wYYeQ7692eqgfTcGdzoh129lRMOneWyRa:Ho6sMTdqc/RMOnpqa
                                                                                                                    MD5:DE88E2BDDF7B2C0A91BD0C566A4B7756
                                                                                                                    SHA1:6630B3870AF28AAE610B72E719BDF5B358963BF4
                                                                                                                    SHA-256:129794BC072A403E13BF0885E2CB34415D91FDEA82AEA2AD5B03DA08286A063E
                                                                                                                    SHA-512:AB395AB5127178E014D156ED6E543ED081C09EF45C29B9D646787A4110877B20DEAE5A2D71467CEBA0C358A074B7C6760A5FAAFA92FE7F544E91E3AD06A9F284
                                                                                                                    Malicious:true
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):57559317
                                                                                                                    Entropy (8bit):7.997574488136236
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:1572864:wYYeQ7692eqgfTcGdzoh129lRMOneWyRa:Ho6sMTdqc/RMOnpqa
                                                                                                                    MD5:DE88E2BDDF7B2C0A91BD0C566A4B7756
                                                                                                                    SHA1:6630B3870AF28AAE610B72E719BDF5B358963BF4
                                                                                                                    SHA-256:129794BC072A403E13BF0885E2CB34415D91FDEA82AEA2AD5B03DA08286A063E
                                                                                                                    SHA-512:AB395AB5127178E014D156ED6E543ED081C09EF45C29B9D646787A4110877B20DEAE5A2D71467CEBA0C358A074B7C6760A5FAAFA92FE7F544E91E3AD06A9F284
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:ASCII text, with very long lines (42164)
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):42523
                                                                                                                    Entropy (8bit):5.082709528800747
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:384:6RvBBVkrJxvcwYBUQ7X85AUfvDUNeFUBOgBmjeYP4PSvSdlb1bGjpXJNNRyIrOM:2k0p38OBmjeYP4xb1bG/bRyIH
                                                                                                                    MD5:C2656E265EF58A9CC9F4B70B15DA5FB9
                                                                                                                    SHA1:85C5EBDB89D4574D72688C2650D4B84B9B09770A
                                                                                                                    SHA-256:F1D083FFAA644C708F11DB29707AA57C19246E6D32643B03FEE3F82C17B224B3
                                                                                                                    SHA-512:6417AADEBEEF4EE35381BFC7034148D57FD061D84DE9974D798468C6426C24A6BD1C9913CF517ACCF3E349FA06CBDD546D2883EA8391C595285FE0C6127E26E8
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://telegram.org/css/bootstrap.min.css?3
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):15086
                                                                                                                    Entropy (8bit):4.980767694952946
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:96:jJkRRRRRRRRRRRRRRRRRRRRRRRRRRRRutRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRC:jJ/1MJNF6m9XC801f6x7QJGp18G2QR
                                                                                                                    MD5:5791D664309E275F4569D2F993C44782
                                                                                                                    SHA1:A68F363153614A09F10AE2892C134B9C4B001D4B
                                                                                                                    SHA-256:4FF54BC38C267DC3A8C95F6ED4590336BAAEC70433EF15D027DDCA608C391E78
                                                                                                                    SHA-512:93502A68F14FD4F87E0AA2CAD92A5657A8587E6ACB1C108CCD8CEB5E52776E77DF867962C51E1290316BB78027DA636F38C065294871B4400FBBC4DEDF622EE1
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://desktop.telegram.org/img/favicon.ico
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:Web Open Font Format (Version 2), TrueType, length 11040, version 1.0
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):11040
                                                                                                                    Entropy (8bit):7.982229448383992
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:192:4Q49xPa2JiaMac+2d26KTpwgLfdRVH8Hfyj+lGSdVtxejHgwPvuD14CBt/F8bxt:4QcNc+2w6eJcIoGSdVtxoHgU+1B8bxt
                                                                                                                    MD5:5E22A46C04D947A36EA0CAD07AFCC9E1
                                                                                                                    SHA1:6091D981C2A4EE975C7F6B56186EE698040BB804
                                                                                                                    SHA-256:0F53E8B0A717CA4CE313EEC62B90D41DB62C2F4946259A65C93BF8E84C5B0C44
                                                                                                                    SHA-512:3E2DCB20C7416160573EA7C7A17BF7250132C5203161B03AEAA3CF065E3CE609DA6D1B317D3739AAD7FC0C092C44CD0C4EA5657A63BFA530C66F9B0ECB9DAF15
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://telegram.org/fonts/Roboto/KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:PNG image data, 840 x 487, 8-bit/color RGBA, non-interlaced
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):189734
                                                                                                                    Entropy (8bit):7.995418777360924
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:3072:qKCCO9mMyY1K6SCUQB4AxtinSEItHFDukVnxJQTu6r6R7NApp4rFDwGIQ:nzOkMy97CRR3Ljn5n2uYgGkKQ
                                                                                                                    MD5:40D4266E5AADC87CCEEC1AB420DC2692
                                                                                                                    SHA1:266C56990A106B6E9EFB0F9EF2A1A752AA6FA0FC
                                                                                                                    SHA-256:3A1D4890B3E91A01C20C65B75F1AE028E3C445CAD1FD2D249DD0868876DFE4B4
                                                                                                                    SHA-512:7DE32DEFDD87034F29930A7A32915100C2A109A80C79EED4C0A5F3127D1101FE0BF59B41CB4C5807F6FEA29A7721EBE74C55A8A4942C4EF67EDC40B860F46277
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:ASCII text
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):6166
                                                                                                                    Entropy (8bit):5.4227704706263475
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:192:KR6tGVFJ3qFl5p3AkmztIZa+XqtRcalH9:wTY7t8t
                                                                                                                    MD5:C706681409217A14A24C7E2DEB8CF423
                                                                                                                    SHA1:08B443FE5BC6A223A9DE08FB56282365B1D13857
                                                                                                                    SHA-256:84B97B3FA8847B64C6D3833561E4B3146530577171E85AD226578A087DB70974
                                                                                                                    SHA-512:2520A5417426CEA58972529B3776713958FF259CC8467EBAFBE291BD040E27195054C4133F4A9518D78DA38DDF4F7CDAC64DA0813DA33BBE707AD13AF5BAA7C1
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://telegram.org/css/font-roboto.css?1
                                                                                                                    Preview:/* cyrillic-ext */.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url('../fonts/Roboto/KFOmCnqEu92Fr1Mu72xKKTU1Kvnz.woff2') format('woff2');. unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;.}./* cyrillic */.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url('../fonts/Roboto/KFOmCnqEu92Fr1Mu5mxKKTU1Kvnz.woff2') format('woff2');. unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;.}./* greek-ext */.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url('../fonts/Roboto/KFOmCnqEu92Fr1Mu7mxKKTU1Kvnz.woff2') format('woff2');. unicode-range: U+1F00-1FFF;.}./* greek */.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url('../fonts/Roboto/KFOmCnqEu92Fr1Mu4WxKKTU1Kvnz.woff2') format('woff2');. un
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):15086
                                                                                                                    Entropy (8bit):4.980767694952946
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:96:jJkRRRRRRRRRRRRRRRRRRRRRRRRRRRRutRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRC:jJ/1MJNF6m9XC801f6x7QJGp18G2QR
                                                                                                                    MD5:5791D664309E275F4569D2F993C44782
                                                                                                                    SHA1:A68F363153614A09F10AE2892C134B9C4B001D4B
                                                                                                                    SHA-256:4FF54BC38C267DC3A8C95F6ED4590336BAAEC70433EF15D027DDCA608C391E78
                                                                                                                    SHA-512:93502A68F14FD4F87E0AA2CAD92A5657A8587E6ACB1C108CCD8CEB5E52776E77DF867962C51E1290316BB78027DA636F38C065294871B4400FBBC4DEDF622EE1
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:ASCII text, with very long lines (42164)
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):42523
                                                                                                                    Entropy (8bit):5.082709528800747
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:384:6RvBBVkrJxvcwYBUQ7X85AUfvDUNeFUBOgBmjeYP4PSvSdlb1bGjpXJNNRyIrOM:2k0p38OBmjeYP4xb1bG/bRyIH
                                                                                                                    MD5:C2656E265EF58A9CC9F4B70B15DA5FB9
                                                                                                                    SHA1:85C5EBDB89D4574D72688C2650D4B84B9B09770A
                                                                                                                    SHA-256:F1D083FFAA644C708F11DB29707AA57C19246E6D32643B03FEE3F82C17B224B3
                                                                                                                    SHA-512:6417AADEBEEF4EE35381BFC7034148D57FD061D84DE9974D798468C6426C24A6BD1C9913CF517ACCF3E349FA06CBDD546D2883EA8391C595285FE0C6127E26E8
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://desktop.telegram.org/css/bootstrap.min.css?3
                                                                                                                    Preview:/*!. * Bootstrap v3.2.0 (http://getbootstrap.com). * Copyright 2011-2014 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). */../*!. * Generated using the Bootstrap Customizer (http://getbootstrap.com/customize/?id=92d2ac1b31978642b6b6). * Config saved to config.json and https://gist.github.com/92d2ac1b31978642b6b6. *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:0.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{fo
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:ASCII text
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):21478
                                                                                                                    Entropy (8bit):4.9401794405194135
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:384:FCxaBo7s5dibe4UbBHasovLi1xPSoGBejIfD5FQhPOwIc:FCxko7UALi1xdGFTcIc
                                                                                                                    MD5:4C9BA6B680FC51B6E5BD4217A1550C88
                                                                                                                    SHA1:3FA0E7D643CC1E3008E0FFEBA46A1E3682E2EAF7
                                                                                                                    SHA-256:51C4D88FD78F3B8EFB16F845E75BE7F1BB288FDF2FD39D033868A0346DB7FADB
                                                                                                                    SHA-512:42706B3E53134B3EA0FCE3A5775D8929634EAB202856794D6E5E71FFA44B83487AA992D3D933FBE2BD5B2CF084F20206EE13BA904A713114E566DA6474A8C3D1
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://desktop.telegram.org/js/main.js?47
                                                                                                                    Preview:var startTime = +(new Date());.function dT() {. return '[' + ((+(new Date()) - startTime)/ 1000.0) + '] ';.}..var jsonpCallbacks = [];.function twitterCustomShareInit () {. var btns = document.querySelectorAll. ? document.querySelectorAll('.tl_twitter_share_btn'). : [document.getElementById('tl_twitter_share_btn')];.. if (!btns.length) {. return;. }. var head = document.getElementsByTagName('head')[0], i, script;. for (i = 0; i < btns.length; i++) {. (function (btn) {. var status = btn.getAttribute('data-text'),. url = btn.getAttribute('data-url') || location.toString() || 'https://telegram.org/',. via = btn.getAttribute('data-via'),. urlEncoded = encodeURIComponent(url),. popupUrl = 'https://twitter.com/intent/tweet?text=' + encodeURIComponent(status) + '&url=' + urlEncoded + '&via=' + encodeURIComponent(via);.. btn.setAttribute('href', popupUrl);. btn.href = popupUrl;.. btn.addEventListe
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:PNG image data, 21 x 17, 8-bit/color RGBA, non-interlaced
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):1272
                                                                                                                    Entropy (8bit):6.759893244400297
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24:ay1he91Wwjx82lY2T3ouVMgK5iyJ3V6pKzLXGLfarUZdR+p0tN:awqQNn2xCJ3xKjZD+p0z
                                                                                                                    MD5:1ED9BF7633F4F449C8D2DF94EA0EB35F
                                                                                                                    SHA1:2902BA9C2B127C74C2550298A0578D7D8DA941C2
                                                                                                                    SHA-256:E7D23B06A4FFD600558E5443D1E32DAAAF13A27CF7BB8B7CC163A92B4054AAF2
                                                                                                                    SHA-512:51DD36178DD85F062FEE20903A4F0981CA34EB24A7E7245191EF43D493CD47F756389E548A731109F1C0463BA3BD1D3D4F7C4C623639B9514EB2FB9619124F07
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://desktop.telegram.org/img/twitter.png
                                                                                                                    Preview:.PNG........IHDR.............2......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:BD511DF2556611E48F9585596B882309" xmpMM:DocumentID="xmp.did:BD511DF3556611E48F9585596B882309"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:BD511DF0556611E48F9585596B882309" stRef:documentID="xmp.did:BD511DF1556611E48F9585596B882309"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.."...lIDATx..O(.a....19P....up...r...XI.M.."G.*)g.....f..p.h.....Rh/.. ..O=S.3..z..........5.it....L2+...i6g..
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:ASCII text, with very long lines (1267)
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):115228
                                                                                                                    Entropy (8bit):5.153170283271925
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:xylcfDxYzbJ3iw93BC2WXdm791WoDYzghw4uJuhwNpfewltog69FjxWDpfxV685u:xylc7xYzwwyrXkC0YzPvL5u
                                                                                                                    MD5:CC407E432532261714CA106E967BED72
                                                                                                                    SHA1:6D93BAF813EA6291DA475634726D3D7B3FE415C2
                                                                                                                    SHA-256:F5F739B99351C1D64B3B890E80E78A9267E9AD2EFE8116999EAD3749D849E131
                                                                                                                    SHA-512:7C9D63D818843E406D31D3BEB7A9CF4A58F503346DDDA554E55B3C8FC1D940CC0707C44E2C42F1B79B3B9795DF036D68FCAAF855E205D06436A5793125AC02BC
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://desktop.telegram.org/css/telegram.css?241
                                                                                                                    Preview:body {. font: 12px/18px "Lucida Grande", "Lucida Sans Unicode", Arial, Helvetica, Verdana, sans-serif;. /*-webkit-font-smoothing: antialiased;*/.}.html.native_fonts body {. font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";.}.html.lang_rtl {. direction: rtl;.}..body,.html.theme_dark body.bg_light {. --text-color: #000;. --second-text-color: #7d7f81;. --accent-btn-color: #2481cc;. --accent-color-hover: #1a8ad5;. --body-bg: #fff;. --box-bg: #fff;. --box-bg-blured: rgba(255, 255, 255, .84);. --tme-logo-color: #363b40;. --accent-link-color: #2481cc;.. --icon-verified: url('data:image/svg+xml,%3Csvg%20fill%3D%22none%22%20height%3D%2226%22%20viewBox%3D%220%200%2026%2026%22%20width%3D%2226%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cpath%20d%3D%22m6%206h12v12h-12z%22%20fill%3D%22%23fff%22%2F%3E%3Cpath%20clip-rule%3D%22evenodd%22%20d%3D%22m14.38%201.51%201.82%
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:ASCII text
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):21478
                                                                                                                    Entropy (8bit):4.9401794405194135
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:384:FCxaBo7s5dibe4UbBHasovLi1xPSoGBejIfD5FQhPOwIc:FCxko7UALi1xdGFTcIc
                                                                                                                    MD5:4C9BA6B680FC51B6E5BD4217A1550C88
                                                                                                                    SHA1:3FA0E7D643CC1E3008E0FFEBA46A1E3682E2EAF7
                                                                                                                    SHA-256:51C4D88FD78F3B8EFB16F845E75BE7F1BB288FDF2FD39D033868A0346DB7FADB
                                                                                                                    SHA-512:42706B3E53134B3EA0FCE3A5775D8929634EAB202856794D6E5E71FFA44B83487AA992D3D933FBE2BD5B2CF084F20206EE13BA904A713114E566DA6474A8C3D1
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Preview:var startTime = +(new Date());.function dT() {. return '[' + ((+(new Date()) - startTime)/ 1000.0) + '] ';.}..var jsonpCallbacks = [];.function twitterCustomShareInit () {. var btns = document.querySelectorAll. ? document.querySelectorAll('.tl_twitter_share_btn'). : [document.getElementById('tl_twitter_share_btn')];.. if (!btns.length) {. return;. }. var head = document.getElementsByTagName('head')[0], i, script;. for (i = 0; i < btns.length; i++) {. (function (btn) {. var status = btn.getAttribute('data-text'),. url = btn.getAttribute('data-url') || location.toString() || 'https://telegram.org/',. via = btn.getAttribute('data-via'),. urlEncoded = encodeURIComponent(url),. popupUrl = 'https://twitter.com/intent/tweet?text=' + encodeURIComponent(status) + '&url=' + urlEncoded + '&via=' + encodeURIComponent(via);.. btn.setAttribute('href', popupUrl);. btn.href = popupUrl;.. btn.addEventListe
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:SVG Scalable Vector Graphics image
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):231706
                                                                                                                    Entropy (8bit):4.593328315871064
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:XVU9J794HJ4E7mwNUiRPt5jmU7LxmMS2S1J7g8tEqcqMWKB5v:Xew7ePc
                                                                                                                    MD5:D0C22C6A97023D85BA6E644A41C44A5D
                                                                                                                    SHA1:4284EFB616C182DA4450C123174CE0E81A322845
                                                                                                                    SHA-256:118ADD53487C02AAF5B5AB9F69380FA06717DEB10492E14AAA487E3C62806AD4
                                                                                                                    SHA-512:DA96462F4F999BB65509D32E4D5D2E1FD74555CE78D43E5F80FC350155BCE59250337CD1796B17D2132F39429B5E3FD95D05101EE9F9B29BCE2BB7B44B6E4EB8
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://telegram.org/img/tgme/pattern.svg?1
                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>. Generator: Adobe Illustrator 27.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->.<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px".. viewBox="0 0 1440 2960" style="enable-background:new 0 0 1440 2960;" xml:space="preserve">.<style type="text/css">...st0{fill:none;stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}...st1{fill:none;stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10.0001;}...st2{fill:none;stroke:#000000;stroke-width:2.9998;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:9.9995;}...st3{stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}...st4{fill:none;stroke:#000000;stroke-width:2.9999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:9.9998;}...st5{fill:none;stroke:#000000;stroke-width:3.0001
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:ASCII text, with very long lines (2979), with no line terminators
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):2979
                                                                                                                    Entropy (8bit):5.648534994584625
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:UQEHvIUHtDAYabRP46xcOfRRlUOS3+/fmsghxLU7Suj5OQRSLfctS/6uMMWjfYA1:vaLJByxvS3o6U7PRPM0j
                                                                                                                    MD5:2B89D34702716A8AD2CC3977718F53A3
                                                                                                                    SHA1:04406EBD6A9E2CE79DBAC5E5048CFE1384E4574A
                                                                                                                    SHA-256:2031E418EE10AF8110729B3F327B968462FC0A9D8D1DA095387BB472CCD0DEE6
                                                                                                                    SHA-512:E6FBDA1E7D1E24C0DB5A724E4CD30C883CEB5D35DE1CC6AB8851C9B19E202024752E7E42AECC21002F9F9684EA98775F1EBE0EE8DA9BD7562DAC2FE171464242
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://telegram.org/js/tgwallpaper.min.js?3
                                                                                                                    Preview:var TWallpaper=function(){function x(a){for(var b=[].concat(G);0<a;)b.push(b.shift()),a--;a=[];for(var c=0;c<b.length;c+=2)a.push(b[c]);return a}function B(a,b){b%=90;var c=x(a%p);if(b){var d=x(++a%p);return[{x:c[0].x+(d[0].x-c[0].x)/90*b,y:c[0].y+(d[0].y-c[0].y)/90*b},{x:c[1].x+(d[1].x-c[1].x)/90*b,y:c[1].y+(d[1].y-c[1].y)/90*b},{x:c[2].x+(d[2].x-c[2].x)/90*b,y:c[2].y+(d[2].y-c[2].y)/90*b},{x:c[3].x+(d[3].x-c[3].x)/90*b,y:c[3].y+(d[3].y-c[3].y)/90*b}]}return c}function H(a){for(l+=a;90<=l;)l-=90,g++,g>=p&&(g-=p);for(;0>l;)l+=90,g--,0>g&&(g+=p)}function I(a){C+=a.deltaY;D||(requestAnimationFrame(P),D=!0)}function P(){var a=C/50;C%=50;if(a=0<a?Math.floor(a):Math.ceil(a))H(a),a=B(g,l),y(z(a));D=!1}function Q(){if(0<A.length){var a=A.shift();y(a)}else clearInterval(E)}function z(a){for(var b=f._hctx.createImageData(50,50),c=b.data,d=0,q=0;50>q;q++)for(var h=q/50-.5,F=h*h,v=0;50>v;v++){var m=v/50-.5,e=.35*Math.sqrt(m*m+F);e=e*e*6.4;var r=Math.sin(e),w=Math.cos(e);e=Math.max(0,Math.min(1,.5
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:PNG image data, 840 x 487, 8-bit/color RGBA, non-interlaced
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):189734
                                                                                                                    Entropy (8bit):7.995418777360924
                                                                                                                    Encrypted:true
                                                                                                                    SSDEEP:3072:qKCCO9mMyY1K6SCUQB4AxtinSEItHFDukVnxJQTu6r6R7NApp4rFDwGIQ:nzOkMy97CRR3Ljn5n2uYgGkKQ
                                                                                                                    MD5:40D4266E5AADC87CCEEC1AB420DC2692
                                                                                                                    SHA1:266C56990A106B6E9EFB0F9EF2A1A752AA6FA0FC
                                                                                                                    SHA-256:3A1D4890B3E91A01C20C65B75F1AE028E3C445CAD1FD2D249DD0868876DFE4B4
                                                                                                                    SHA-512:7DE32DEFDD87034F29930A7A32915100C2A109A80C79EED4C0A5F3127D1101FE0BF59B41CB4C5807F6FEA29A7721EBE74C55A8A4942C4EF67EDC40B860F46277
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://desktop.telegram.org/img/td_laptop.png
                                                                                                                    Preview:.PNG........IHDR...H..........2}.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx....%gu...p.9..{.hF......H..D2\..?0.m.`..y...6.e..}..#...X.....X...H..@.......S....V.L+.hF...R.P......$......x-M/..r.NK..ko)..(..(O...)....v......x.v.S....).H..t-M/....Q.EQ.EQ...h..M.HB.....F.S.J..L..4.H.UQ.EQ.E9.../h......M... =I...|).I..(..(..t.i..|.7...*..Nq..T...7.EQ.EQ....hz9...v....C.]A...)...(..(...!|......O..yb.h.....#EQ.EQ....+)_....Q.....+..*+s..EQ.EQ...$....}.{wiW<~......*..EQ.EQ.#....h7.@:\.W.@Q.EQ.E9.y..W^y.v...C..d....'.EQ.EQ.....]...P.2.3EQ.EQ..(....*..5...P.EQ.EQ..V^y.'k7.@:...].(..(......I1...P.EQ.EQ.~U...j....(..(.QDY.@...(..(..(..$EQ.EQ.EQ..H..(..(..(O..v..I.D;AQ.EQ.EQ....IQ.EQ.EQ.E...(..(..(..$EQ.EQ.EQ..H..(..(..(.B.4.!.J%.[.N;BQ.EQ...e...h6...*..f...i..5o.....^.q.C.G1:A.R.F.Q...(..(.R.q.....c..d...^..uX4{_....]....AP..d.,.{..vI$.(..(..,C,E.M..^..d?1....~....EQ.EQ.EQ..H..(..(..(*..EQ.EQ.EQ.Es.......G..EQ.EQ..7...$EQ.EQ.EQ..H..(..(..(*..EQ.EQ.EQT )..(..
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:ASCII text, with very long lines (1267)
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):115228
                                                                                                                    Entropy (8bit):5.153170283271925
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:xylcfDxYzbJ3iw93BC2WXdm791WoDYzghw4uJuhwNpfewltog69FjxWDpfxV685u:xylc7xYzwwyrXkC0YzPvL5u
                                                                                                                    MD5:CC407E432532261714CA106E967BED72
                                                                                                                    SHA1:6D93BAF813EA6291DA475634726D3D7B3FE415C2
                                                                                                                    SHA-256:F5F739B99351C1D64B3B890E80E78A9267E9AD2EFE8116999EAD3749D849E131
                                                                                                                    SHA-512:7C9D63D818843E406D31D3BEB7A9CF4A58F503346DDDA554E55B3C8FC1D940CC0707C44E2C42F1B79B3B9795DF036D68FCAAF855E205D06436A5793125AC02BC
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://telegram.org/css/telegram.css?241
                                                                                                                    Preview:body {. font: 12px/18px "Lucida Grande", "Lucida Sans Unicode", Arial, Helvetica, Verdana, sans-serif;. /*-webkit-font-smoothing: antialiased;*/.}.html.native_fonts body {. font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";.}.html.lang_rtl {. direction: rtl;.}..body,.html.theme_dark body.bg_light {. --text-color: #000;. --second-text-color: #7d7f81;. --accent-btn-color: #2481cc;. --accent-color-hover: #1a8ad5;. --body-bg: #fff;. --box-bg: #fff;. --box-bg-blured: rgba(255, 255, 255, .84);. --tme-logo-color: #363b40;. --accent-link-color: #2481cc;.. --icon-verified: url('data:image/svg+xml,%3Csvg%20fill%3D%22none%22%20height%3D%2226%22%20viewBox%3D%220%200%2026%2026%22%20width%3D%2226%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cpath%20d%3D%22m6%206h12v12h-12z%22%20fill%3D%22%23fff%22%2F%3E%3Cpath%20clip-rule%3D%22evenodd%22%20d%3D%22m14.38%201.51%201.82%
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:SVG Scalable Vector Graphics image
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):231706
                                                                                                                    Entropy (8bit):4.593328315871064
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:1536:XVU9J794HJ4E7mwNUiRPt5jmU7LxmMS2S1J7g8tEqcqMWKB5v:Xew7ePc
                                                                                                                    MD5:D0C22C6A97023D85BA6E644A41C44A5D
                                                                                                                    SHA1:4284EFB616C182DA4450C123174CE0E81A322845
                                                                                                                    SHA-256:118ADD53487C02AAF5B5AB9F69380FA06717DEB10492E14AAA487E3C62806AD4
                                                                                                                    SHA-512:DA96462F4F999BB65509D32E4D5D2E1FD74555CE78D43E5F80FC350155BCE59250337CD1796B17D2132F39429B5E3FD95D05101EE9F9B29BCE2BB7B44B6E4EB8
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>. Generator: Adobe Illustrator 27.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->.<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px".. viewBox="0 0 1440 2960" style="enable-background:new 0 0 1440 2960;" xml:space="preserve">.<style type="text/css">...st0{fill:none;stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}...st1{fill:none;stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10.0001;}...st2{fill:none;stroke:#000000;stroke-width:2.9998;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:9.9995;}...st3{stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}...st4{fill:none;stroke:#000000;stroke-width:2.9999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:9.9998;}...st5{fill:none;stroke:#000000;stroke-width:3.0001
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:ASCII text, with very long lines (2979), with no line terminators
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):2979
                                                                                                                    Entropy (8bit):5.648534994584625
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:48:UQEHvIUHtDAYabRP46xcOfRRlUOS3+/fmsghxLU7Suj5OQRSLfctS/6uMMWjfYA1:vaLJByxvS3o6U7PRPM0j
                                                                                                                    MD5:2B89D34702716A8AD2CC3977718F53A3
                                                                                                                    SHA1:04406EBD6A9E2CE79DBAC5E5048CFE1384E4574A
                                                                                                                    SHA-256:2031E418EE10AF8110729B3F327B968462FC0A9D8D1DA095387BB472CCD0DEE6
                                                                                                                    SHA-512:E6FBDA1E7D1E24C0DB5A724E4CD30C883CEB5D35DE1CC6AB8851C9B19E202024752E7E42AECC21002F9F9684EA98775F1EBE0EE8DA9BD7562DAC2FE171464242
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Preview:var TWallpaper=function(){function x(a){for(var b=[].concat(G);0<a;)b.push(b.shift()),a--;a=[];for(var c=0;c<b.length;c+=2)a.push(b[c]);return a}function B(a,b){b%=90;var c=x(a%p);if(b){var d=x(++a%p);return[{x:c[0].x+(d[0].x-c[0].x)/90*b,y:c[0].y+(d[0].y-c[0].y)/90*b},{x:c[1].x+(d[1].x-c[1].x)/90*b,y:c[1].y+(d[1].y-c[1].y)/90*b},{x:c[2].x+(d[2].x-c[2].x)/90*b,y:c[2].y+(d[2].y-c[2].y)/90*b},{x:c[3].x+(d[3].x-c[3].x)/90*b,y:c[3].y+(d[3].y-c[3].y)/90*b}]}return c}function H(a){for(l+=a;90<=l;)l-=90,g++,g>=p&&(g-=p);for(;0>l;)l+=90,g--,0>g&&(g+=p)}function I(a){C+=a.deltaY;D||(requestAnimationFrame(P),D=!0)}function P(){var a=C/50;C%=50;if(a=0<a?Math.floor(a):Math.ceil(a))H(a),a=B(g,l),y(z(a));D=!1}function Q(){if(0<A.length){var a=A.shift();y(a)}else clearInterval(E)}function z(a){for(var b=f._hctx.createImageData(50,50),c=b.data,d=0,q=0;50>q;q++)for(var h=q/50-.5,F=h*h,v=0;50>v;v++){var m=v/50-.5,e=.35*Math.sqrt(m*m+F);e=e*e*6.4;var r=Math.sin(e),w=Math.cos(e);e=Math.max(0,Math.min(1,.5
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:Web Open Font Format (Version 2), TrueType, length 11028, version 1.0
                                                                                                                    Category:downloaded
                                                                                                                    Size (bytes):11028
                                                                                                                    Entropy (8bit):7.982077315529319
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:192:4oijUxKA0B3BxJPeLrh00JWNhi5A5HWdZ6SfroKthzwbMcYfQKvwpFVX2T+:Nx4bexHAE6STltlwbMcovaET+
                                                                                                                    MD5:1F6D3CF6D38F25D83D95F5A800B8CAC3
                                                                                                                    SHA1:279F300CA2CBBDF9F5036EF2F438607FBF377DAA
                                                                                                                    SHA-256:796DE064B8D80EBA7CCACB8BA67D77FDBCDF4B385C844645D452C24537B3108F
                                                                                                                    SHA-512:716305F4D2582683B64C61B5E2390983579EA0FB33C936DD3EA8362872176625FBCB6F5AD18D2ABF85DA82D14C33A9640DFC5749922CB2FC079DDF37864F361F
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    URL:https://telegram.org/fonts/Roboto/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2
                                                                                                                    Preview:wOF2......+.......T(..*..........................d..d..^.`.. ....\.r.....6.$.... ..t. ..EEF....(j....._'pr.X..C.....%I..=..#7fC....y./...z../.d\H...wN.........=.....!GF...uNG`Nd.".....~..a..`.)..R.!5jTH....i@.7T*T,0iI;...kv..+.bR.%.3.....;I^..T.T.........4..tZ3.d..J.D5.w...ve...6...HI'%E..E{..G.l........]WY..M........Q.w<.....lu..A.p.v...e.NQ...'i...y...,.FK...=.r.....*.{..].+.K...I.e...?.t...R...R...p....4T+.....!1....A.1...JE.....d./......,.......?..%.p.p..6..!..@..H...*.....)..*..A3.1? .(`.....D..X.30..gl.b... v..;...u...1.9.......?@..(..@........x.g.L........g..jt..f.........x.....9vB..FM.;U.IS..wf.....O~.RP.,4.x..J./.j.......9h/..*...6.....z.f..._..b..........z......r. .C.>j..@D.. :G.2.|..z.^.[...7.....v9_=.$..G1..=c.dhz..Q,oP....*..[...f.b\.Z.aa....n.u...T..!'[..NC{.o.g.N..Y.F..a}...X..x2...q.X......P.{.n+..'G.o.b.N..6[;5..q..&.r...}k}.O.JVL).y.>..#..[.j.b.OV...[!...<.+.k.}..P..x...y...Q.....A.=.C....y.B+....2}\...f3...U.Sd?l.^7._}].G@..9R.
                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    File Type:PNG image data, 21 x 17, 8-bit/color RGBA, non-interlaced
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):1272
                                                                                                                    Entropy (8bit):6.759893244400297
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:24:ay1he91Wwjx82lY2T3ouVMgK5iyJ3V6pKzLXGLfarUZdR+p0tN:awqQNn2xCJ3xKjZD+p0z
                                                                                                                    MD5:1ED9BF7633F4F449C8D2DF94EA0EB35F
                                                                                                                    SHA1:2902BA9C2B127C74C2550298A0578D7D8DA941C2
                                                                                                                    SHA-256:E7D23B06A4FFD600558E5443D1E32DAAAF13A27CF7BB8B7CC163A92B4054AAF2
                                                                                                                    SHA-512:51DD36178DD85F062FEE20903A4F0981CA34EB24A7E7245191EF43D493CD47F756389E548A731109F1C0463BA3BD1D3D4F7C4C623639B9514EB2FB9619124F07
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Preview:.PNG........IHDR.............2......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:BD511DF2556611E48F9585596B882309" xmpMM:DocumentID="xmp.did:BD511DF3556611E48F9585596B882309"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:BD511DF0556611E48F9585596B882309" stRef:documentID="xmp.did:BD511DF1556611E48F9585596B882309"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.."...lIDATx..O(.a....19P....up...r...XI.M.."G.*)g.....f..p.h.....Rh/.. ..O=S.3..z..........5.it....L2+...i6g..
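The file records above are a flat key:value dump, and two of them (pattern.svg and tgwallpaper.min.js) appear twice, once as "downloaded" with a URL and once as "dropped" without one, because Chrome writes the fetched resource into its on-disk cache. The SHA-256 is the join key between the two. The PNG and WOFF2 records are also flagged "Encrypted:true" or sit near 8.0 bits/byte purely because they are DEFLATE/Brotli-compressed media, not because anything is encrypted. The script below is an added example written for this page, not Joe Sandbox code: it parses records in the report's own layout, links dropped copies back to their download URL by hash, recomputes the hash and entropy fields for a blob of bytes, and lists high-entropy records whose file type explains the entropy. The sample records are copied from this report; the 7.9 bits/byte threshold used for the "Encrypted" flag is an assumption for illustration, since the sandbox's exact cut-off is not published here.

```python
"""Triage helpers for Joe Sandbox 'dropped/downloaded file' records.

Added example, not part of the original report and not Joe Sandbox code.
"""
import hashlib
import math
from collections import defaultdict

# Constructed sample: three records copied in the report's own key:value
# layout (the pattern.svg downloaded/dropped pair and the td_laptop.png).
SAMPLE_RECORDS = """\
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:SVG Scalable Vector Graphics image
Category:downloaded
Size (bytes):231706
Entropy (8bit):4.593328315871064
Encrypted:false
SHA-256:118ADD53487C02AAF5B5AB9F69380FA06717DEB10492E14AAA487E3C62806AD4
URL:https://telegram.org/img/tgme/pattern.svg?1
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:SVG Scalable Vector Graphics image
Category:dropped
Size (bytes):231706
Entropy (8bit):4.593328315871064
Encrypted:false
SHA-256:118ADD53487C02AAF5B5AB9F69380FA06717DEB10492E14AAA487E3C62806AD4
Process:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
File Type:PNG image data, 840 x 487, 8-bit/color RGBA, non-interlaced
Category:downloaded
Size (bytes):189734
Entropy (8bit):7.995418777360924
Encrypted:true
SHA-256:3A1D4890B3E91A01C20C65B75F1AE028E3C445CAD1FD2D249DD0868876DFE4B4
URL:https://desktop.telegram.org/img/td_laptop.png
"""


def parse_records(text):
    """Split the flat dump into one dict per record.

    A new record starts at every 'Process:' line. Values keep everything
    after the first ':' so Windows drive letters and URL schemes survive.
    """
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def link_dropped_to_urls(records):
    """For each 'dropped' record, return the URL(s) of 'downloaded' records
    with the same SHA-256 (the cache copy of a fetched resource)."""
    by_hash = defaultdict(set)
    for r in records:
        if r.get("Category") == "downloaded" and "URL" in r:
            by_hash[r["SHA-256"]].add(r["URL"])
    return {r["SHA-256"]: sorted(by_hash[r["SHA-256"]])
            for r in records if r.get("Category") == "dropped"}


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the scale of the report's
    'Entropy (8bit)' field: 0.0 for a constant stream, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_fingerprint(data, encrypted_threshold=7.9):
    """Recompute MD5/SHA-256/entropy for a blob and apply a threshold-based
    'Encrypted' flag. The threshold is an assumption for illustration.
    Compressed formats (PNG IDAT, WOFF2) reach this range without any
    encryption, so the flag alone is not evidence of a packed payload."""
    ent = shannon_entropy(data)
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "Entropy (8bit)": ent,
        "Encrypted": ent >= encrypted_threshold,
    }


def high_entropy_media(records, threshold=7.9):
    """Records at or above the threshold whose 'File Type' is a compressed
    media format; these are expected to be high-entropy and can be
    deprioritised relative to an unexplained high-entropy blob."""
    media = ("PNG image", "Web Open Font Format", "JPEG")
    return [r for r in records
            if float(r.get("Entropy (8bit)", 0)) >= threshold
            and r.get("File Type", "").startswith(media)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(link_dropped_to_urls(recs))
    print([r["URL"] for r in high_entropy_media(recs)])
    print(file_fingerprint(bytes(range(256)) * 4))
```

To run it against a real report, paste the file records into SAMPLE_RECORDS (or read them from a file) and feed the bytes of an extracted dropped file to file_fingerprint to confirm that the printed hash matches the report before pivoting on it.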
                                                                                                                    No static file info
                                                                                                                    Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                    Target ID:0
                                                                                                                    Start time:20:47:32
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
                                                                                                                    Imagebase:0x7ff715980000
                                                                                                                    File size:3'242'272 bytes
                                                                                                                    MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:false

                                                                                                                    Target ID:2
                                                                                                                    Start time:20:47:35
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                    Imagebase:0x7ff715980000
                                                                                                                    File size:3'242'272 bytes
                                                                                                                    MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:false

                                                                                                                    Target ID:3
                                                                                                                    Start time:20:47:38
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://investors.spotify.com.sg.misteri.us.kg/"
                                                                                                                    Imagebase:0x7ff715980000
                                                                                                                    File size:3'242'272 bytes
                                                                                                                    MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:6
                                                                                                                    Start time:20:48:14
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4200 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                    Imagebase:0x7ff715980000
                                                                                                                    File size:3'242'272 bytes
                                                                                                                    MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:8
                                                                                                                    Start time:20:49:26
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4308 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                    Imagebase:0x7ff715980000
                                                                                                                    File size:3'242'272 bytes
                                                                                                                    MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:9
                                                                                                                    Start time:20:49:31
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Windows\SysWOW64\unarchiver.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip"
                                                                                                                    Imagebase:0xa60000
                                                                                                                    File size:12'800 bytes
                                                                                                                    MD5 hash:16FF3CC6CC330A08EED70CBC1D35F5D2
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:false

                                                                                                                    Target ID:10
                                                                                                                    Start time:20:49:31
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Windows\SysWOW64\7za.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\34yqvajp.yju" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip"
                                                                                                                    Imagebase:0x230000
                                                                                                                    File size:289'792 bytes
                                                                                                                    MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:11
                                                                                                                    Start time:20:49:31
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff6d64d0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:12
                                                                                                                    Start time:20:49:36
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"cmd.exe" /C "C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe"
                                                                                                                    Imagebase:0x790000
                                                                                                                    File size:236'544 bytes
                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:false

                                                                                                                    Target ID:13
                                                                                                                    Start time:20:49:36
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff6d64d0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:false

                                                                                                                    Target ID:14
                                                                                                                    Start time:20:49:37
                                                                                                                    Start date:28/09/2024
                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe
                                                                                                                    Wow64 process (32bit):
                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe
                                                                                                                    Imagebase:
                                                                                                                    File size:162'952'456 bytes
                                                                                                                    MD5 hash:DFAB353168FA4DB6A30FBC9F3599C929
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Antivirus matches:
                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                    Reputation:low
                                                                                                                    Has exited:false

                                                                                                                      APIs
                                                                                                                      • GetSystemInfo.KERNELBASE(?), ref: 0103B208
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: InfoSystem
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 31276548-0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3315251311.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: :@1j$:@1j$\OXj
                                                                                                                      • API String ID: 0-1245103996
                                                                                                                      APIs
                                                                                                                      • DuplicateHandle.KERNELBASE(?,00000E24), ref: 0103B2F3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: DuplicateHandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3793708945-0
                                                                                                                      APIs
                                                                                                                      • DuplicateHandle.KERNELBASE(?,00000E24), ref: 0103ADA7
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: DuplicateHandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3793708945-0
                                                                                                                      APIs
                                                                                                                      • CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0103AC36
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: CreatePipe
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2719314638-0
                                                                                                                      APIs
                                                                                                                      • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0103A67D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFile
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 823142352-0
                                                                                                                      • Opcode ID: 0a8f5cd0e6ccc443fd7d7e33dfe55b50f697a389bce86ced048fce783f330229
                                                                                                                      • Instruction ID: 50767993ec88e5ad3b2ea5e2eebe1818e22c57f6beaddc8a548f123dcb471679
                                                                                                                      • Opcode Fuzzy Hash: 0a8f5cd0e6ccc443fd7d7e33dfe55b50f697a389bce86ced048fce783f330229
                                                                                                                      • Instruction Fuzzy Hash: FE3170B1605340AFE722CF65CC44F62BFE8EF49220F08849EE9858B252D765E409DB71
                                                                                                                      APIs
                                                                                                                      • FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0103A1C2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: FileFindNext
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2029273394-0
                                                                                                                      • Opcode ID: fd4de32be55320e1680ce183740d547cfebcf677605cd1ad01bf653647cf0a5c
                                                                                                                      • Instruction ID: 27b2c31b52e960c92ce8f120fee5f6affd2429d8cd08c9ee54810b68c4f6b523
                                                                                                                      • Opcode Fuzzy Hash: fd4de32be55320e1680ce183740d547cfebcf677605cd1ad01bf653647cf0a5c
                                                                                                                      • Instruction Fuzzy Hash: FA21E27150D3C06FD3128B258C51B62BFB4EF47620F1985CBDD88CF1A3D225A909C7A2
                                                                                                                      APIs
                                                                                                                      • DuplicateHandle.KERNELBASE(?,00000E24), ref: 0103ADA7
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: DuplicateHandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3793708945-0
                                                                                                                      • Opcode ID: 577669e19f5a6ad57c0fbfe72d97368d837a4b5f16882453975fc19fca5681c1
                                                                                                                      • Instruction ID: fb045412140c55a8b5837f86c0b54076aad7e11c3b6322d4d9d0a4094553493d
                                                                                                                      • Opcode Fuzzy Hash: 577669e19f5a6ad57c0fbfe72d97368d837a4b5f16882453975fc19fca5681c1
                                                                                                                      • Instruction Fuzzy Hash: 7421B571500204AFEB219F54DC48F6BFBECEF04224F18885EE986CB552DB70E5058BB1
                                                                                                                      APIs
                                                                                                                      • RegQueryValueExW.KERNELBASE(?,00000E24,7A57C4C2,00000000,00000000,00000000,00000000), ref: 0103A40C
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: QueryValue
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3660427363-0
                                                                                                                      • Opcode ID: 70c0086fdb4a1f52cd25eae5cc2bd9825012a21b68254271914cfa035b4e626d
                                                                                                                      • Instruction ID: 4e4214c4eae32731223db2c28ea2320cd0c6bb3e167e79b32f30abdb1593149c
                                                                                                                      • Opcode Fuzzy Hash: 70c0086fdb4a1f52cd25eae5cc2bd9825012a21b68254271914cfa035b4e626d
                                                                                                                      • Instruction Fuzzy Hash: 7E217CB6604740AFE721CF15CC84FA2BBFCEF45610F08849AE985CB292D764E909CB71
                                                                                                                      APIs
                                                                                                                      • DuplicateHandle.KERNELBASE(?,00000E24), ref: 0103B2F3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: DuplicateHandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3793708945-0
                                                                                                                      • Opcode ID: a00e63934586efc899623afb85628b56c3ef4b79dce763d9f4ed3af52c234264
                                                                                                                      • Instruction ID: 7f030227b3bbb75f66c216020874d908638e8a1563c22c23464f3a4065910c2d
                                                                                                                      • Opcode Fuzzy Hash: a00e63934586efc899623afb85628b56c3ef4b79dce763d9f4ed3af52c234264
                                                                                                                      • Instruction Fuzzy Hash: 71219272500204AFEB219F65DC44F6AFBECEF44224F18896EE9458A152DB70E5048BB1
                                                                                                                      APIs
                                                                                                                      • SetFilePointer.KERNELBASE(?,00000E24,7A57C4C2,00000000,00000000,00000000,00000000), ref: 0103A8DE
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: FilePointer
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 973152223-0
                                                                                                                      • Opcode ID: b6d18cd8a91e060228703a2daf80bf4339cd52ac3d35b923211e583fdf40dcd6
                                                                                                                      • Instruction ID: 70feb57535d2f27b1478b15b833ae3d3fc1bd87b3128f26cd4d06c1b29bc1f71
                                                                                                                      • Opcode Fuzzy Hash: b6d18cd8a91e060228703a2daf80bf4339cd52ac3d35b923211e583fdf40dcd6
                                                                                                                      • Instruction Fuzzy Hash: CA21A1B1508380AFE7228B64DC44F62BFB8EF46724F1984DAE985DF153C265A909CB71
                                                                                                                      APIs
                                                                                                                      • ReadFile.KERNELBASE(?,00000E24,7A57C4C2,00000000,00000000,00000000,00000000), ref: 0103A9C1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: FileRead
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2738559852-0
                                                                                                                      • Opcode ID: da7bd911d4a297e5b079af90ae7a0f3dcd0c8ccfaade70179631ca7efafefe4a
                                                                                                                      • Instruction ID: 794cdd43c8461980464ab18bbacfcad98177d510bb6633edda061060d588e472
                                                                                                                      • Opcode Fuzzy Hash: da7bd911d4a297e5b079af90ae7a0f3dcd0c8ccfaade70179631ca7efafefe4a
                                                                                                                      • Instruction Fuzzy Hash: 32219C71509380AFDB22CF65CC44B96BFB8EF46314F18859AE9859B162C365A409CBB2
                                                                                                                      APIs
                                                                                                                      • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0103A67D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFile
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 823142352-0
                                                                                                                      • Opcode ID: cf10f907f970fa002f92d60287956a6469710d1fc3916a9493e16d22fd814fe4
                                                                                                                      • Instruction ID: ddce3090a77698dc89c78b6ab44a1844ad5da1b9f921ccfd40efdcdccd980de4
                                                                                                                      • Opcode Fuzzy Hash: cf10f907f970fa002f92d60287956a6469710d1fc3916a9493e16d22fd814fe4
                                                                                                                      • Instruction Fuzzy Hash: CC218EB1604200AFEB21CF65DD85F66FBE8EF48224F18856DE98ACB252D771E404CB71
                                                                                                                      APIs
                                                                                                                      • GetFileType.KERNELBASE(?,00000E24,7A57C4C2,00000000,00000000,00000000,00000000), ref: 0103A815
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: FileType
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3081899298-0
                                                                                                                      • Opcode ID: 735c153303279fb3be1a8e76a6fc27dfec7cb5129b62e159779980b38a55ed91
                                                                                                                      • Instruction ID: 183c4e27ca6e69d2a74602a8d2e4c897ba5dfe732dd3d370362fec5e5f0d3840
                                                                                                                      • Opcode Fuzzy Hash: 735c153303279fb3be1a8e76a6fc27dfec7cb5129b62e159779980b38a55ed91
                                                                                                                      • Instruction Fuzzy Hash: D021D5B55083806FE7128B11DC44BA2BFBCEF46324F1980DAE9858B193D664A909D771
                                                                                                                      APIs
                                                                                                                      • CreateDirectoryW.KERNELBASE(?,?), ref: 0103AA8B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateDirectory
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4241100979-0
                                                                                                                      • Opcode ID: 963d2b4270718b2d8a3a30353b09c455a93c74d8ced0bc02765f3110de753672
                                                                                                                      • Instruction ID: 57813c7efc46558559fa1e7e86c87068a571402f00fc74d2b8303f3cd10c0e69
                                                                                                                      • Opcode Fuzzy Hash: 963d2b4270718b2d8a3a30353b09c455a93c74d8ced0bc02765f3110de753672
                                                                                                                      • Instruction Fuzzy Hash: 8C21A1726087809FD712CB29DC55B92BFE8AF46324F0D84EAE984CB153D325D905CB61
                                                                                                                      APIs
                                                                                                                      • RegQueryValueExW.KERNELBASE(?,00000E24,7A57C4C2,00000000,00000000,00000000,00000000), ref: 0103A40C
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: QueryValue
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3660427363-0
                                                                                                                      • Opcode ID: 11951ab8b94d9762a761ffade6b35bab2cee952698dafaf162d86c0d45b2f06b
                                                                                                                      • Instruction ID: b29f9640c234d057237f8ecf4e694ec87c91226421c24663fdc8db90b51bf15b
                                                                                                                      • Opcode Fuzzy Hash: 11951ab8b94d9762a761ffade6b35bab2cee952698dafaf162d86c0d45b2f06b
                                                                                                                      • Instruction Fuzzy Hash: 122190B56006049FE721CF15CC88F66FBECEF84710F18C59AE986CB252DB64E905CA71
                                                                                                                      APIs
                                                                                                                      • ReadFile.KERNELBASE(?,00000E24,7A57C4C2,00000000,00000000,00000000,00000000), ref: 0103A9C1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: FileRead
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2738559852-0
                                                                                                                      • Opcode ID: fda0815968f76c43d505b47f9b4ed679058198eb367666e3eac0ea5b0e70ea37
                                                                                                                      • Instruction ID: b6ce16227250a5a809e06d24449eb1595dfc3e5dcd680be342ca49c78b3cf42d
                                                                                                                      • Opcode Fuzzy Hash: fda0815968f76c43d505b47f9b4ed679058198eb367666e3eac0ea5b0e70ea37
                                                                                                                      • Instruction Fuzzy Hash: 7011BF72600200AFEB21CF55DC84B6AFBE8EF44324F18855EE98A9B252C775A444CBB1
                                                                                                                      APIs
                                                                                                                      • SetFilePointer.KERNELBASE(?,00000E24,7A57C4C2,00000000,00000000,00000000,00000000), ref: 0103A8DE
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: FilePointer
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 973152223-0
                                                                                                                      • Opcode ID: b5128397b96236c764ea0f66574c23155491c23d39f5f366ec244a8f2d2a8da0
                                                                                                                      • Instruction ID: 496d6c316281f7b076186c3971e3c0dec70a7962b22869241f01c944af41a911
                                                                                                                      • Opcode Fuzzy Hash: b5128397b96236c764ea0f66574c23155491c23d39f5f366ec244a8f2d2a8da0
                                                                                                                      • Instruction Fuzzy Hash: 2911C471604204AFEB21CF54DC84B66FBECEF44724F18845AED899B152C774A5048BB1
                                                                                                                      APIs
                                                                                                                      • SetErrorMode.KERNELBASE(?), ref: 0103A30C
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2340568224-0
                                                                                                                      • Opcode ID: 7cb4f5dbedda2e623cb400de2ce8883efcf1978f37e745aeafb1031d0c317423
                                                                                                                      • Instruction ID: 2e33672060c46d5fe6f22dec65cbd50e155f973b2834aee923f79368ac7d57af
                                                                                                                      • Opcode Fuzzy Hash: 7cb4f5dbedda2e623cb400de2ce8883efcf1978f37e745aeafb1031d0c317423
                                                                                                                      • Instruction Fuzzy Hash: DA1151755093C09FDB228B25DC94A52BFB4DF47220F0981DBEDC58F163D265A909CB72
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseFind
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1863332320-0
                                                                                                                      • Opcode ID: 3a387cc9ec7cecff6155697bb624ce538b23e3da495e1a02ebf622dc21559c1a
                                                                                                                      • Instruction ID: 0e8ab3d124909b4be61ae1d04f41813ac674fc3c1204ad76d5d136214e00f023
                                                                                                                      • Opcode Fuzzy Hash: 3a387cc9ec7cecff6155697bb624ce538b23e3da495e1a02ebf622dc21559c1a
                                                                                                                      • Instruction Fuzzy Hash: BA1170755093C09FD7128B29DC85A52FFF8EF46320F0984DAED858B263D265A848DB61
                                                                                                                      APIs
                                                                                                                      • GetSystemInfo.KERNELBASE(?), ref: 0103B208
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID: InfoSystem
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 31276548-0
                                                                                                                      • Opcode ID: 6715eba7d5fd4c7f258ceb8e9b819047a2fb36f6fe52389ff0a73e717db69266
                                                                                                                      • Instruction ID: 5198f6545827d4e78143a58147a6298f59e640a69769d7fd17844561ae5390d7
                                                                                                                      • Opcode Fuzzy Hash: 6715eba7d5fd4c7f258ceb8e9b819047a2fb36f6fe52389ff0a73e717db69266
                                                                                                                      • Instruction Fuzzy Hash: 711170755093809FDB12CF15DC84B56FFB8DF46224F0885DAED898F253D275A908CB62
APIs
• GetFileType.KERNELBASE(?,00000E24,7A57C4C2,00000000,00000000,00000000,00000000), ref: 0103A815
Memory Dump Source
• Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
APIs
• CreateDirectoryW.KERNELBASE(?,?), ref: 0103AA8B
Memory Dump Source
• Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
APIs
• CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 0103AC36
Memory Dump Source
• Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
Similarity
• API ID: CreatePipe
• String ID:
• API String ID: 2719314638-0
APIs
• FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 0103A1C2
Memory Dump Source
• Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
Similarity
• API ID: FileFindNext
• String ID:
• API String ID: 2029273394-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
• SetErrorMode.KERNELBASE(?), ref: 0103A30C
Memory Dump Source
• Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
Strings
Memory Dump Source
• Source File: 00000009.00000002.3315251311.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
Similarity
• API ID:
• String ID: [M"
• API String ID: 0-3674321035
Strings
Memory Dump Source
• Source File: 00000009.00000002.3315251311.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
Similarity
• API ID:
• String ID: [M"
• API String ID: 0-3674321035
APIs
• CloseHandle.KERNELBASE(?), ref: 0103A748
Memory Dump Source
• Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• CloseHandle.KERNELBASE(?), ref: 0103A748
Memory Dump Source
• Source File: 00000009.00000002.3314346653.000000000103A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103A000, based on PE: false
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9f6352f877429da57b52f2f2d04a9d63bdb5efd7aec4c5b49f9b40fd25d8fa34
                                                                                                                      • Instruction ID: 6eb16392bb76dd7ab059ca4bcc4cc3c339f8a10870b385317de5ac9112b2c965
                                                                                                                      • Opcode Fuzzy Hash: 9f6352f877429da57b52f2f2d04a9d63bdb5efd7aec4c5b49f9b40fd25d8fa34
                                                                                                                      • Instruction Fuzzy Hash: 50D01231F002186B8B44DBB9984855F7FEA9FC5154B56447DD009D7341EF35DC4187D0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3315251311.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f5dca9672465127fc30a335ca8e3117fee3b3351b699ee4816d9517a5e28ecbd
                                                                                                                      • Instruction ID: c284c521e8121a2cc18d22a2898aaa775fa3ced059734fab885d3335b4f794e0
                                                                                                                      • Opcode Fuzzy Hash: f5dca9672465127fc30a335ca8e3117fee3b3351b699ee4816d9517a5e28ecbd
                                                                                                                      • Instruction Fuzzy Hash: 46E02B302493404FC703573898549B63F616FD2104F8A80D5E404CF693D639DF8AD3D5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314305030.0000000001032000.00000040.00000800.00020000.00000000.sdmp, Offset: 01032000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3da6cec4f4022392029ab433ee999fe977513e43ad40cfb85514dce416f55de6
                                                                                                                      • Instruction ID: fc392baceb3b4c5f5c9de5527e09a95df5faacd811964d55d1b54d49d39b841f
                                                                                                                      • Opcode Fuzzy Hash: 3da6cec4f4022392029ab433ee999fe977513e43ad40cfb85514dce416f55de6
                                                                                                                      • Instruction Fuzzy Hash: 2DD05E792056814FE3169B1CD2A8B953BE8AB95714F4A44FDE8408B763CB6CE5D1D600
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3314305030.0000000001032000.00000040.00000800.00020000.00000000.sdmp, Offset: 01032000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b0782131e0a936d33c6b46501b80fae5ed8aa8af990359a027bd670870c18e37
                                                                                                                      • Instruction ID: 62bc5c1956077fbc7a4a705c51a241f9ed2a328a5763acfef6f036b70f7d0883
                                                                                                                      • Opcode Fuzzy Hash: b0782131e0a936d33c6b46501b80fae5ed8aa8af990359a027bd670870c18e37
                                                                                                                      • Instruction Fuzzy Hash: FAD05E352402814BD715EA0CD2D8F5977D8AB80B15F1A84ECAC508B262C7A8D8C0CA00
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000009.00000002.3315251311.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 859d83c071543f1286470bfa38177a0c5e7f88575dec640ed7615b5927c21bcb
                                                                                                                      • Instruction ID: 348f616d1d4d2c88ca3ddc277894324eb610a29c90c2deaee426cbbf56292526
                                                                                                                      • Opcode Fuzzy Hash: 859d83c071543f1286470bfa38177a0c5e7f88575dec640ed7615b5927c21bcb
                                                                                                                      • Instruction Fuzzy Hash: 1CC012343103048BD7049779D818E3677966BD0604F45C064E5094B251DB74EC84D6C8