36fbd44761d21b9229fe8260f047a3fd4901c3155818b3089f7bf03d183f05d4

Resubmissions

22-05-2024 12:32

240522-pqnvyabd99 9

22-05-2024 11:59

240522-n5t5tsfh42 9

Analysis

max time kernel
144s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

19.1MB
MD5

34f53da9221434c6348b043bfe5804f2
SHA1

accd7e559edd2bf8841c643e7dc2ef4c3568c8bc
SHA256

36fbd44761d21b9229fe8260f047a3fd4901c3155818b3089f7bf03d183f05d4
SHA512

f8b60f8230b72035eaeb1a1e051b945e2fc2f8323c25a40327b58a14101d134e3fbca0a2940e01955486d3df81cd5f6c8da366382742321e1874f21c850ac8ea
SSDEEP

393216:aI6OdCYRTAGc54PLHn71KPwhuSpbV2AYZxSn1UwOdjVhPoIx4r6B:qmL9AGc54PLJb0Ib4AYZ61N2jX4r6B

Score

9^/10

discovery evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

TelegramExpert.exeunis.exeunis.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TelegramExpert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unis.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unis.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

unis.exeTelegramExpert.exeunis.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TelegramExpert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TelegramExpert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unis.exe

Executes dropped EXE 5 IoCs

Processes:

setup.tmpTelegramExpert.exeTelegramExpert.exeunis.exeunis.exe

pid process

2976 setup.tmp
4216 TelegramExpert.exe
4132 TelegramExpert.exe
4788 unis.exe
1120 unis.exe

Loads dropped DLL 64 IoCs

Processes:

TelegramExpert.exeunis.exe

pid	process
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Program Files (x86)\TelegramExpert\TelegramExpert.exe	themida
behavioral2/memory/4216-66-0x00007FF6A8900000-0x00007FF6A9FAF000-memory.dmp	themida
behavioral2/memory/4216-67-0x00007FF6A8900000-0x00007FF6A9FAF000-memory.dmp	themida
behavioral2/memory/4216-68-0x00007FF6A8900000-0x00007FF6A9FAF000-memory.dmp	themida
behavioral2/memory/4216-231-0x00007FF6A8900000-0x00007FF6A9FAF000-memory.dmp	themida
behavioral2/memory/4788-237-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/4788-238-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/4788-240-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/4788-239-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/4788-241-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/4788-242-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/4788-243-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/4788-2407-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/1120-2408-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/1120-2411-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/1120-2414-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/1120-2415-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/1120-2413-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/1120-2412-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/1120-2410-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida
behavioral2/memory/1120-2428-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

TelegramExpert.exeunis.exeunis.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TelegramExpert.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unis.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

TelegramExpert.exeunis.exeunis.exe

pid process

4216 TelegramExpert.exe
4788 unis.exe
1120 unis.exe

pid	process
4216	TelegramExpert.exe
4788	unis.exe
1120	unis.exe

Drops file in Program Files directory 64 IoCs

Processes:

unis.exesetup.tmp

description	ioc	process
File created	C:\Program Files (x86)\TelegramExpert\sqlite\iconengines\qsvgicon.dll	unis.exe
File opened for modification	C:\Program Files (x86)\TelegramExpert\TelegramExpert.exe	setup.tmp
File created	C:\Program Files (x86)\TelegramExpert\additives\web\img\flags\da.svg	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\registrator_tokens.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\datatables-1.13.1\js\dataTables.jqueryui.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\send_id.html	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\sqlite\styles\FusionDarkStyle.dll	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\db_clean.html	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\img\icons\arrow-down.svg	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\accountTableTwo.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\leaflet\images\marker-shadow.png	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\leaflet\img\search-disabled.png	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\select2.min.css	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\db_union.html	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\registrator.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\datatables-1.13.1\images\sort_asc_disabled.png	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\sqlite\ext\uint.dll	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\img\icons\soft-icon-2.jpg	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\invite_admin_auto.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\registrator_hide_1.html	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\_stream_panel.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\datatables-1.13.1\css\jquery.dataTables.min.css	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\registrator_tokens.html	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\browser\locales\ar.pak	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\data\identity\et\person.json	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\datatables-1.13.1\js\dataTables.bulma.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\datatables-1.13.1\js\dataTables.dataTables.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\jquery.fancybox.min.css	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\browser\locales\en-US.pak	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\browser\118.0.5993.88.manifest	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\group_del_admin.html	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\datatables-1.13.1\css\dataTables.bootstrap4.css	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\sqlite\SQLiteStudio.exe	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\img\icons\people-1.png	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\invite_admin.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\views.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\datatables-1.13.1\css\dataTables.jqueryui.css	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\browser\locales\cs.pak	unis.exe
File opened for modification	C:\Program Files (x86)\TelegramExpert\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\TelegramExpert\temp\process.dat	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\fonts\Gilroy-Regular.woff2	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\img\icons\close-icon.svg	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\answering_machine_smart.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\log_panel.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\parsing_geo.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\registrator_vaksms.html	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\sqlite\plugins\SqlExport.dll	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\sqlite\Qt5Core.dll	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\img\icons\people-2.png	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\check_links.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\db_union.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\sqlite\Qt5Network.dll	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\browser\icudtl.dat	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\img\flags\de.svg	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\img\flags\fi.svg	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\sqlite\ext\uuid.dll	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\unsubscribe.html	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\sqlite\plugins\PdfExport.dll	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\browser\locales\lt.pak	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\db_gender.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\proxy_checker.js	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\libs\datatables-1.13.1\images\sort_desc.png	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\img\icons\people-5.png	unis.exe
File created	C:\Program Files (x86)\TelegramExpert\additives\web\js\dowload_files.js	unis.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4548 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4548	powershell.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

setup.tmppowershell.exeTelegramExpert.exeunis.exe

pid	process
2976	setup.tmp
2976	setup.tmp
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
4132	TelegramExpert.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe
1120	unis.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeTelegramExpert.exeunis.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4132	TelegramExpert.exe
Token: SeDebugPrivilege	1120	unis.exe
Token: SeIncreaseQuotaPrivilege	3004	WMIC.exe
Token: SeSecurityPrivilege	3004	WMIC.exe
Token: SeTakeOwnershipPrivilege	3004	WMIC.exe
Token: SeLoadDriverPrivilege	3004	WMIC.exe
Token: SeSystemProfilePrivilege	3004	WMIC.exe
Token: SeSystemtimePrivilege	3004	WMIC.exe
Token: SeProfSingleProcessPrivilege	3004	WMIC.exe
Token: SeIncBasePriorityPrivilege	3004	WMIC.exe
Token: SeCreatePagefilePrivilege	3004	WMIC.exe
Token: SeBackupPrivilege	3004	WMIC.exe
Token: SeRestorePrivilege	3004	WMIC.exe
Token: SeShutdownPrivilege	3004	WMIC.exe
Token: SeDebugPrivilege	3004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3004	WMIC.exe
Token: SeRemoteShutdownPrivilege	3004	WMIC.exe
Token: SeUndockPrivilege	3004	WMIC.exe
Token: SeManageVolumePrivilege	3004	WMIC.exe
Token: 33	3004	WMIC.exe
Token: 34	3004	WMIC.exe
Token: 35	3004	WMIC.exe
Token: 36	3004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3004	WMIC.exe
Token: SeSecurityPrivilege	3004	WMIC.exe
Token: SeTakeOwnershipPrivilege	3004	WMIC.exe
Token: SeLoadDriverPrivilege	3004	WMIC.exe
Token: SeSystemProfilePrivilege	3004	WMIC.exe
Token: SeSystemtimePrivilege	3004	WMIC.exe
Token: SeProfSingleProcessPrivilege	3004	WMIC.exe
Token: SeIncBasePriorityPrivilege	3004	WMIC.exe
Token: SeCreatePagefilePrivilege	3004	WMIC.exe
Token: SeBackupPrivilege	3004	WMIC.exe
Token: SeRestorePrivilege	3004	WMIC.exe
Token: SeShutdownPrivilege	3004	WMIC.exe
Token: SeDebugPrivilege	3004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3004	WMIC.exe
Token: SeRemoteShutdownPrivilege	3004	WMIC.exe
Token: SeUndockPrivilege	3004	WMIC.exe
Token: SeManageVolumePrivilege	3004	WMIC.exe
Token: 33	3004	WMIC.exe
Token: 34	3004	WMIC.exe
Token: 35	3004	WMIC.exe
Token: 36	3004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4596	WMIC.exe
Token: SeSecurityPrivilege	4596	WMIC.exe
Token: SeTakeOwnershipPrivilege	4596	WMIC.exe
Token: SeLoadDriverPrivilege	4596	WMIC.exe
Token: SeSystemProfilePrivilege	4596	WMIC.exe
Token: SeSystemtimePrivilege	4596	WMIC.exe
Token: SeProfSingleProcessPrivilege	4596	WMIC.exe
Token: SeIncBasePriorityPrivilege	4596	WMIC.exe
Token: SeCreatePagefilePrivilege	4596	WMIC.exe
Token: SeBackupPrivilege	4596	WMIC.exe
Token: SeRestorePrivilege	4596	WMIC.exe
Token: SeShutdownPrivilege	4596	WMIC.exe
Token: SeDebugPrivilege	4596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4596	WMIC.exe
Token: SeRemoteShutdownPrivilege	4596	WMIC.exe
Token: SeUndockPrivilege	4596	WMIC.exe
Token: SeManageVolumePrivilege	4596	WMIC.exe
Token: 33	4596	WMIC.exe
Token: 34	4596	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

setup.tmp

pid process

2976 setup.tmp

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

setup.exesetup.tmpTelegramExpert.exeTelegramExpert.execmd.exeunis.exeunis.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3484 wrote to memory of 2976	3484	setup.exe	setup.tmp
PID 3484 wrote to memory of 2976	3484	setup.exe	setup.tmp
PID 3484 wrote to memory of 2976	3484	setup.exe	setup.tmp
PID 2976 wrote to memory of 4548	2976	setup.tmp	powershell.exe
PID 2976 wrote to memory of 4548	2976	setup.tmp	powershell.exe
PID 2976 wrote to memory of 4548	2976	setup.tmp	powershell.exe
PID 2976 wrote to memory of 4216	2976	setup.tmp	TelegramExpert.exe
PID 2976 wrote to memory of 4216	2976	setup.tmp	TelegramExpert.exe
PID 4216 wrote to memory of 4132	4216	TelegramExpert.exe	TelegramExpert.exe
PID 4216 wrote to memory of 4132	4216	TelegramExpert.exe	TelegramExpert.exe
PID 4132 wrote to memory of 4436	4132	TelegramExpert.exe	cmd.exe
PID 4132 wrote to memory of 4436	4132	TelegramExpert.exe	cmd.exe
PID 4436 wrote to memory of 4788	4436	cmd.exe	unis.exe
PID 4436 wrote to memory of 4788	4436	cmd.exe	unis.exe
PID 4788 wrote to memory of 1120	4788	unis.exe	unis.exe
PID 4788 wrote to memory of 1120	4788	unis.exe	unis.exe
PID 1120 wrote to memory of 4792	1120	unis.exe	cmd.exe
PID 1120 wrote to memory of 4792	1120	unis.exe	cmd.exe
PID 1120 wrote to memory of 4232	1120	unis.exe	cmd.exe
PID 1120 wrote to memory of 4232	1120	unis.exe	cmd.exe
PID 1120 wrote to memory of 872	1120	unis.exe	cmd.exe
PID 1120 wrote to memory of 872	1120	unis.exe	cmd.exe
PID 872 wrote to memory of 3004	872	cmd.exe	WMIC.exe
PID 872 wrote to memory of 3004	872	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 1256	1120	unis.exe	cmd.exe
PID 1120 wrote to memory of 1256	1120	unis.exe	cmd.exe
PID 1256 wrote to memory of 4596	1256	cmd.exe	WMIC.exe
PID 1256 wrote to memory of 4596	1256	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 1556	1120	unis.exe	cmd.exe
PID 1120 wrote to memory of 1556	1120	unis.exe	cmd.exe
PID 1556 wrote to memory of 1820	1556	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 1820	1556	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 880	1120	unis.exe	cmd.exe
PID 1120 wrote to memory of 880	1120	unis.exe	cmd.exe
PID 880 wrote to memory of 1248	880	cmd.exe	WMIC.exe
PID 880 wrote to memory of 1248	880	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 2832	1120	unis.exe	cmd.exe
PID 1120 wrote to memory of 2832	1120	unis.exe	cmd.exe
PID 2832 wrote to memory of 3312	2832	cmd.exe	WMIC.exe
PID 2832 wrote to memory of 3312	2832	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 4364	1120	unis.exe	cmd.exe
PID 1120 wrote to memory of 4364	1120	unis.exe	cmd.exe
PID 4364 wrote to memory of 4120	4364	cmd.exe	WMIC.exe
PID 4364 wrote to memory of 4120	4364	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\is-UVM6F.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UVM6F.tmp\setup.tmp" /SL5="$D0066,19198697,792064,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Program Files (x86)\TelegramExpert\install_sert.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- - C:\Program Files (x86)\TelegramExpert\TelegramExpert.exe
    "C:\Program Files (x86)\TelegramExpert\TelegramExpert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\TelegramExpert.exe
      "C:\Program Files (x86)\TelegramExpert\TelegramExpert.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4132
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c unis.exe -checked
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4436
      - C:\Program Files (x86)\TelegramExpert\unis.exe
        
        unis.exe -checked
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Program Files (x86)\TelegramExpert\unis.exe
        
        unis.exe -checked
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        8⤵
        
        PID:4232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid /VALUE"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid /VALUE
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid /VALUE"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid /VALUE
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic CPU get ProcessorId /VALUE"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic CPU get ProcessorId /VALUE
        9⤵
        
        PID:1820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic CPU get caption /VALUE"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic CPU get caption /VALUE
        9⤵
        
        PID:1248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE where "MediaType='Fixed hard disk media'" get SerialNumber /VALUE"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE where "MediaType='Fixed hard disk media'" get SerialNumber /VALUE
        9⤵
        
        PID:3312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE where "MediaType='Fixed hard disk media'" get Model /VALUE"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE where "MediaType='Fixed hard disk media'" get Model /VALUE
        9⤵
        
        PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TelegramExpert\TelegramExpert.exe

Filesize
17.4MB

MD5
99974195d2ace89ba50ccb692cd74cae

SHA1
b54132da35de58c4bb6502de0b86167a8bec2b05

SHA256
f7e5c0accdfa631517ebc1001a3211e4b07f72743f6ea2129cb880513331814d

SHA512
d6cf9aa60df3d9ed9c1631950abf93f00fe8bd46a81cf5645101bda76ce241eadb48ee995862f6d3855443e47c7ba6e35c72b0b41a803a05d5516a90ef125106

Download Submit
C:\Program Files (x86)\TelegramExpert\additives\web\libs\datatables-1.13.1\css\dataTables.foundation.css

Filesize
10KB

MD5
ed8bbf12af68f902f0fb514dee07f729

SHA1
604f6154d24a6d93d38a6f41f46aba238ec66f59

SHA256
87264653eda5c1f8ee772837029968d363c4d8f020d0b63c8f5ade3f01053e01

SHA512
a99ccc505c1c8c04051d41e2b8fa31a83a63fbff3bf6664ea66d25ac3c023b63f4d8be92c21736469309eb1e34e2f392e36b52af2c32f9442d7d0f4908af8901

Download Submit
C:\Program Files (x86)\TelegramExpert\additives\web\libs\datatables-1.13.1\css\dataTables.foundation.min.css

Filesize
8KB

MD5
1a6c8ab4e72b87bb259301b392b839d2

SHA1
372df3be0a7dbc7dc19b0a4be9f814076461534b

SHA256
e88bebdf0cfc52006a575846bc9799992f9cd6913c049e94b2e89f4e638d32e3

SHA512
38a6e5f7d832971450385ff48be51417319b0cae0e01b053d243ff7e21868ccacdbde155bb2f2bde63313bd2125bbac71df99f8aeda3fbbba6b3df13f837ef41

Download Submit
C:\Program Files (x86)\TelegramExpert\additives\web\registrator_smsactivate.html

Filesize
159KB

MD5
1b36ab2339fd2f9567dc2e50c9a4582a

SHA1
3a651b11ea7d62bcb9dede9fe338de1fc8211bb2

SHA256
bdf275861cf86a8182db04a0eb214411e1c3a378dc3c2d89deb2b9136182f2bc

SHA512
cf17ccc02a05155a549067d2a35221369e9e30ca0b7ddb2009f0e1682e2b80c016e6043741934dcd8e8835cef2b44aaf411220b5a9823dce384a9530769deb4e

Download Submit
C:\Program Files (x86)\TelegramExpert\install_sert.ps1

Filesize
731B

MD5
89ef43ee000ac0c09904a6e97a4c561f

SHA1
13c3d2e39bae9503b3e2bfd29f8e2b2fbfbd743a

SHA256
6fafccd90da8e556199f9216ee832af22e8d3b9e71f3d768c08aea11c0192ca0

SHA512
a59f6226caf83aa1fbb335094bfd8936e761f911480019e3cd21f6b11ec44503fa1bab0659f25c7cc472a61f5ea9090442ea72310c231073019fb73474888d24

Download Submit
C:\Program Files (x86)\TelegramExpert\sert.pfx

Filesize
2KB

MD5
3e503be6ade3f3a86dec583d462a22ee

SHA1
f612b84300012cd3d44d2478dd971ab4e4a21caf

SHA256
69e91f10d431980fae7de5531c1f0dded3b9984db1db6264d5015aad4df04b54

SHA512
27b9ea699b414233a501db51e454d39552de28d709966efa85e89861c31783ccf0c7b3d47a919f1d8745fa35fc49e5d44ac5b61ab4fd1d799e07a5cb7ad0a5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Cryptodome\Cipher\_Salsa20.pyd

Filesize
13KB

MD5
b625901b579272698580a7872c55d7d5

SHA1
dbe00e27164072acbee55fd8207861fb00cc618b

SHA256
e35223a351faa644929b8a610dbda5d3cf21bc6b0625e5607927db92c3488f94

SHA512
0631f5d094279086c47d2e1a1d4d8d30e87dbb8ee2ee70b2fd7277b93d89877a797bf73868f84aa88409ba3bd448089a9d339f91dd90d4bfb8a7b4a2d8736cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Cryptodome\Cipher\_raw_aes.pyd

Filesize
35KB

MD5
58e72f40cfb188e90605f2c058bd58fb

SHA1
a839d178219ee996976837465b4b6ddcfaa70f0d

SHA256
bce12a831fd1f549a4042d59ea847cc32f321d55fc3153de6d1e43aad090f4fa

SHA512
66172a33e5854a167ff94d8b6ba317097dbbe8efd88854259bdc82dcb10cd442556ade8c67f8a142af6442f8c40e28e2a0977c2d9d215fc1faa7627eec43a142

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
32251a04dc9767afc3044ae04958e501

SHA1
12861524dbe3c47b1411bff6e108dc25dd7f5483

SHA256
301840824183b7ce7bcbe0ffecc439739318eef11722dae266b31746843a8da0

SHA512
d83d557d3f31a598934baae6125dc2c0d7b87c4d7de92d357ec79c10d5d1df9197d8702137d824c42f55dd1c3bc3d8f48649042c833ce9b66d035bd4c0cd0412

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Cryptodome\Cipher\_raw_ocb.pyd

Filesize
17KB

MD5
2f84d693cf84cf80d60dca3cdfec3ff1

SHA1
f44090b4e331cbd3f755193390b46fef61db915d

SHA256
74886dd7a790c7380c864dc56cbde9acde3b72732554a0f4c1514f314c525a47

SHA512
7e3e406dd1ce508fe0d0c834c2f92a137e0f06dd04742f1968aa15f60449c7d9cb6e34e50fcc868511eddb4fcd03e3d9c9b5ccb8eab64edf04194d8c38c74b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Cryptodome\Hash\_BLAKE2s.pyd

Filesize
14KB

MD5
55d5a2afb3db229e97c8cfd54fd473f2

SHA1
5e02b08a9af462615968873d1ba41ff0b955b257

SHA256
9864c0e5798f26c911988bf5423bd313fe0f8c23ff5d167178cc59f38cea87ca

SHA512
6d6fa3afab8bd3a72266a984d045eaee6e5a7943cac345f789aa57af9bedd5e82d1a987cfd3185159126cda5e988ff2ebee2267f74e80368ae5321b2cf6c4b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Cryptodome\Hash\_MD5.pyd

Filesize
15KB

MD5
2daf19bb93be442d8cac9fd872cbd909

SHA1
5ba775f9f433e0d556aa47dc85957c7f698b075f

SHA256
be9545f1329d83067aaf59ae45399827f21de19d3929827148ef8cd463e2364d

SHA512
f5d9fee593e11448d719ad5953928b3d174b13c9a655f653a85b519dce686d9309c1a402a7739e4e2318e66a18b3b40ae7462f3ba82d2ee91029c190dc6d9a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Cryptodome\Hash\_SHA1.pyd

Filesize
17KB

MD5
a507ec059ef64011f1f5fbc92fdbd1c3

SHA1
2b4a40d515d90bfd635c2cc262c54061f7597d3f

SHA256
f93775a4af65df141d8267cef68cb31fa6363e9891f4a397bda088691e91a021

SHA512
91ca6fc43649ba28c2af6cf17d0bdab4856e7c5b94448c64b0ec1a85beed1349b752d8f953688374284b206c17be622a97be769cfb73416631c68f5b561e6f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Cryptodome\Hash\_ghash_portable.pyd

Filesize
13KB

MD5
2b973ca6823cb104d8ca494f0e148254

SHA1
62d148e5b4512a3d4908b5d0255940ad9c957fae

SHA256
71811ad2d62bc81ea09b0a909764da3cf0f61c93514c782c5d9f14ab3db481c1

SHA512
21f30fad38bf4165365d05d0bec71a927606b87dcdba208a9f387ae88498e656c2a42b275a3f54996f54ecae6b7b9c0834960c5c080f8e760576b29fbbd1d385

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
157KB

MD5
0a7eb5d67b14b983a38f82909472f380

SHA1
596f94c4659a055d8c629bc21a719ce441d8b924

SHA256
3bac94d8713a143095ef8e2f5d2b4a3765ebc530c8ca051080d415198cecf380

SHA512
3b78fd4c03ee1b670e46822a7646e668fbaf1ef0f2d4cd53ccfcc4abc2399fcc74822f94e60af13b3cdcb522783c008096b0b265dc9588000b7a46c0ed5973e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
29KB

MD5
4ac28414a1d101e94198ae0ac3bd1eb8

SHA1
718fbf58ab92a2be2efdb84d26e4d37eb50ef825

SHA256
b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

SHA512
2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\gevent-23.9.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\mimesis\data\en-au\text.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\Africa\Conakry

Filesize
148B

MD5
09a9397080948b96d97819d636775e33

SHA1
5cc9b028b5bd2222200e20091a18868ea62c4f18

SHA256
d2efac4e5f23d88c95d72c1db42807170f52f43dd98a205af5a92a91b9f2d997

SHA512
2eccf2515599ed261e96da3fbcfbab0b6a2dfc86a1d87e3814091709f0bfe2f600c3044c8555ed027978a8ae9045666ee639a8c249f48d665d8e5c60f0597799

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\Africa\Djibouti

Filesize
265B

MD5
86dcc322e421bc8bdd14925e9d61cd6c

SHA1
289d1fb5a419107bc1d23a84a9e06ad3f9ee8403

SHA256
c89b2e253a8926a6cecf7eff34e4bfcdb7fe24daff22d84718c30deec0ea4968

SHA512
d32771be8629fb3186723c8971f06c3803d31389438b29bf6baa958b3f9db9a38971019583ba272c7a8f5eb4a633dfc467bfcb6f76faa8e290bad4fd7366bb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\Africa\Kigali

Filesize
149B

MD5
b77fb20b4917d76b65c3450a7117023c

SHA1
b99f3115100292d9884a22ed9aef9a9c43b31ccd

SHA256
93f19e9551d58868ae5820752d2c93a486124c364463dc9c9489d0458f8bc682

SHA512
a088c2a4c7d72717257c3125c7c2aca28463d68306ea452afaad75b8a0f9e5730a8d9c430d14668809717a672dc63c4816762acb046b339da662da421a6d65df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\Africa\Lagos

Filesize
235B

MD5
8244c4cc8508425b6612fa24df71e603

SHA1
30ba925b4670235915dddfa1dd824dd9d7295eac

SHA256
cffeb0282ccbd7fba0e493ff8677a1e5a6dd5197885042e437f95a773f844846

SHA512
560c7581dcb2c800eae779005e41406beaf15d24efc763304e3111b9bb6074fe0ba59c48b5a2c5511245551b94418bbc35934d9bd46313fcc6e383323056668c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\America\Curacao

Filesize
246B

MD5
adf95d436701b9774205f9315ec6e4a4

SHA1
fcf8be5296496a5dd3a7a97ed331b0bb5c861450

SHA256
8491e557ff801a8306516b8ca5946ff5f2e6821af31477eb47d7d191cc5a6497

SHA512
f8fceff3c346224d693315af1ab12433eb046415200abaa6cdd65fd0ad40673fdddf67b83563d351e4aa520565881a4226fb37d578d3ba88a135e596ebb9b348

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\America\Toronto

Filesize
3KB

MD5
8dabdbbb4e33dcb0683c8a2db78fedc4

SHA1
a6d038ecff7126ee19ebb08a40d157c9a79964cd

SHA256
a587a1a1607439f7bac283e1815f2bdbafb9649a453d18e06c2e44e6996d888f

SHA512
35bfd5182535f5257d7ee693eb6827751993915129d7f3cc276783926b1f4db7a00d8f0b44a95ac80c294a9cc1b84bda6418134c2a5c10ba6c89946bd8ef97a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\Etc\Greenwich

Filesize
114B

MD5
9cd2aef183c064f630dfcf6018551374

SHA1
2a8483df5c2809f1dfe0c595102c474874338379

SHA256
6d9f378883c079f86c0387a5547a92c449869d806e07de10084ab04f0249018d

SHA512
dafa0cb9d0a8e0ff75a19be499751ad85372aafa856ff06dd68ecf2b1c5578bb98a040becaecf0aed2c3e4ff7372ff200fe7614334756d19fe79dd61c01d4e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\Europe\London

Filesize
3KB

MD5
a40006ee580ef0a4b6a7b925fee2e11f

SHA1
1beba7108ea93c7111dabc9d7f4e4bfdea383992

SHA256
c85495070dca42687df6a1c3ee780a27cbcb82f1844750ea6f642833a44d29b4

SHA512
316ecacc34136294ce11dcb6d0f292570ad0515f799fd59fbff5e7121799860b1347d802b6439a291f029573a3715e043009e2c1d5275f38957be9e04f92e62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\Europe\Oslo

Filesize
2KB

MD5
7db6c3e5031eaf69e6d1e5583ab2e870

SHA1
918341ad71f9d3acd28997326e42d5b00fba41e0

SHA256
5ee475f71a0fc1a32faeb849f8c39c6e7aa66d6d41ec742b97b3a7436b3b0701

SHA512
688eaa6d3001192addaa49d4e15f57aa59f3dd9dc511c063aa2687f36ffd28ffef01d937547926be6477bba8352a8006e8295ee77690be935f76d977c3ea12fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\Europe\Skopje

Filesize
1KB

MD5
6213fc0a706f93af6ff6a831fecbc095

SHA1
961a2223fd1573ab344930109fbd905336175c5f

SHA256
3a95adb06156044fd2fa662841c0268c2b5af47c1b19000d9d299563d387093a

SHA512
8149de3fd09f8e0f5a388f546ffe8823bdcda662d3e285b5cebc92738f0c6548ccb6ed2a5d086fd738cb3edc8e9e1f81c5e2e48edb0571e7ea7f131675b99327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\PRC

Filesize
561B

MD5
09dd479d2f22832ce98c27c4db7ab97c

SHA1
79360e38e040eaa15b6e880296c1d1531f537b6f

SHA256
64ffc2e43a94435a043c040d1d3af7e92d031adc78e7737af1861baa4eeef3e6

SHA512
f88ae25f3f04c7d5d5f98aafecc03cc7e4e56f1cd4c8deba6afd043f0fb7fe67b4d50e4df5493e77c6b34ba183e019442e736a13f784ba8c2847c06fd74ff200

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\Pacific\Wallis

Filesize
152B

MD5
5bdd7374e21e3df324a5b3d178179715

SHA1
244ed7d52bc39d915e1f860727ecfe3f4b1ae121

SHA256
53268a8a6b11f0b8e02fc67683ae48d074efaf7b4c66e036c1478107afd9a7d7

SHA512
9c76f39e8795c50e6c5b384a7ff1f308a1c5173f42f810759b36cdeae7d33d1dac4934efeed580c59d988c152e2d7f8d9b8eb2073ab1fc15e4b9c10900c7b383

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\Pacific\Yap

Filesize
172B

MD5
ec972f59902432836f93737f75c5116f

SHA1
331542d6faf6ab15ffd364d57fbaa62629b52b94

SHA256
9c1dfa1c15994dd8774e53f40cb14dcf529143468721f1dba7b2c2e14ae9f5f0

SHA512
e8e8c8f6d096c352d1244280254e4c6ecf93f7c2ff69ecc6fa4363a6be8a2daf6cfcd7f0d96bc2669268ced5565532fa06be348a139b0742ccccb83953c6324d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47882\pytz\zoneinfo\UCT

Filesize
114B

MD5
38bb24ba4d742dd6f50c1cba29cd966a

SHA1
d0b8991654116e9395714102c41d858c1454b3bd

SHA256
8b85846791ab2c8a5463c83a5be3c043e2570d7448434d41398969ed47e3e6f2

SHA512
194867d0cf66c2de4969dbfeb58c775964ecb2132acdc1b000b5ef0998cefde4a2979ffc04ec8b7dcb430e43326a79d9cedb28ecea184345aa7d742eaf9234ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5f1b5ulu.q0d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UVM6F.tmp\setup.tmp

Filesize
3.0MB

MD5
f8520510d1b6a61c0100970e8a9a3df6

SHA1
4d1732cb5c5fc9255eab5555d623eee35e76165b

SHA256
57a8ae7920e79bb62f104c70779b1272d30f61abb784e6fe1aa76e90c163669f

SHA512
d8178c2ba60868ef202ef3f3212ae18942b8a6ae05cac77521620df4b0560db8c69aa20e3ec628ba38cca535764a43e5e62c4f2d3ad483f346471e5fd23ac019

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\Cryptodome\Cipher\_raw_aesni.pyd

Filesize
15KB

MD5
9afdf3c7bcb3dc7591041fd48cb39335

SHA1
1a4b9e424601fdfc099752e0ecf396e54336e9ff

SHA256
946338651c0953521b1a104782896ceb66c713d685934ca79a81c78d19304057

SHA512
9321923023989532a2deaa8508aeb539ba95572798631bc828f641c9504ba21861468cda11806c13dd77c59b0039d24575d2acf931d1cf8a484dc6a1934ca1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
ccf05569127b49f9175747b0faf3784f

SHA1
acacc32436027fb5e77861c8223863f2a1d0e9a8

SHA256
3346ef1c6ac23382f860d79f1310a147ef765ece14e934e8eb1bf2231b0d5800

SHA512
d12e20afc891e4d537b8da55f808e94a881d36b9cdc62a425c458667264e7b90eb5278e4de44843b06ee405d18e651bed651cc72fbfc51e7b8c8d5dfca9c9c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\Cryptodome\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
9331b1bb21d0e689fb7851e156776c0b

SHA1
754c281688c86fa4819e80ea6fce10a8af8f4532

SHA256
a7a17dc7bb72faba8b504edc6673b1f5b2fdb7d40028a9c9daef1b8e60a05eb9

SHA512
6a9a190536eb75a9248dd081126a5343f5b5ff7c2cc3c6f93a7919e5736ebb27fe9471bee931093b6e1d659df3a3a35b75b1acfabe30086fc2d42ef6f25c852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
e1bad37f5e316cfa3ec255200126bf19

SHA1
77c3f4e54005c6e25fa3ac47e3487cf4b761d99a

SHA256
75178e3ab98e75a9946d061ea4dc9ba30a56ba1150547924ab63eaa2b0102478

SHA512
9abd48451b505af93bc6b6e0617ceb288634793355bbc480f4f54ed7d3440768223380ca63442dd942b40ad3b94e43419c2f4dbb28be6b81013c3c12a2bc8ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\Cryptodome\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
964c4fc8b06fcfe9ccae6c4a32169d0b

SHA1
d0fe162eeb005535bdec929d604832d872897623

SHA256
73df383cbacc3c79c75c94145349c399ae2006b41398379c3665f41e3c73f73f

SHA512
aa8c7ea164459bd41f9ce3a1be4b9ecff124163dcfbc7a4e91bdbdc13d41393e2a94b1322083239ee009a82847688b120750f8ca5eb74ccaa409a950c7fd052f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\Cryptodome\Hash\_SHA256.pyd

Filesize
21KB

MD5
8b852e8f87f22b5c8c6df573a4e509e4

SHA1
0faef9824694bdc860e0b787f427a70b26ef2833

SHA256
dde2537391d95d53086d5098b0b0eb313ef5b7a72495e73d7b0dff0b48b61911

SHA512
553a58791df2e326e23b4328d5118afcaac7fe538cec11bb4e9b9334026a0ac722485cf486d4047e23da32b79266d7944dacdae62fc208d71dca1a9611d44529

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\Cryptodome\Hash\_ghash_clmul.pyd

Filesize
12KB

MD5
4d4e767f661d94bf2f203f3f6dfd0e27

SHA1
769468246848cabacce7f085ab3e61eb4814b09f

SHA256
9705dbf1b9a74576bb5adae038822dffe705901fe42d1ba79ba72538a135425a

SHA512
11185e36a7adc2a1697b69a890088feeed5a8d8a9dcbbb0ab81cd6388aac4885feccc9144115a1904c74afc4559988194ccf47e26d0011acbd2684bb85332d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\Cryptodome\Protocol\_scrypt.pyd

Filesize
12KB

MD5
162fcdc5b4eb361d2e052a2d520a28bc

SHA1
699a9f2bafe703d8b5f7e3946a5cad2bcfdb6acb

SHA256
5a967cfe7401c7448be2e8b45928e1a4942ac591712e11b070ca4b147c48a2b4

SHA512
b426b9360d9b8543db7be65357b3933413c485121a0c32c7e890969929bfe8f68b040e35b79b2795d6b7fe7c13b9940fc033f414280828b2168890c3fc93c1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\Cryptodome\Util\_cpuid_c.pyd

Filesize
10KB

MD5
876d132628d8a13a05a8dcbc8ec99da6

SHA1
82f8f3018611404161e31cb5d4f8e07fa2d3b476

SHA256
64101360ad840c1e732dd2d0e7cca79dc0eab02ea24a4a54aa620125951fbf10

SHA512
4020fb2bd73332bd8dcc697e0f930964eb1209dcd15b931cc71d595a72f931ac410fdad628f3b913a96e3a157bc4c26e3678047090ecf80cf6e8176ded8d493a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\Cryptodome\Util\_strxor.pyd

Filesize
10KB

MD5
b32f09b5437466f79126168ffb9ade1f

SHA1
c53a60f7165f150c094ac72fb824f18dbd8e69a3

SHA256
845266db75bf928761580b15ea06645a1f6ae7d9b7926bfc737f335da97499b0

SHA512
1eff2832a524e2b16fc2bd4d1f3a8b46753c1977f442aa4c6c110e28a4c3686501ca09de90f9f88b911ef38c1ce9f3a210717ab590f0ec915d970e4a8da3b81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\TelegramExpert.exe

Filesize
23.5MB

MD5
daf1a8de1adbea49c13590be7b6e2b2f

SHA1
340556c8cf92143afb43940ea69b28f08b11cccf

SHA256
8a701e6406006c3ef01869ecc2e61d9d96549a873f72f9bffcc3c88db326cc88

SHA512
628ac6f8a1009cf5560bba2e4e9aedee595f6858f5bdfa6870b170c1aec07ed3895815703f9e81f974230e461469e0b31013f97d50b44593f447357656c7163a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\_cffi_backend.pyd

Filesize
177KB

MD5
fde9a1d6590026a13e81712cd2f23522

SHA1
ca99a48caea0dbaccf4485afd959581f014277ed

SHA256
16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b

SHA512
a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\_ctypes.pyd

Filesize
120KB

MD5
496dcf8821ffc12f476878775999a8f3

SHA1
6b89b8fdd7cd610c08e28c3a14b34f751580cffd

SHA256
b59e103f8ec6c1190ded21eef27bea01579220909c3968eeec37d46d2ed39e80

SHA512
07118f44b83d58f333bc4b853e9be66dffb3f7db8e65e0226975297bf5794ebdaa2c7a51ef84971faf4d4233a68a6b5e9ac02e737d16c0ac19a6cf65fad9443f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\_socket.pyd

Filesize
77KB

MD5
290dbf92268aebde8b9507b157bef602

SHA1
bea7221d7abbbc48840b46a19049217b27d3d13a

SHA256
e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

SHA512
9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\libffi-8.dll

Filesize
37KB

MD5
d86a9d75380fab7640bb950aeb05e50e

SHA1
1c61aaf9022cd1f09a959f7b2a65fb1372d187d7

SHA256
68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b

SHA512
18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\psutil\_psutil_windows.pyd

Filesize
76KB

MD5
ebefbc98d468560b222f2d2d30ebb95c

SHA1
ee267e3a6e5bed1a15055451efcccac327d2bc43

SHA256
67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

SHA512
ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\python3.dll

Filesize
65KB

MD5
2ad3039bd03669f99e948f449d9f778b

SHA1
dae8f661990c57adb171667b9206c8d84c50ecad

SHA256
852b901e17022c437f8fc3039a5af2ee80c5d509c9ef5f512041af17c48fcd61

SHA512
8ffeaa6cd491d7068f9176fd628002c84256802bd47a17742909f561ca1da6a2e7c600e17cd983063e8a93c2bbe9b981bd43e55443d28e32dfb504d7f1e120c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4216_133608528095043671\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
memory/1120-2410-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/1120-2414-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/1120-2413-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/1120-2408-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/1120-2412-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/1120-2411-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/1120-2429-0x00000000655C0000-0x0000000065664000-memory.dmp

Filesize
656KB

Download
memory/1120-2428-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/1120-2415-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/2976-28-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2976-9-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2976-6-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2976-64-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/3484-0-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3484-65-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3484-8-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3484-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4132-1640-0x00007FF6C26B0000-0x00007FF6C3E88000-memory.dmp

Filesize
23.8MB

Download
memory/4132-232-0x00007FF6C26B0000-0x00007FF6C3E88000-memory.dmp

Filesize
23.8MB

Download
memory/4216-231-0x00007FF6A8900000-0x00007FF6A9FAF000-memory.dmp

Filesize
22.7MB

Download
memory/4216-66-0x00007FF6A8900000-0x00007FF6A9FAF000-memory.dmp

Filesize
22.7MB

Download
memory/4216-67-0x00007FF6A8900000-0x00007FF6A9FAF000-memory.dmp

Filesize
22.7MB

Download
memory/4216-68-0x00007FF6A8900000-0x00007FF6A9FAF000-memory.dmp

Filesize
22.7MB

Download
memory/4548-54-0x0000000008B20000-0x000000000919A000-memory.dmp

Filesize
6.5MB

Download
memory/4548-34-0x0000000006090000-0x00000000060B2000-memory.dmp

Filesize
136KB

Download
memory/4548-27-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

Filesize
216KB

Download
memory/4548-50-0x0000000007880000-0x0000000007916000-memory.dmp

Filesize
600KB

Download
memory/4548-52-0x0000000006DF0000-0x0000000006E12000-memory.dmp

Filesize
136KB

Download
memory/4548-43-0x0000000006250000-0x00000000065A4000-memory.dmp

Filesize
3.3MB

Download
memory/4548-58-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/4548-48-0x0000000006A80000-0x0000000006ACC000-memory.dmp

Filesize
304KB

Download
memory/4548-47-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/4548-53-0x0000000007EF0000-0x0000000008494000-memory.dmp

Filesize
5.6MB

Download
memory/4548-51-0x0000000006DA0000-0x0000000006DBA000-memory.dmp

Filesize
104KB

Download
memory/4548-35-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/4548-36-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/4548-26-0x000000007239E000-0x000000007239F000-memory.dmp

Filesize
4KB

Download
memory/4548-32-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/4548-30-0x0000000072390000-0x0000000072B40000-memory.dmp

Filesize
7.7MB

Download
memory/4548-29-0x00000000059F0000-0x0000000006018000-memory.dmp

Filesize
6.2MB

Download
memory/4788-237-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/4788-238-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/4788-240-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/4788-2407-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/4788-239-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/4788-241-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/4788-242-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download
memory/4788-243-0x00007FF6882B0000-0x00007FF688AD8000-memory.dmp

Filesize
8.2MB

Download