Analysis
- max time kernel: 145s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/09/2022, 03:23
Static task: static1
Behavioral task: behavioral1
Sample: test.msi
Resource: win10v2004-20220812-en
General
- Target: test.msi
- Size: 40.0MB
- MD5: 40071570f238ceedb6c61e1af292cef0
- SHA1: 0a7ebc42f2083edcf2563258a6e55281f4dab933
- SHA256: c8a6f804c77c03e645c77085ea7578de8b8170c737db8dee0b083515c0964ac8
- SHA512: 158497c0d3fd83b85dd67c45c909b12913b9c88cf2896168f5f2f6bf46921017d2edfe302834087c36014b74a1986692b537dd5799728e3982fd05fc77ad4bc1
- SSDEEP: 786432:USeuOl8/Sa93dbR7QJFyq0PbP03Eh8WyA77ahnA3NNRc5PDZJixcQ:lOl5aLFdRg3Eh85eC5PDZwx
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow | pid | Process
54 | 5108 | MsiExec.exe
Executes dropped EXE 3 IoCs
pid | Process
1636 | TGlaunch.exe
2452 | Telegram.exe
1420 | Telegram.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | TGlaunch.exe
Loads dropped DLL 22 IoCs
pid | Process
5108 | MsiExec.exe
5108 | MsiExec.exe
3448 | MsiExec.exe
3448 | MsiExec.exe
3448 | MsiExec.exe
3448 | MsiExec.exe
3448 | MsiExec.exe
3448 | MsiExec.exe
3448 | MsiExec.exe
3448 | MsiExec.exe
2844 | MsiExec.exe
2844 | MsiExec.exe
2844 | MsiExec.exe
2844 | MsiExec.exe
1636 | TGlaunch.exe
1636 | TGlaunch.exe
1636 | TGlaunch.exe
1636 | TGlaunch.exe
1636 | TGlaunch.exe
1636 | TGlaunch.exe
1636 | TGlaunch.exe
1636 | TGlaunch.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | Telegram.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
Drops file in Windows directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI102D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{2A3D719B-2D8B-4BE8-B45A-340B42B07BB9} | msiexec.exe
File opened for modification | C:\Windows\Installer\{2A3D719B-2D8B-4BE8-B45A-340B42B07BB9}\TGlaunch.exe | msiexec.exe
File created | C:\Windows\Installer\e570ed7.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1197.tmp | msiexec.exe
File created | C:\Windows\Installer\{2A3D719B-2D8B-4BE8-B45A-340B42B07BB9}\TGlaunch.exe | msiexec.exe
File created | C:\Windows\Installer\e570ed5.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e570ed5.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF90.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI10DA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI13DA.tmp | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3036 | 1636 | WerFault.exe | 105
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache | vssvc.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
Modifies registry class 39 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tg\ = "URL:Telegram Link" | Telegram.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tdesktop.tg | Telegram.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B917D3A2B8D28EB44BA543B0240BB79B\MainFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tg\shell\open\command | Telegram.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tdesktop.tg\shell | Telegram.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tdesktop.tg\shell\open | Telegram.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B917D3A2B8D28EB44BA543B0240BB79B | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tg\shell\open | Telegram.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tg | Telegram.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tdesktop.tg\DefaultIcon | Telegram.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | Telegram.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\PackageCode = "EFDEFD6ABF1905546A6478FBBFDFD712" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\Language = "2052" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C825FD30C7DE31249B948A4C703B5729\B917D3A2B8D28EB44BA543B0240BB79B | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tg\shell | Telegram.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -workdir \"C:/Users/Admin/AppData/Roaming/Telegram Desktop/\" -- \"%1\"" | Telegram.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C825FD30C7DE31249B948A4C703B5729 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tg\URL Protocol | Telegram.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tdesktop.tg\shell\open\command | Telegram.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\SourceList\Media\1 = ";" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tg\DefaultIcon | Telegram.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | Telegram.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -workdir \"C:/Users/Admin/AppData/Roaming/Telegram Desktop/\" -- \"%1\"" | Telegram.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\ProductName = "Telegram Desktop" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\SourceList\Media | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\Version = "34013188" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B917D3A2B8D28EB44BA543B0240BB79B\SourceList\PackageName = "test.msi" | msiexec.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2452 | Telegram.exe
1420 | Telegram.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2012 | msiexec.exe
2012 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3752 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3752 | msiexec.exe
Token: SeSecurityPrivilege | 2012 | msiexec.exe
Token: SeCreateTokenPrivilege | 3752 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3752 | msiexec.exe
Token: SeLockMemoryPrivilege | 3752 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3752 | msiexec.exe
Token: SeMachineAccountPrivilege | 3752 | msiexec.exe
Token: SeTcbPrivilege | 3752 | msiexec.exe
Token: SeSecurityPrivilege | 3752 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3752 | msiexec.exe
Token: SeLoadDriverPrivilege | 3752 | msiexec.exe
Token: SeSystemProfilePrivilege | 3752 | msiexec.exe
Token: SeSystemtimePrivilege | 3752 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3752 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3752 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3752 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3752 | msiexec.exe
Token: SeBackupPrivilege | 3752 | msiexec.exe
Token: SeRestorePrivilege | 3752 | msiexec.exe
Token: SeShutdownPrivilege | 3752 | msiexec.exe
Token: SeDebugPrivilege | 3752 | msiexec.exe
Token: SeAuditPrivilege | 3752 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3752 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3752 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3752 | msiexec.exe
Token: SeUndockPrivilege | 3752 | msiexec.exe
Token: SeSyncAgentPrivilege | 3752 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3752 | msiexec.exe
Token: SeManageVolumePrivilege | 3752 | msiexec.exe
Token: SeImpersonatePrivilege | 3752 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3752 | msiexec.exe
Token: SeCreateTokenPrivilege | 3752 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3752 | msiexec.exe
Token: SeLockMemoryPrivilege | 3752 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3752 | msiexec.exe
Token: SeMachineAccountPrivilege | 3752 | msiexec.exe
Token: SeTcbPrivilege | 3752 | msiexec.exe
Token: SeSecurityPrivilege | 3752 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3752 | msiexec.exe
Token: SeLoadDriverPrivilege | 3752 | msiexec.exe
Token: SeSystemProfilePrivilege | 3752 | msiexec.exe
Token: SeSystemtimePrivilege | 3752 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3752 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3752 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3752 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3752 | msiexec.exe
Token: SeBackupPrivilege | 3752 | msiexec.exe
Token: SeRestorePrivilege | 3752 | msiexec.exe
Token: SeShutdownPrivilege | 3752 | msiexec.exe
Token: SeDebugPrivilege | 3752 | msiexec.exe
Token: SeAuditPrivilege | 3752 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3752 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3752 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3752 | msiexec.exe
Token: SeUndockPrivilege | 3752 | msiexec.exe
Token: SeSyncAgentPrivilege | 3752 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3752 | msiexec.exe
Token: SeManageVolumePrivilege | 3752 | msiexec.exe
Token: SeImpersonatePrivilege | 3752 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3752 | msiexec.exe
Token: SeCreateTokenPrivilege | 3752 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3752 | msiexec.exe
Token: SeLockMemoryPrivilege | 3752 | msiexec.exe
Suspicious use of FindShellTrayWindow 9 IoCs
pid | Process
3752 | msiexec.exe
3752 | msiexec.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
Suspicious use of SendNotifyMessage 7 IoCs
pid | Process
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
Suspicious use of SetWindowsHookEx 16 IoCs
pid | Process
2452 | Telegram.exe
2452 | Telegram.exe
1420 | Telegram.exe
1420 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
2452 | Telegram.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 2012 wrote to memory of 5108 | 2012 | msiexec.exe | 84
PID 2012 wrote to memory of 5108 | 2012 | msiexec.exe | 84
PID 2012 wrote to memory of 5108 | 2012 | msiexec.exe | 84
PID 2012 wrote to memory of 3448 | 2012 | msiexec.exe | 87
PID 2012 wrote to memory of 3448 | 2012 | msiexec.exe | 87
PID 2012 wrote to memory of 3448 | 2012 | msiexec.exe | 87
PID 2012 wrote to memory of 2360 | 2012 | msiexec.exe | 100
PID 2012 wrote to memory of 2360 | 2012 | msiexec.exe | 100
PID 2012 wrote to memory of 2844 | 2012 | msiexec.exe | 102
PID 2012 wrote to memory of 2844 | 2012 | msiexec.exe | 102
PID 2012 wrote to memory of 2844 | 2012 | msiexec.exe | 102
PID 1636 wrote to memory of 2452 | 1636 | TGlaunch.exe | 107
PID 1636 wrote to memory of 2452 | 1636 | TGlaunch.exe | 107
PID 1636 wrote to memory of 1420 | 1636 | TGlaunch.exe | 108
PID 1636 wrote to memory of 1420 | 1636 | TGlaunch.exe | 108
Processes

C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\test.msi
PID:3752
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID:2012
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BFFC39F56B305907D8F9EA931C21C5EB U
    PID:5108
    - Blocklisted process makes network request
    - Loads dropped DLL

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9472265B106AA80183FB2908E8D38BAA C
    PID:3448
    - Loads dropped DLL

    C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:2360

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F6800A854463F839C52354B67D37D35E
    PID:2844
    - Loads dropped DLL

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID:2832
- Checks SCSI registry key(s)

C:\Users\Admin\AppData\Roaming\Telegram Desktop\TGlaunch.exe
Command line: "C:\Users\Admin\AppData\Roaming\Telegram Desktop\TGlaunch.exe" alt.dll x
PID:1636
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
    PID:2452
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
    PID:1420
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 820
    PID:3036
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1636 -ip 1636
PID:2844

Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\AdvinstAnalytics\60aa13ba0af7e85933ffb6b9\2.7.4.0\{DBCCDFCB-3190-42F6-A218-B7FC93799E62}.session
-
Filesize
1.4MB
MD5ff5c63efbba91a0eec9fc645da655b4c
SHA1d225ceff3601b57add69df7d854b2348a8980255
SHA256e1fbb97ff3607d569d584f78ce77a9dd2cf64dca05aebdbf3e55c9711e07b3be
SHA51296b963823d7a28e4d4ecd703aa26ad3d3e1d4086e09a4cc08ca88c30c9b8ceb42b7daf184e33b9175f87a566e78028cca3e6ab90ed6537598677f27b15eefce5
-
Filesize
371KB
MD57456818a22dad2c0965580d8bbf4cabd
SHA1548714607df2ec3b7c8a22cfba3a1776e6e80861
SHA256f3a288c5455b074fe9c9d5a160adeb49e84bbe1832b5fcbe8f26093215192f65
SHA51213f6589bd9c0c60a3df63325c57e94129761adc558d1a65eb4c6e138e6155dd9dbe501d45edde282219dc357593458f5f84a29188d123dcb7770e7479f6a7e68
-
Filesize
371KB
MD57456818a22dad2c0965580d8bbf4cabd
SHA1548714607df2ec3b7c8a22cfba3a1776e6e80861
SHA256f3a288c5455b074fe9c9d5a160adeb49e84bbe1832b5fcbe8f26093215192f65
SHA51213f6589bd9c0c60a3df63325c57e94129761adc558d1a65eb4c6e138e6155dd9dbe501d45edde282219dc357593458f5f84a29188d123dcb7770e7479f6a7e68
-
Filesize
8B
MD5b8508ee47768dea5daae0cdf132e5af4
SHA1c7b101f50420016a608775b6b20f3ba23c578c87
SHA256545d3463368b3347adddbc701d7efeaee297b23e058f33f6a824100aa2ef6c58
SHA512b1db0dd0c7bf143c8a66950a33784937f0149160be364fb2cd05b4accb1698473510352b6ce283ab4f7c66d9b5fd1c0744feefd5835920e9e32485fe0538309e
-
Filesize
349KB
MD58752c01d76bc7b3a38b6acaf5b9c387b
SHA18c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778
SHA256344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1
SHA5125a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f
-
Filesize
349KB
MD58752c01d76bc7b3a38b6acaf5b9c387b
SHA18c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778
SHA256344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1
SHA5125a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f
-
Filesize
701KB
MD51a7aa25f6bc984e0706a5f24967e7599
SHA1cd9c8ae977e965258a2e54df62efeb95c1e29d82
SHA256061381b635f3bbd08ff5bc9d946600a1f99c7c8eff956c41efeb79b5cd1570be
SHA5124e1246efc990c75c482aab3ed0739eb06317746752d25824f85007393205161f26d30ac5278314030f7fde3f5d5a7339f18784e28243221090b5fe31f52aa4fe
-
Filesize
701KB
MD51a7aa25f6bc984e0706a5f24967e7599
SHA1cd9c8ae977e965258a2e54df62efeb95c1e29d82
SHA256061381b635f3bbd08ff5bc9d946600a1f99c7c8eff956c41efeb79b5cd1570be
SHA5124e1246efc990c75c482aab3ed0739eb06317746752d25824f85007393205161f26d30ac5278314030f7fde3f5d5a7339f18784e28243221090b5fe31f52aa4fe
-
Filesize
701KB
MD51a7aa25f6bc984e0706a5f24967e7599
SHA1cd9c8ae977e965258a2e54df62efeb95c1e29d82
SHA256061381b635f3bbd08ff5bc9d946600a1f99c7c8eff956c41efeb79b5cd1570be
SHA5124e1246efc990c75c482aab3ed0739eb06317746752d25824f85007393205161f26d30ac5278314030f7fde3f5d5a7339f18784e28243221090b5fe31f52aa4fe
-
Filesize
701KB
MD51a7aa25f6bc984e0706a5f24967e7599
SHA1cd9c8ae977e965258a2e54df62efeb95c1e29d82
SHA256061381b635f3bbd08ff5bc9d946600a1f99c7c8eff956c41efeb79b5cd1570be
SHA5124e1246efc990c75c482aab3ed0739eb06317746752d25824f85007393205161f26d30ac5278314030f7fde3f5d5a7339f18784e28243221090b5fe31f52aa4fe
-
Filesize
349KB
MD58752c01d76bc7b3a38b6acaf5b9c387b
SHA18c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778
SHA256344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1
SHA5125a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f
-
Filesize
349KB
MD58752c01d76bc7b3a38b6acaf5b9c387b
SHA18c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778
SHA256344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1
SHA5125a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f
-
Filesize
23.0MB
MD5e842bd1163ad298827c7a7d1f8dd224d
SHA131f804452230c61a25d542541822704171c5d980
SHA2561330930bb4ead6c1ecc3e7923caf4c0ddbf68a1c6867c3a6fe30fda9abcb1b09
SHA51272985b72c4c8e7ac987fb5fb8be3d176dbda484171b411a1de47032fe1340f7f7a02705081a2df5570382f39366d0ac18a1b1bf7dd6c0f65b03817b9691e44ab
-
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bd943a54-ca52-4db1-9d15-1c723ad6a6ee}_OnDiskSnapshotProp
Filesize 5KB
MD5f540ccdc1ea33f14ba2516db1c042004
SHA190558a74611262a4ee87b0f5bc48691b8c070d4d
SHA256268f52ccaf2b6396358651475131348dbfd2fc02e18fff33f461b99ff2a590d6
SHA512e412783bf1d80d40eb143f2f31b5fbc39e6075ad4e67a42fd522b90197aced233821f4def278dbf71a8f50f7d5931291db8895b2013cca248f8c657ddfdaa806