pandastealer | 57e399eee8e7310f54c728235115e9cf4cf84cd42095b9267620fe6af49e5ba8

Analysis

max time kernel
692s
max time network
896s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
27-02-2022 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

telegram_soft/telegram_soft.exe
Size

68.6MB
MD5

ee1154642153932ed0427aa0273f0edc
SHA1

16b0a829d4e1ecaf04c8d7b4c2c7ba9fa40007f1
SHA256

a1e2802eb55f371138e0e43d8062a3098ffff5058593fb566360971d49810e2e
SHA512

16e3329d52dcbe3eccfae8f38efa5e8627defebfb700223524e2205b98056c71b34c31d23db8a98449f3d558337ad994702fe999a81e286eafb7ae75a4a059f7

Score

10^/10

pandastealer evasion stealer themida trojan

Malware Config

Signatures

Panda Stealer Payload 9 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4560-213-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/4560-214-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/4560-216-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/4480-218-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/4480-219-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/4480-220-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/1412-222-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/1412-223-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/1412-224-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 16 IoCs

Processes:

unis000.exeunis000.exeupdate.exeupdate.exetelegram_soft.exetelegram_soft.exeunis000.exeunis000.exetelegram_soft.exetelegram_soft.exeunis000.exeunis000.exetelegram_soft.exetelegram_soft.exeunis000.exeunis000.exe

pid	process
2988	unis000.exe
3732	unis000.exe
536	update.exe
2132	update.exe
3536	telegram_soft.exe
4000	telegram_soft.exe
3068	unis000.exe
3404	unis000.exe
4664	telegram_soft.exe
4728	telegram_soft.exe
4780	unis000.exe
4796	unis000.exe
4436	telegram_soft.exe
4756	telegram_soft.exe
4896	unis000.exe
4868	unis000.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

telegram_soft.exeActivator.exetelegram_soft.exetelegram_soft.exeActivator.exeActivator.exetelegram_soft.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Activator.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

unis000.exeupdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	unis000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	update.exe

Loads dropped DLL 64 IoCs

Processes:

telegram_soft.exetelegram_soft.exe

pid	process
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe

Themida packer 24 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral4/memory/380-134-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/380-135-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/380-136-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/2168-137-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/2168-138-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/2168-139-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/3784-204-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/3784-205-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/3784-206-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/544-207-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/544-208-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/544-209-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/4560-212-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4560-213-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4560-214-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4560-216-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4480-217-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4480-218-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4480-219-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4480-220-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/1412-221-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/1412-222-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/1412-223-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/1412-224-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

telegram_soft.exetelegram_soft.exetelegram_soft.exetelegram_soft.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	telegram_soft.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

telegram_soft.exetelegram_soft.exetelegram_soft.exetelegram_soft.exeunis000.exeupdate.exetelegram_soft.exeunis000.exeActivator.exetelegram_soft.exeunis000.exeActivator.exeActivator.exetelegram_soft.exeunis000.exe

pid	process
380	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
3784	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
3732	unis000.exe
2132	update.exe
4000	telegram_soft.exe
3404	unis000.exe
4560	Activator.exe
4728	telegram_soft.exe
4796	unis000.exe
4480	Activator.exe
1412	Activator.exe
4756	telegram_soft.exe
4868	unis000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "231"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 3 IoCs

Processes:

ShellExperienceHost.exetaskmgr.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	taskmgr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPMODEL\DEPLOYMENT\PACKAGE\*\S-1-5-21-790714498-1549421491-1643397139-1000\{ADE54141-8A50-4CEF-9D2D-2234C553C514}	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

unis000.exeupdate.exetelegram_soft.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeActivator.exechrome.exechrome.exechrome.exeActivator.exetaskmgr.exe

pid	process
3732	unis000.exe
3732	unis000.exe
3732	unis000.exe
3732	unis000.exe
2132	update.exe
2132	update.exe
2132	update.exe
2132	update.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
736	chrome.exe
736	chrome.exe
2092	chrome.exe
2092	chrome.exe
2252	chrome.exe
2252	chrome.exe
2116	chrome.exe
2116	chrome.exe
4336	chrome.exe
4336	chrome.exe
4384	chrome.exe
4384	chrome.exe
4560	Activator.exe
4560	Activator.exe
4028	chrome.exe
4028	chrome.exe
4268	chrome.exe
4268	chrome.exe
3508	chrome.exe
3508	chrome.exe
4480	Activator.exe
4480	Activator.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1320 taskmgr.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
668

pid	process
1320	taskmgr.exe

pid
4
4
4
4
4
668

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

telegram_soft.exetelegram_soft.exeunis000.exeupdate.exetelegram_soft.exeunis000.exeWMIC.exeWMIC.exe

description	pid	process
Token: 35	2168	telegram_soft.exe
Token: 35	544	telegram_soft.exe
Token: 35	3732	unis000.exe
Token: SeDebugPrivilege	3732	unis000.exe
Token: 35	2132	update.exe
Token: SeDebugPrivilege	2132	update.exe
Token: 35	4000	telegram_soft.exe
Token: SeDebugPrivilege	4000	telegram_soft.exe
Token: SeDebugPrivilege	3404	unis000.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: 36	2180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: 36	2180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3988	WMIC.exe
Token: SeSecurityPrivilege	3988	WMIC.exe
Token: SeTakeOwnershipPrivilege	3988	WMIC.exe
Token: SeLoadDriverPrivilege	3988	WMIC.exe
Token: SeSystemProfilePrivilege	3988	WMIC.exe
Token: SeSystemtimePrivilege	3988	WMIC.exe
Token: SeProfSingleProcessPrivilege	3988	WMIC.exe
Token: SeIncBasePriorityPrivilege	3988	WMIC.exe
Token: SeCreatePagefilePrivilege	3988	WMIC.exe
Token: SeBackupPrivilege	3988	WMIC.exe
Token: SeRestorePrivilege	3988	WMIC.exe
Token: SeShutdownPrivilege	3988	WMIC.exe
Token: SeDebugPrivilege	3988	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exechrome.exetaskmgr.exe

pid	process
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exetaskmgr.exe

pid	process
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ShellExperienceHost.exeLogonUI.exe

pid process

3764 ShellExperienceHost.exe
3764 ShellExperienceHost.exe
4692 LogonUI.exe

pid	process
3764	ShellExperienceHost.exe
3764	ShellExperienceHost.exe
4692	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

telegram_soft.exetelegram_soft.exetelegram_soft.execmd.exeunis000.exeunis000.exeupdate.exeupdate.exetelegram_soft.exetelegram_soft.execmd.exeunis000.exeunis000.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 380 wrote to memory of 2168	380	telegram_soft.exe	telegram_soft.exe
PID 380 wrote to memory of 2168	380	telegram_soft.exe	telegram_soft.exe
PID 3784 wrote to memory of 544	3784	telegram_soft.exe	telegram_soft.exe
PID 3784 wrote to memory of 544	3784	telegram_soft.exe	telegram_soft.exe
PID 2168 wrote to memory of 2224	2168	telegram_soft.exe	cmd.exe
PID 2168 wrote to memory of 2224	2168	telegram_soft.exe	cmd.exe
PID 2168 wrote to memory of 3800	2168	telegram_soft.exe	cmd.exe
PID 2168 wrote to memory of 3800	2168	telegram_soft.exe	cmd.exe
PID 3800 wrote to memory of 2988	3800	cmd.exe	unis000.exe
PID 3800 wrote to memory of 2988	3800	cmd.exe	unis000.exe
PID 2988 wrote to memory of 3732	2988	unis000.exe	unis000.exe
PID 2988 wrote to memory of 3732	2988	unis000.exe	unis000.exe
PID 3732 wrote to memory of 536	3732	unis000.exe	update.exe
PID 3732 wrote to memory of 536	3732	unis000.exe	update.exe
PID 3732 wrote to memory of 204	3732	unis000.exe	telegram_soft.exe
PID 3732 wrote to memory of 204	3732	unis000.exe	telegram_soft.exe
PID 536 wrote to memory of 2132	536	update.exe	update.exe
PID 536 wrote to memory of 2132	536	update.exe	update.exe
PID 2132 wrote to memory of 3536	2132	update.exe	telegram_soft.exe
PID 2132 wrote to memory of 3536	2132	update.exe	telegram_soft.exe
PID 3536 wrote to memory of 4000	3536	telegram_soft.exe	telegram_soft.exe
PID 3536 wrote to memory of 4000	3536	telegram_soft.exe	telegram_soft.exe
PID 4000 wrote to memory of 2844	4000	telegram_soft.exe	cmd.exe
PID 4000 wrote to memory of 2844	4000	telegram_soft.exe	cmd.exe
PID 4000 wrote to memory of 1244	4000	telegram_soft.exe	cmd.exe
PID 4000 wrote to memory of 1244	4000	telegram_soft.exe	cmd.exe
PID 1244 wrote to memory of 3068	1244	cmd.exe	unis000.exe
PID 1244 wrote to memory of 3068	1244	cmd.exe	unis000.exe
PID 3068 wrote to memory of 3404	3068	unis000.exe	unis000.exe
PID 3068 wrote to memory of 3404	3068	unis000.exe	unis000.exe
PID 3404 wrote to memory of 2688	3404	unis000.exe	cmd.exe
PID 3404 wrote to memory of 2688	3404	unis000.exe	cmd.exe
PID 3404 wrote to memory of 3012	3404	unis000.exe	cmd.exe
PID 3404 wrote to memory of 3012	3404	unis000.exe	cmd.exe
PID 3012 wrote to memory of 2180	3012	cmd.exe	WMIC.exe
PID 3012 wrote to memory of 2180	3012	cmd.exe	WMIC.exe
PID 3404 wrote to memory of 1272	3404	unis000.exe	cmd.exe
PID 3404 wrote to memory of 1272	3404	unis000.exe	cmd.exe
PID 1272 wrote to memory of 3988	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 3988	1272	cmd.exe	WMIC.exe
PID 3404 wrote to memory of 3644	3404	unis000.exe	cmd.exe
PID 3404 wrote to memory of 3644	3404	unis000.exe	cmd.exe
PID 3644 wrote to memory of 4072	3644	cmd.exe	WMIC.exe
PID 3644 wrote to memory of 4072	3644	cmd.exe	WMIC.exe
PID 3404 wrote to memory of 3368	3404	unis000.exe	cmd.exe
PID 3404 wrote to memory of 3368	3404	unis000.exe	cmd.exe
PID 3368 wrote to memory of 3560	3368	cmd.exe	WMIC.exe
PID 3368 wrote to memory of 3560	3368	cmd.exe	WMIC.exe
PID 3404 wrote to memory of 2604	3404	unis000.exe	cmd.exe
PID 3404 wrote to memory of 2604	3404	unis000.exe	cmd.exe
PID 2604 wrote to memory of 1220	2604	cmd.exe	WMIC.exe
PID 2604 wrote to memory of 1220	2604	cmd.exe	WMIC.exe
PID 3404 wrote to memory of 3856	3404	unis000.exe	cmd.exe
PID 3404 wrote to memory of 3856	3404	unis000.exe	cmd.exe
PID 3856 wrote to memory of 3832	3856	cmd.exe	WMIC.exe
PID 3856 wrote to memory of 3832	3856	cmd.exe	WMIC.exe
PID 3404 wrote to memory of 652	3404	unis000.exe	cmd.exe
PID 3404 wrote to memory of 652	3404	unis000.exe	cmd.exe
PID 652 wrote to memory of 688	652	cmd.exe	WMIC.exe
PID 652 wrote to memory of 688	652	cmd.exe	WMIC.exe
PID 3404 wrote to memory of 3572	3404	unis000.exe	cmd.exe
PID 3404 wrote to memory of 3572	3404	unis000.exe	cmd.exe
PID 3572 wrote to memory of 3980	3572	cmd.exe	WMIC.exe
PID 3572 wrote to memory of 3980	3572	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
2⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unis000.exe -checked
3⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
unis000.exe -checked
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
unis000.exe -checked
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\telegram_soft\update.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\update.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\telegram_soft\update.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\update.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
9⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
10⤵
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unis000.exe -checked
10⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
unis000.exe -checked
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
unis000.exe -checked
12⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
13⤵
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
13⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
14⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
13⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
14⤵
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
13⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\System32\Wbem\WMIC.exe
wmic BASEBOARD get SerialNumber
14⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId"
13⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get ProcessorId
14⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
13⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\System32\Wbem\WMIC.exe
wmic BASEBOARD get SerialNumber
14⤵
PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get SerialNumber"
13⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\System32\Wbem\WMIC.exe
wmic DISKDRIVE get SerialNumber
14⤵
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get Model"
13⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\System32\Wbem\WMIC.exe
wmic DISKDRIVE get Model
14⤵
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get PNPDeviceID"
13⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\System32\Wbem\WMIC.exe
wmic DISKDRIVE get PNPDeviceID
14⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY hku"
13⤵
PID:1620

C:\Windows\system32\reg.exe
REG QUERY hku
14⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --new-window --disable-http-cache http://localhost:20500/web/login.html
13⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffaffad4f50,0x7ffaffad4f60,0x7ffaffad4f70
14⤵
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
14⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:8
14⤵
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
14⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
14⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
14⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
14⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5136 /prefetch:8
14⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
14⤵
PID:3868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
14⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4388 /prefetch:8
14⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
14⤵
PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:8
14⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
14⤵
PID:1312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
14⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
14⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
14⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
14⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
14⤵
PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
14⤵
- Suspicious behavior: EnumeratesProcesses
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
14⤵
- Suspicious behavior: EnumeratesProcesses
PID:4384

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
6⤵
PID:204

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs
1⤵
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3784

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
2⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
- Modifies registry class
PID:3724

C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
1⤵
- Executes dropped EXE
PID:4664

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unis000.exe -checked
3⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
unis000.exe -checked
4⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
unis000.exe -checked
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:4860

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:4960

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
6⤵
PID:5012

C:\Windows\System32\Wbem\WMIC.exe
wmic BASEBOARD get SerialNumber
7⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId"
6⤵
PID:5060

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get ProcessorId
7⤵
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
6⤵
PID:5108

C:\Windows\System32\Wbem\WMIC.exe
wmic BASEBOARD get SerialNumber
7⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get SerialNumber"
6⤵
PID:2604

C:\Windows\System32\Wbem\WMIC.exe
wmic DISKDRIVE get SerialNumber
7⤵
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get Model"
6⤵
PID:4100

C:\Windows\System32\Wbem\WMIC.exe
wmic DISKDRIVE get Model
7⤵
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get PNPDeviceID"
6⤵
PID:3280

C:\Windows\System32\Wbem\WMIC.exe
wmic DISKDRIVE get PNPDeviceID
7⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY hku"
6⤵
PID:4216

C:\Windows\system32\reg.exe
REG QUERY hku
7⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --new-window --disable-http-cache http://localhost:20500/web/login.html
6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffaff334f50,0x7ffaff334f60,0x7ffaff334f70
7⤵
PID:4080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
7⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
7⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2064 /prefetch:8
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
7⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
7⤵
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
7⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1320

C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1412

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
1⤵
- Executes dropped EXE
PID:4436

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c unis000.exe -checked
3⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
unis000.exe -checked
4⤵
- Executes dropped EXE
PID:4896

C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
unis000.exe -checked
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:4964

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:5064

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
6⤵
PID:3572

C:\Windows\System32\Wbem\WMIC.exe
wmic BASEBOARD get SerialNumber
7⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId"
6⤵
PID:1720

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get ProcessorId
7⤵
PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
6⤵
PID:780

C:\Windows\System32\Wbem\WMIC.exe
wmic BASEBOARD get SerialNumber
7⤵
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get SerialNumber"
6⤵
PID:816

C:\Windows\System32\Wbem\WMIC.exe
wmic DISKDRIVE get SerialNumber
7⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get Model"
6⤵
PID:4204

C:\Windows\System32\Wbem\WMIC.exe
wmic DISKDRIVE get Model
7⤵
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get PNPDeviceID"
6⤵
PID:2992

C:\Windows\System32\Wbem\WMIC.exe
wmic DISKDRIVE get PNPDeviceID
7⤵
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY hku"
6⤵
PID:1192

C:\Windows\system32\reg.exe
REG QUERY hku
7⤵
PID:3508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --new-window --disable-http-cache http://localhost:20500/web/login.html
6⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x94,0x7ffafded4f50,0x7ffafded4f60,0x7ffafded4f70
7⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2004 /prefetch:8
7⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
7⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8
7⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
7⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
7⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
7⤵
PID:2908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
7⤵
PID:536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
7⤵
PID:4808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ca855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_Salsa20.cp37-win_amd64.pyd
MD5
346613b7b5476bc5e0f2052337096745

SHA1
30d6f7dbeaca01e4b68c62441fcd7e96e5e3c318

SHA256
8e321257df73855dd2c676211bc701417615036486d86c26a2d534eb3d012cc2

SHA512
15923a468a68f89de1e023e788d0a5ce924cde0211d31a1d0244b01b938634988ea1cae677c8c0f0b7fbf60ea80bcfa0998869a5b5a4111ac641c9365b73c8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_Salsa20.cp37-win_amd64.pyd
MD5
346613b7b5476bc5e0f2052337096745

SHA1
30d6f7dbeaca01e4b68c62441fcd7e96e5e3c318

SHA256
8e321257df73855dd2c676211bc701417615036486d86c26a2d534eb3d012cc2

SHA512
15923a468a68f89de1e023e788d0a5ce924cde0211d31a1d0244b01b938634988ea1cae677c8c0f0b7fbf60ea80bcfa0998869a5b5a4111ac641c9365b73c8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_raw_cbc.cp37-win_amd64.pyd
MD5
975677038380fe2055348ef1cfead173

SHA1
fc13d734e4a762692b4763b0bb69f54f65961baa

SHA256
183c2b948acfee01ee53acdbcfd5ea1161819dd91e26a711f6bcae54ea4f1d68

SHA512
a84a1a1babc5e29fe3b3b52da550506b4a51d9974c044cae977d22082b9293f72c55339b936b4b01e13ac7f482fd15bac20129ed008421e00270275970548447

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_raw_cbc.cp37-win_amd64.pyd
MD5
975677038380fe2055348ef1cfead173

SHA1
fc13d734e4a762692b4763b0bb69f54f65961baa

SHA256
183c2b948acfee01ee53acdbcfd5ea1161819dd91e26a711f6bcae54ea4f1d68

SHA512
a84a1a1babc5e29fe3b3b52da550506b4a51d9974c044cae977d22082b9293f72c55339b936b4b01e13ac7f482fd15bac20129ed008421e00270275970548447

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_raw_cfb.cp37-win_amd64.pyd
MD5
eaeb30f73165bef13c17703e524ba4e7

SHA1
375396d0d6287739a78d192b6c99f63adb850621

SHA256
37dceb92e4712f70725b79309e1b3313c9a6fe4f0129eb873ec283f8a4fc966a

SHA512
6a8997a2bd80c62cee369636b8e33130ab983b5a58211901312624d961fd8c2630eee10df7891bc87bfc51c85e6fae3eec1e7537c35859604db754084bfcf226

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_raw_cfb.cp37-win_amd64.pyd
MD5
eaeb30f73165bef13c17703e524ba4e7

SHA1
375396d0d6287739a78d192b6c99f63adb850621

SHA256
37dceb92e4712f70725b79309e1b3313c9a6fe4f0129eb873ec283f8a4fc966a

SHA512
6a8997a2bd80c62cee369636b8e33130ab983b5a58211901312624d961fd8c2630eee10df7891bc87bfc51c85e6fae3eec1e7537c35859604db754084bfcf226

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_raw_ctr.cp37-win_amd64.pyd
MD5
9c4f7079923415405bdc57170343d276

SHA1
a7c5fc789c34717efdf18afd6ad80aa638285a3e

SHA256
0a3d953bbecd62553ec35ccd2b5e97e54849171ae3bec86361f18e5641f51cb4

SHA512
fe950abae14646fcafa417395361cbeda0b9f939fc5a8cc9610791ffc7d37d6ea3f0ccb59d3b541afdf2cfea5477b612ca2881bce2aec011165c521c6ae4570b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_raw_ctr.cp37-win_amd64.pyd
MD5
9c4f7079923415405bdc57170343d276

SHA1
a7c5fc789c34717efdf18afd6ad80aa638285a3e

SHA256
0a3d953bbecd62553ec35ccd2b5e97e54849171ae3bec86361f18e5641f51cb4

SHA512
fe950abae14646fcafa417395361cbeda0b9f939fc5a8cc9610791ffc7d37d6ea3f0ccb59d3b541afdf2cfea5477b612ca2881bce2aec011165c521c6ae4570b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_raw_ecb.cp37-win_amd64.pyd
MD5
dc7b8a32b583dddd095e4a586790e196

SHA1
899addf5f7160c3e9dcf0b70a277b37f9cfe1a99

SHA256
1e14ce917a8fda673def4e59ec95f3cbebc053adee0f4c1916b6cd580dc5451a

SHA512
04a8cef79f8f644af9daf937c20c1372eea55c747e2e3ebc7511263cc6d803ca5d959f856bcab3d1df8ac98939b2eb66c5ae506418f8317475b566480fe32fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_raw_ecb.cp37-win_amd64.pyd
MD5
dc7b8a32b583dddd095e4a586790e196

SHA1
899addf5f7160c3e9dcf0b70a277b37f9cfe1a99

SHA256
1e14ce917a8fda673def4e59ec95f3cbebc053adee0f4c1916b6cd580dc5451a

SHA512
04a8cef79f8f644af9daf937c20c1372eea55c747e2e3ebc7511263cc6d803ca5d959f856bcab3d1df8ac98939b2eb66c5ae506418f8317475b566480fe32fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_raw_ofb.cp37-win_amd64.pyd
MD5
f61b7704ddc6e8a3cdef746ce273e9b4

SHA1
724ca28ece5e600397b37ca92ab73d8ef28420d1

SHA256
bb04cfa6485c766cc980b317c4bc6afa776b9fb2f550cd24d4d31091942aa579

SHA512
56b1f4f6aa275303afdd1ec292f4f5908bb2eae0d71236cb00ade785c74ea0180f494c78a73269c8a0532e4daa71cd9a5cbebde5db3788d93f343ac7f53bcae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Cipher\_raw_ofb.cp37-win_amd64.pyd
MD5
f61b7704ddc6e8a3cdef746ce273e9b4

SHA1
724ca28ece5e600397b37ca92ab73d8ef28420d1

SHA256
bb04cfa6485c766cc980b317c4bc6afa776b9fb2f550cd24d4d31091942aa579

SHA512
56b1f4f6aa275303afdd1ec292f4f5908bb2eae0d71236cb00ade785c74ea0180f494c78a73269c8a0532e4daa71cd9a5cbebde5db3788d93f343ac7f53bcae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Hash\_BLAKE2s.cp37-win_amd64.pyd
MD5
80bcd0e98ccd489062d84d9fac968bdb

SHA1
4754c9ec593ff821c9249053eb5e257ccc6dc630

SHA256
4fbdf3c3057e8eef60fa7382be1c303db96c06d3d846723ce19a5982d92d0179

SHA512
f82a856bf72c3bd9906992d0733e4b0e6ec6d183e7557f431e2d8ed6f5a058f7ad1e7a9f4abf787f40bda800757dc03a64454df3183a1626096e78e85a0c6ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Hash\_BLAKE2s.cp37-win_amd64.pyd
MD5
80bcd0e98ccd489062d84d9fac968bdb

SHA1
4754c9ec593ff821c9249053eb5e257ccc6dc630

SHA256
4fbdf3c3057e8eef60fa7382be1c303db96c06d3d846723ce19a5982d92d0179

SHA512
f82a856bf72c3bd9906992d0733e4b0e6ec6d183e7557f431e2d8ed6f5a058f7ad1e7a9f4abf787f40bda800757dc03a64454df3183a1626096e78e85a0c6ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Hash\_MD5.cp37-win_amd64.pyd
MD5
01c4ff8f2c1b7de289412e0b991fc3ea

SHA1
cf61c41da1d0828c585b00f1fe1a5806dfca4abe

SHA256
f65db1b2870dd515a21f0a54c41648e46c084f69397b9e490c851dfbe16a94d1

SHA512
20c5440dc6c2580b65c5554f1613dfc2fef564739f8ab53032806894521ac5459c5b616d2c95a01dbc68177e38079059da8bae033c25379b8a08a6eb9069a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Hash\_MD5.cp37-win_amd64.pyd
MD5
01c4ff8f2c1b7de289412e0b991fc3ea

SHA1
cf61c41da1d0828c585b00f1fe1a5806dfca4abe

SHA256
f65db1b2870dd515a21f0a54c41648e46c084f69397b9e490c851dfbe16a94d1

SHA512
20c5440dc6c2580b65c5554f1613dfc2fef564739f8ab53032806894521ac5459c5b616d2c95a01dbc68177e38079059da8bae033c25379b8a08a6eb9069a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Hash\_SHA1.cp37-win_amd64.pyd
MD5
130c190ea34d050d11ddb438aa85ee38

SHA1
608e400fc970d132081149284336f065532f50b2

SHA256
c8b01a857fff18abda746b703376373b5f9b66eec8e4fee124dbd0dfab73cdbb

SHA512
3109d48cb3bea9d061dfe1c22e0795dac12c8d5468fd866286fc9349876843f5650159f41afbb3162ce060ccd258486ddc2622fdd041f1d5c0867ac6577f59d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Hash\_SHA1.cp37-win_amd64.pyd
MD5
130c190ea34d050d11ddb438aa85ee38

SHA1
608e400fc970d132081149284336f065532f50b2

SHA256
c8b01a857fff18abda746b703376373b5f9b66eec8e4fee124dbd0dfab73cdbb

SHA512
3109d48cb3bea9d061dfe1c22e0795dac12c8d5468fd866286fc9349876843f5650159f41afbb3162ce060ccd258486ddc2622fdd041f1d5c0867ac6577f59d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Hash\_SHA256.cp37-win_amd64.pyd
MD5
604980ebcb7a6f094fafbf7fbddb024d

SHA1
0062fe88f899f28df8682be6e7820db51eb7ae50

SHA256
cd7909a8da1136c930daab4b496640f6a23f89c6423e9e1cad829874ff499c6c

SHA512
2fc270a5aca29157d82e0be5be1eb49bf58edeefd8591b72f1a2857a78c2d534dd0b3ddcbf702d3b741170fdd86e5fa901d1028a3cde2e8518fbdbf0f2bbb354

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Hash\_SHA256.cp37-win_amd64.pyd
MD5
604980ebcb7a6f094fafbf7fbddb024d

SHA1
0062fe88f899f28df8682be6e7820db51eb7ae50

SHA256
cd7909a8da1136c930daab4b496640f6a23f89c6423e9e1cad829874ff499c6c

SHA512
2fc270a5aca29157d82e0be5be1eb49bf58edeefd8591b72f1a2857a78c2d534dd0b3ddcbf702d3b741170fdd86e5fa901d1028a3cde2e8518fbdbf0f2bbb354

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Protocol\_scrypt.cp37-win_amd64.pyd
MD5
ce04b6e8504eeb82439db577b45cd064

SHA1
79a6e03f6e4a453497fdc0bd1c8da59992a052e9

SHA256
d51ad472f474f02d03fac74fd7c13b57158227ac685494667cb9f1eb7c0ea313

SHA512
5647e71dcfa00d2dc56b416bf52657207d7009066eed78c5d60c68b54c333e180fa7c1445d15dcf52237a635c7ff050236a883e33de3a6b2b08078ea731c4d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Protocol\_scrypt.cp37-win_amd64.pyd
MD5
ce04b6e8504eeb82439db577b45cd064

SHA1
79a6e03f6e4a453497fdc0bd1c8da59992a052e9

SHA256
d51ad472f474f02d03fac74fd7c13b57158227ac685494667cb9f1eb7c0ea313

SHA512
5647e71dcfa00d2dc56b416bf52657207d7009066eed78c5d60c68b54c333e180fa7c1445d15dcf52237a635c7ff050236a883e33de3a6b2b08078ea731c4d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Util\_cpuid_c.cp37-win_amd64.pyd
MD5
abe63928bac4999e03f2499f0285cbe6

SHA1
c85b49c25bceb3a9089d668af947f60794bec804

SHA256
f86f141433cdbae6eddc1190be1e64ba9c205c65cb5d6af9d513315d0a4ac85d

SHA512
52df415b1b3f05c86a9eb3319f40741cfa97e43f2fbe8263060b776938aadf1ee253de489e286d36b331abce40e0f95bd03f230506a917f94be1b6f691e14945

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Util\_strxor.cp37-win_amd64.pyd
MD5
8b0290798b02b21fb79521c7914b24f7

SHA1
2f7ab160f2bf26734ecffecba69889035e3bd930

SHA256
2c21a97fb28c49b2d92ab0f6e7b3a55a821bc465ddcd4e29558a1d063d9fe5c1

SHA512
9898575c8894599069877bbff9109b28ca624f5bb1ac88a623a5de4fa40a8e02c64dfbb2c142aac1a65ec6b7fa24c7f9399c28083a666e18fd68ea5b2e24a81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\Crypto\Util\_strxor.cp37-win_amd64.pyd
MD5
8b0290798b02b21fb79521c7914b24f7

SHA1
2f7ab160f2bf26734ecffecba69889035e3bd930

SHA256
2c21a97fb28c49b2d92ab0f6e7b3a55a821bc465ddcd4e29558a1d063d9fe5c1

SHA512
9898575c8894599069877bbff9109b28ca624f5bb1ac88a623a5de4fa40a8e02c64dfbb2c142aac1a65ec6b7fa24c7f9399c28083a666e18fd68ea5b2e24a81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\VCRUNTIME140.dll
MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\VCRUNTIME140.dll
MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_bz2.pyd
MD5
92075c2759ac8246953e6fa6323e43fe

SHA1
6818befe630c2656183ea7fe735db159804b7773

SHA256
e7af6119b56ddd47fd0a909710f7163d7ef4822405fc138d24e6ce9de7a5022f

SHA512
7f3a4409859695f53291c96dd487bca2649815bad5f4610c2c6f92777411d39210e293d962573a20dfe73ea15331de7e6c18b017ae1d6f226387eab1fc1f586c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_bz2.pyd
MD5
92075c2759ac8246953e6fa6323e43fe

SHA1
6818befe630c2656183ea7fe735db159804b7773

SHA256
e7af6119b56ddd47fd0a909710f7163d7ef4822405fc138d24e6ce9de7a5022f

SHA512
7f3a4409859695f53291c96dd487bca2649815bad5f4610c2c6f92777411d39210e293d962573a20dfe73ea15331de7e6c18b017ae1d6f226387eab1fc1f586c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_cffi_backend.cp37-win_amd64.pyd
MD5
14f20693bab4313f83cbc6be23a9ce43

SHA1
17e46a13f3d84df3914e7b9d029a7d7a06bd0632

SHA256
da351fa678b4d33a470b17f64cadcac8c4994bdb99154411cd88bd9289289f71

SHA512
08da32cd42437595b16d5502a91b6e651b891a19a6e482357bcde7cffa9853f873c6b178013b1b835fbb1518ca1501d5d8214e5b94e6f17ca814998c31c25d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_cffi_backend.cp37-win_amd64.pyd
MD5
14f20693bab4313f83cbc6be23a9ce43

SHA1
17e46a13f3d84df3914e7b9d029a7d7a06bd0632

SHA256
da351fa678b4d33a470b17f64cadcac8c4994bdb99154411cd88bd9289289f71

SHA512
08da32cd42437595b16d5502a91b6e651b891a19a6e482357bcde7cffa9853f873c6b178013b1b835fbb1518ca1501d5d8214e5b94e6f17ca814998c31c25d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_ctypes.pyd
MD5
2787764fe3056f37c79a3fc79e620172

SHA1
a64d1a047ba644d0588dc4288b74925ed72e6ed4

SHA256
41c593c960f3f89b1e1629c6b7bd6171fe306168f816bef02027332a263de117

SHA512
1dc5bb470be558c643a3f68e23423697384bc547b1192cd398dff640e28f7df85563bc87643cdcde9b8b4f880f272e13a673a018ae251e100bd99790f993afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_ctypes.pyd
MD5
2787764fe3056f37c79a3fc79e620172

SHA1
a64d1a047ba644d0588dc4288b74925ed72e6ed4

SHA256
41c593c960f3f89b1e1629c6b7bd6171fe306168f816bef02027332a263de117

SHA512
1dc5bb470be558c643a3f68e23423697384bc547b1192cd398dff640e28f7df85563bc87643cdcde9b8b4f880f272e13a673a018ae251e100bd99790f993afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_hashlib.pyd
MD5
7808b500fbfb17c968f10ee6d68461df

SHA1
2a8e54037e7d03d20244fefd8247cf218e1d668f

SHA256
e2701f4e4a7556adab7415e448070289ba4fe047227f48c3a049d7c3154aff0b

SHA512
b4239e792141bcf924f61bfd46033934337079b245f423b34820d36c6599ca35ab06bc525acfff4cafa75e31975fcd0409dedd203377d642fc5dc55ec2c1fa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_hashlib.pyd
MD5
7808b500fbfb17c968f10ee6d68461df

SHA1
2a8e54037e7d03d20244fefd8247cf218e1d668f

SHA256
e2701f4e4a7556adab7415e448070289ba4fe047227f48c3a049d7c3154aff0b

SHA512
b4239e792141bcf924f61bfd46033934337079b245f423b34820d36c6599ca35ab06bc525acfff4cafa75e31975fcd0409dedd203377d642fc5dc55ec2c1fa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_lzma.pyd
MD5
ab582419629183e1615b76fc5d2c7704

SHA1
b78ee7e725a417bef50cca47590950e970eae200

SHA256
5a45f7cd517ad396a042bc2767ae73221dc68f934e828a9433249924a371ee5e

SHA512
3f38441dd0b88b486dafaa1e15d07f0ee467a362c1603071a2fa79de770fa061ced25ca790f0d3139f31178c719cc82ac88601262e2a0ca809708dfa3f6f76ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_lzma.pyd
MD5
ab582419629183e1615b76fc5d2c7704

SHA1
b78ee7e725a417bef50cca47590950e970eae200

SHA256
5a45f7cd517ad396a042bc2767ae73221dc68f934e828a9433249924a371ee5e

SHA512
3f38441dd0b88b486dafaa1e15d07f0ee467a362c1603071a2fa79de770fa061ced25ca790f0d3139f31178c719cc82ac88601262e2a0ca809708dfa3f6f76ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_pytransform.dll
MD5
aca15fb5aa27ad468a9538c18f1bcddd

SHA1
c61569354dfbb2b99d31376cff511c066246c257

SHA256
adfcc8961f6fad033c4f70502de0eee6d8c383af242dbb6767289bea8f867839

SHA512
86cb51990b52a108bfa0cd088b8044e4a449b811e26b72e424de3465c49da0da14cbed12c919c19173361fb6010dd29b4c351a4cc5a8da2c06c39e71bc4d2ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_pytransform.dll
MD5
aca15fb5aa27ad468a9538c18f1bcddd

SHA1
c61569354dfbb2b99d31376cff511c066246c257

SHA256
adfcc8961f6fad033c4f70502de0eee6d8c383af242dbb6767289bea8f867839

SHA512
86cb51990b52a108bfa0cd088b8044e4a449b811e26b72e424de3465c49da0da14cbed12c919c19173361fb6010dd29b4c351a4cc5a8da2c06c39e71bc4d2ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_queue.pyd
MD5
a48af48dd880c11673469c1ade525558

SHA1
01e9bbcd7eccaa6d5033544e875c7c20f8812124

SHA256
a98e9f330eeaf40ef516237ab5bc1efac1fc49ed321a128be78dd3fb8733e0a4

SHA512
a535dadb79c1ca10506858226442d1d1fb00e5d6f99afa6b539e2506a6627a7bd624a7ee2bc61f55c974113de80fd7a95e6c18e9402736d32d5099077ca1b913

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_queue.pyd
MD5
a48af48dd880c11673469c1ade525558

SHA1
01e9bbcd7eccaa6d5033544e875c7c20f8812124

SHA256
a98e9f330eeaf40ef516237ab5bc1efac1fc49ed321a128be78dd3fb8733e0a4

SHA512
a535dadb79c1ca10506858226442d1d1fb00e5d6f99afa6b539e2506a6627a7bd624a7ee2bc61f55c974113de80fd7a95e6c18e9402736d32d5099077ca1b913

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_socket.pyd
MD5
10cd16bb63862536570c717ffc453da4

SHA1
b3ef50d7ac4652b5c35f1d86a0130fb43dd5a669

SHA256
e002a1bd6fba44681d557b64d439585dba9820226e1c3da5a62628bbaa930ae3

SHA512
55ee581c4005901661efaf9aad6ea39b2b2e265579539d464d62e4209638567b3b9fdd945d0bed0a1047f977d374a5707a970c621ca289077e2d6c5aeca491b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_socket.pyd
MD5
10cd16bb63862536570c717ffc453da4

SHA1
b3ef50d7ac4652b5c35f1d86a0130fb43dd5a669

SHA256
e002a1bd6fba44681d557b64d439585dba9820226e1c3da5a62628bbaa930ae3

SHA512
55ee581c4005901661efaf9aad6ea39b2b2e265579539d464d62e4209638567b3b9fdd945d0bed0a1047f977d374a5707a970c621ca289077e2d6c5aeca491b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_ssl.pyd
MD5
8b5af5ac31b6bde9023a4adc3e7f0ce1

SHA1
c5d7eaaed9be784227a0854bfb8a983058410a35

SHA256
7040d3712f31b7d11882ce8c907452fa725678b646b900f6868f43ab3e4ddab6

SHA512
499aa2321a2e5492c700513d63cf08fc12d3a430a5e9f5d865279919f6d7b74385b6767bbee63616f84b52d02070b16b2d4c3921163c42864f33e7b5331b1444

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\_ssl.pyd
MD5
8b5af5ac31b6bde9023a4adc3e7f0ce1

SHA1
c5d7eaaed9be784227a0854bfb8a983058410a35

SHA256
7040d3712f31b7d11882ce8c907452fa725678b646b900f6868f43ab3e4ddab6

SHA512
499aa2321a2e5492c700513d63cf08fc12d3a430a5e9f5d865279919f6d7b74385b6767bbee63616f84b52d02070b16b2d4c3921163c42864f33e7b5331b1444

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\base_library.zip
MD5
0c8b544aa139f0c7913c34c09bac3577

SHA1
ef66b610a83d110effcfb32cbe9f1e23a454b1d1

SHA256
7cf809c0c4452751d552bfc34b8f3ef70ad4693071dd95ad700597685319ae4d

SHA512
0b9e00abb5a7bd196496bfe6077784edd88179801c6fefa27f3e35c174257edbee17da64718a91cd99c79abdbf770c526fa1e3fac98acafaa24a8c704068cc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\libcrypto-1_1.dll
MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\libcrypto-1_1.dll
MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\libssl-1_1.dll
MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\libssl-1_1.dll
MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\pyexpat.pyd
MD5
02d615171b805cc573b28e17611f663f

SHA1
2e63b78316b4eae6ee1c25f1f10fbbb84ecef054

SHA256
e60b5cbdf7480db1fc829e05ce45703d43d5ba25fdf7fba21cca1d38b1f3b3a4

SHA512
b61cd3d16d1a192016a50342ae71fee8f764c4c156e275a320f74cc4ec65755c91c022231d09a76b59d6225960f5a930f1887003b1d6984beeb5a9648b045427

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\pyexpat.pyd
MD5
02d615171b805cc573b28e17611f663f

SHA1
2e63b78316b4eae6ee1c25f1f10fbbb84ecef054

SHA256
e60b5cbdf7480db1fc829e05ce45703d43d5ba25fdf7fba21cca1d38b1f3b3a4

SHA512
b61cd3d16d1a192016a50342ae71fee8f764c4c156e275a320f74cc4ec65755c91c022231d09a76b59d6225960f5a930f1887003b1d6984beeb5a9648b045427

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\python37.dll
MD5
c4e99d7375888d873d2478769a8d844c

SHA1
881e42ad9b7da068ee7a6d133484f9d39519ca7e

SHA256
12f26beb439ddf8d56e7544b06a0675d5da6670c02f8f9cede7aad1de71eb116

SHA512
a5b79a919f15cda2c295c8da923ffe5dd30408376e459669e4e376b9d4d504d43671518d7085352bb90c4ce4efc6d81c91ac6cedbdaa896f916d80f7346a695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\python37.dll
MD5
c4e99d7375888d873d2478769a8d844c

SHA1
881e42ad9b7da068ee7a6d133484f9d39519ca7e

SHA256
12f26beb439ddf8d56e7544b06a0675d5da6670c02f8f9cede7aad1de71eb116

SHA512
a5b79a919f15cda2c295c8da923ffe5dd30408376e459669e4e376b9d4d504d43671518d7085352bb90c4ce4efc6d81c91ac6cedbdaa896f916d80f7346a695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\pythoncom37.dll
MD5
59296c90a2eb361dcbef671abad742b5

SHA1
f5558469a56c049cbd8a7e5e15656677a46de7a1

SHA256
4477f2d9c38767cb328a9e92f70d37b670a15e944e8c6064a49a1970bd00617c

SHA512
6b8fb678f640462682a2406e6d6ca2988eba8251098cb108dac09d11ed5972406c0c88e3c3e37b1a03b69f9e54c828f97391911058c1ef0100c2b2223dd1c998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\pythoncom37.dll
MD5
59296c90a2eb361dcbef671abad742b5

SHA1
f5558469a56c049cbd8a7e5e15656677a46de7a1

SHA256
4477f2d9c38767cb328a9e92f70d37b670a15e944e8c6064a49a1970bd00617c

SHA512
6b8fb678f640462682a2406e6d6ca2988eba8251098cb108dac09d11ed5972406c0c88e3c3e37b1a03b69f9e54c828f97391911058c1ef0100c2b2223dd1c998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\pywintypes37.dll
MD5
77b6875977e77c4619bbb471d5eaf790

SHA1
f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade

SHA256
780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6

SHA512
783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\pywintypes37.dll
MD5
77b6875977e77c4619bbb471d5eaf790

SHA1
f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade

SHA256
780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6

SHA512
783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\select.pyd
MD5
39b7c056bca546778690b9922315f9ff

SHA1
5f62169c8de1f72db601d30b37d157478723859b

SHA256
9514b4c40c35396b1952a8acf805e993a3875b37370f44ef36ed33c7151412ef

SHA512
229538131d83299ea90652818c99972c1ee692c070e7fea9599420c99dd8ae75fb2367e9509aad23984fe0a8d21221a59bd57493b5cd1d6c7391c3c55d714e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\select.pyd
MD5
39b7c056bca546778690b9922315f9ff

SHA1
5f62169c8de1f72db601d30b37d157478723859b

SHA256
9514b4c40c35396b1952a8acf805e993a3875b37370f44ef36ed33c7151412ef

SHA512
229538131d83299ea90652818c99972c1ee692c070e7fea9599420c99dd8ae75fb2367e9509aad23984fe0a8d21221a59bd57493b5cd1d6c7391c3c55d714e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\unicodedata.pyd
MD5
d2ab7f9a441bb139feeb0e11eb600371

SHA1
467aeb881fccd4a43a16f319635da81f05279cc6

SHA256
465ab1b24c39a5a5da9415c96740dfdb4d071b25a7a87e275841e1d66a57e88f

SHA512
cf8eaae07c176fab5ca54a3935ec2fd6933e3f2d0ca107bf60f1389f2258865d101685918c7a04802da2a97980747935f1b56b0da3d1db3a1ea282f74db0b6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\unicodedata.pyd
MD5
d2ab7f9a441bb139feeb0e11eb600371

SHA1
467aeb881fccd4a43a16f319635da81f05279cc6

SHA256
465ab1b24c39a5a5da9415c96740dfdb4d071b25a7a87e275841e1d66a57e88f

SHA512
cf8eaae07c176fab5ca54a3935ec2fd6933e3f2d0ca107bf60f1389f2258865d101685918c7a04802da2a97980747935f1b56b0da3d1db3a1ea282f74db0b6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\win32api.pyd
MD5
e14680d97acf0bb1be0910f5646f7aba

SHA1
f727a73469c03e68175d06245a8dd8aebda1f8ae

SHA256
b1ec6335b9bf77829d112b1ac1eb664e7c45fc359e7c8efe86a3a698af4aa715

SHA512
bc323a081169c520d1b4ce391448da74f1f4c0dee54d32f7a51a13c55bb7860629b09dc79fd4cf9b6452fbae131d81dc54cacaf9e598fa4fe0fdfc221636585f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3802\win32api.pyd
MD5
e14680d97acf0bb1be0910f5646f7aba

SHA1
f727a73469c03e68175d06245a8dd8aebda1f8ae

SHA256
b1ec6335b9bf77829d112b1ac1eb664e7c45fc359e7c8efe86a3a698af4aa715

SHA512
bc323a081169c520d1b4ce391448da74f1f4c0dee54d32f7a51a13c55bb7860629b09dc79fd4cf9b6452fbae131d81dc54cacaf9e598fa4fe0fdfc221636585f

Download Submit
memory/380-130-0x00007FFB1F790000-0x00007FFB1F792000-memory.dmp

Filesize
8KB

Download
memory/380-136-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/380-135-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/380-134-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/544-209-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/544-208-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/544-207-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/1412-224-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/1412-221-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/1412-223-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/1412-222-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/2168-137-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/2168-138-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/2168-139-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/3784-205-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/3784-206-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/3784-204-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/4480-217-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4480-218-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4480-219-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4480-220-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4560-214-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4560-216-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4560-215-0x00000000770B4000-0x00000000770B6000-memory.dmp

Filesize
8KB

Download
memory/4560-213-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4560-212-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download