chinese_generic_botnet | 008dee530fcd5c8f67e26b2cca613396f6bfa560cd4fe715ddf384e73d3ca175

Analysis

max time kernel
351s
max time network
359s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2023 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tsetup-x64.3.3.1.exe
Size

72.9MB
MD5

8408b8d359a29651181fd1493f22dc9b
SHA1

0a247a3d843d05bcb35dd82830df66742245aa82
SHA256

008dee530fcd5c8f67e26b2cca613396f6bfa560cd4fe715ddf384e73d3ca175
SHA512

f8ad61921f7cc0dae14f46fba74707c153ce50b67f76b34ce132d2fb0332f3bbbf96f20d73daa876cabde557b3e608b363146847c0b6166dbd1fa5b3c40f5b7c
SSDEEP

1572864:LtvgxNf/ycSW/zU/+4AjyvKSNHTZ1tzU1CQMPXJHPIkjJgtOYda:FgrfKc5I+4AjsHl7zfPjJgtza

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

Processes:

resource	yara_rule
behavioral1/memory/1632-348-0x0000000010000000-0x0000000010017000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 2 IoCs

Processes:

TGlaunch.exeTelegram.exe

pid process

1632 TGlaunch.exe
456 Telegram.exe

pid	process
1632	TGlaunch.exe
456	Telegram.exe

Loads dropped DLL 14 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeTGlaunch.exe

pid	process
2244	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4648	MsiExec.exe
4648	MsiExec.exe
4648	MsiExec.exe
4648	MsiExec.exe
4648	MsiExec.exe
4648	MsiExec.exe
2288	MsiExec.exe
1632	TGlaunch.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tsetup-x64.3.3.1.exemsiexec.exemsiexec.exeTGlaunch.exe

description	ioc	process
File opened (read-only)	\??\Q:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\L:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\M:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\V:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	TGlaunch.exe
File opened (read-only)	\??\Q:	TGlaunch.exe
File opened (read-only)	\??\P:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\T:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	TGlaunch.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	TGlaunch.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	TGlaunch.exe
File opened (read-only)	\??\Z:	TGlaunch.exe
File opened (read-only)	\??\H:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\E:	TGlaunch.exe
File opened (read-only)	\??\R:	TGlaunch.exe
File opened (read-only)	\??\V:	TGlaunch.exe
File opened (read-only)	\??\W:	TGlaunch.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\O:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\W:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	TGlaunch.exe
File opened (read-only)	\??\G:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	TGlaunch.exe
File opened (read-only)	\??\O:	TGlaunch.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\J:	tsetup-x64.3.3.1.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

TGlaunch.exe

pid process

1632 TGlaunch.exe

pid	process
1632	TGlaunch.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI6E57.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI708C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C91.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e5868b8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F23.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EDD84136-9B06-448C-88D5-E08EE93AC3D7}\Telegram.exe	msiexec.exe
File created	C:\Windows\Installer\{EDD84136-9B06-448C-88D5-E08EE93AC3D7}\Telegram.exe	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EDD84136-9B06-448C-88D5-E08EE93AC3D7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7271.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI736C.tmp	msiexec.exe
File created	C:\Windows\Installer\e5868ba.msi	msiexec.exe
File created	C:\Windows\Installer\e5868b8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6ADA.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000206f4107d723b55a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000206f41070000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900206f4107000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000206f410700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000206f410700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TGlaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TGlaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TGlaunch.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0644BAF8AC3F76469282C346623FB24\63148DDE60B9C844885D0EE89EA33C7D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\SourceList\PackageName = "Telegram Desktop.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\63148DDE60B9C844885D0EE89EA33C7D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\PackageCode = "9D6C7604EB57849489C83BA438A555F3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0644BAF8AC3F76469282C346623FB24	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram Desktop 3.0.8\\install\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram Desktop 3.0.8\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\63148DDE60B9C844885D0EE89EA33C7D\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\Language = "2052"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\ProductIcon = "C:\\Windows\\Installer\\{EDD84136-9B06-448C-88D5-E08EE93AC3D7}\\Telegram.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\ProductName = "Telegram Desktop"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\Version = "50331656"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63148DDE60B9C844885D0EE89EA33C7D\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Telegram.exe

pid process

456 Telegram.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exeTGlaunch.exe

pid process

3068 msiexec.exe
3068 msiexec.exe
1632 TGlaunch.exe
1632 TGlaunch.exe
1632 TGlaunch.exe
1632 TGlaunch.exe

pid	process
3068	msiexec.exe
3068	msiexec.exe
1632	TGlaunch.exe
1632	TGlaunch.exe
1632	TGlaunch.exe
1632	TGlaunch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exetsetup-x64.3.3.1.exe

description	pid	process
Token: SeSecurityPrivilege	3068	msiexec.exe
Token: SeCreateTokenPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeAssignPrimaryTokenPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeLockMemoryPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeIncreaseQuotaPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeMachineAccountPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeTcbPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeSecurityPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeTakeOwnershipPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeLoadDriverPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeSystemProfilePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeSystemtimePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeProfSingleProcessPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeIncBasePriorityPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeCreatePagefilePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeCreatePermanentPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeBackupPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeRestorePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeShutdownPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeDebugPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeAuditPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeSystemEnvironmentPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeChangeNotifyPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeRemoteShutdownPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeUndockPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeSyncAgentPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeEnableDelegationPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeManageVolumePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeImpersonatePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeCreateGlobalPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeCreateTokenPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeAssignPrimaryTokenPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeLockMemoryPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeIncreaseQuotaPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeMachineAccountPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeTcbPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeSecurityPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeTakeOwnershipPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeLoadDriverPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeSystemProfilePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeSystemtimePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeProfSingleProcessPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeIncBasePriorityPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeCreatePagefilePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeCreatePermanentPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeBackupPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeRestorePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeShutdownPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeDebugPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeAuditPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeSystemEnvironmentPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeChangeNotifyPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeRemoteShutdownPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeUndockPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeSyncAgentPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeEnableDelegationPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeManageVolumePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeImpersonatePrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeCreateGlobalPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeCreateTokenPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeAssignPrimaryTokenPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeLockMemoryPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeIncreaseQuotaPrivilege	3900	tsetup-x64.3.3.1.exe
Token: SeMachineAccountPrivilege	3900	tsetup-x64.3.3.1.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

tsetup-x64.3.3.1.exemsiexec.exeTelegram.exe

pid	process
3900	tsetup-x64.3.3.1.exe
1572	msiexec.exe
1572	msiexec.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

Telegram.exe

pid process

456 Telegram.exe
456 Telegram.exe
456 Telegram.exe
456 Telegram.exe
456 Telegram.exe
456 Telegram.exe
456 Telegram.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

Telegram.exe

pid	process
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe
456	Telegram.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

msiexec.exetsetup-x64.3.3.1.exeTGlaunch.exe

description	pid	process	target process
PID 3068 wrote to memory of 2244	3068	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 2244	3068	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 2244	3068	msiexec.exe	MsiExec.exe
PID 3900 wrote to memory of 1572	3900	tsetup-x64.3.3.1.exe	msiexec.exe
PID 3900 wrote to memory of 1572	3900	tsetup-x64.3.3.1.exe	msiexec.exe
PID 3900 wrote to memory of 1572	3900	tsetup-x64.3.3.1.exe	msiexec.exe
PID 3068 wrote to memory of 4468	3068	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 4468	3068	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 4468	3068	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 1272	3068	msiexec.exe	srtasks.exe
PID 3068 wrote to memory of 1272	3068	msiexec.exe	srtasks.exe
PID 3068 wrote to memory of 4648	3068	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 4648	3068	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 4648	3068	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 2288	3068	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 2288	3068	msiexec.exe	MsiExec.exe
PID 3068 wrote to memory of 2288	3068	msiexec.exe	MsiExec.exe
PID 1632 wrote to memory of 456	1632	TGlaunch.exe	Telegram.exe
PID 1632 wrote to memory of 456	1632	TGlaunch.exe	Telegram.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\tsetup-x64.3.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\tsetup-x64.3.3.1.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram Desktop 3.0.8\install\Telegram Desktop.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\tsetup-x64.3.3.1.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1678206232 "
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1572

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2902B4011491637D30C7F3E21B2CA1DB C
2⤵
- Loads dropped DLL
PID:2244

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D77DFAE0375F22B326A53E7F1C11104B C
2⤵
- Loads dropped DLL
PID:4468

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1272

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9DD72EB44AEDD8F522E4407A500ECCEB
2⤵
- Loads dropped DLL
PID:4648

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8A986041CE091385C72264B3775F502E E Global\MSI0000
2⤵
- Loads dropped DLL
PID:2288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4756

C:\Users\Public\Documents\Telegram\TGlaunch.exe
"C:\Users\Public\Documents\Telegram\TGlaunch.exe" et.dll cYreenQillmet
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Public\Documents\Telegram\Telegram.exe
"Telegram.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5868b9.rbs
Filesize
13KB

MD5
b44a945cf3845b7410217c22693a45ca

SHA1
978e68156b450eaa459a62c3f6f41753b5dff55d

SHA256
117cf2b16d87328b8e2e39a9725a90316258962a55a3b38bda142fadce5696f2

SHA512
3bb673027e03c3c25fd497ac76a05c3a2dd1386112bb1128b383d8996e6592f05c75cda59ae04755c27123d5cb58decaf15df8ccc5333bd5ce7904fbd0639aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI20C7.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI20C7.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI248F.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI248F.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI254C.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI254C.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI254C.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI25AA.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI25AA.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI25CB.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI25CB.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI282D.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI282D.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram Desktop 3.0.8\install\Telegram Desktop.msi
Filesize
1.4MB

MD5
e3955c3fe76b4bf069130cf2c2542373

SHA1
c5f74693a29160a3d9bb692fa9de59e4d3cf1c37

SHA256
ca3416499f6eb9a301d3e6e938e13d7f4003d4a58b6ebee1bbd86b1c5b1cedbf

SHA512
06f1b4e7bbbc7b390206bc60f67f10025b004b916ef3a54ea28a3d68dbecb5acf4d7e74897581e725aa61095d4a7c503e6441512e55401f3d8d7c70fd78932d8

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram Desktop 3.0.8\install\Telegram Desktop.msi
Filesize
1.4MB

MD5
e3955c3fe76b4bf069130cf2c2542373

SHA1
c5f74693a29160a3d9bb692fa9de59e4d3cf1c37

SHA256
ca3416499f6eb9a301d3e6e938e13d7f4003d4a58b6ebee1bbd86b1c5b1cedbf

SHA512
06f1b4e7bbbc7b390206bc60f67f10025b004b916ef3a54ea28a3d68dbecb5acf4d7e74897581e725aa61095d4a7c503e6441512e55401f3d8d7c70fd78932d8

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram Desktop 3.0.8\install\Telegram Desktop1.cab
Filesize
69.5MB

MD5
29251a9748856b05a41b76f12d2211f9

SHA1
ce75e024ff9f6c4a85938037bc11cd5041b2f9ea

SHA256
4403574e0c8790eb6ed3a863f55baa7d2a75cb0e04fe96bc696a87ebad832409

SHA512
1cc0bb345fb45dff70390ef5541af4daf91c673fd607294dc0b5270cc2f650a3d283a26c56316114c2d387b355378b6b602061cd1da6fea0009cb876717d63ca

Download Submit
C:\Users\Public\Desktop\Telegram.lnk
Filesize
2KB

MD5
0dd245981cebc956b7f209c68efd1232

SHA1
a98007302effee5bf4ea8e709c68db09e025385b

SHA256
764d828dc4a5a8ce3ea14518e309107a135fbeed446380c4a2a92c7f08a274f3

SHA512
656f702a55784aee25885c885fff63a5b66443837cb828b9658a287ce8c6cb00b6f3e16d00f911e3360b9ce874b8398fda720f8c797a480448da5b9ea87d7e81

Download Submit
C:\Users\Public\Documents\Telegram\TGlaunch.exe
Filesize
54KB

MD5
8b58f37fefc0665fff67f2b8c7d45d2b

SHA1
eac428a1b047cb58b211db3f3d0e2c188b0f6709

SHA256
4994600f901938b072bac73c78b2ca14302a54144fde1d9d53062be5df628b8b

SHA512
b897b68232db4281fb742ca7c678436a4f2745c7993f6fb7f44ade86f92c1dfd47e1e166bf9fe7808c5ee57b7be74dd067308caead23f684ce44d7243d3685ec

Download Submit
C:\Users\Public\Documents\Telegram\TGlaunch.exe
Filesize
54KB

MD5
8b58f37fefc0665fff67f2b8c7d45d2b

SHA1
eac428a1b047cb58b211db3f3d0e2c188b0f6709

SHA256
4994600f901938b072bac73c78b2ca14302a54144fde1d9d53062be5df628b8b

SHA512
b897b68232db4281fb742ca7c678436a4f2745c7993f6fb7f44ade86f92c1dfd47e1e166bf9fe7808c5ee57b7be74dd067308caead23f684ce44d7243d3685ec

Download Submit
C:\Users\Public\Documents\Telegram\Telegram.exe
Filesize
96.9MB

MD5
3572a4281dfb994f2cbbb9ad2ef44f7e

SHA1
102ec1d12a8df29ecfbd377a2562445d50e4eea8

SHA256
d4482d2c39d456b45d877dda147e72ec285b7230a72a0393c457179dead12f60

SHA512
db8e3673b4020cb6c206a713558cafe740f23dd770b3b238a7cea9e012d3bd119ca77b5fffd53776e6c298ea0e91d9f304c0be1b956943a47d3fed5819837195

Download Submit
C:\Users\Public\Documents\Telegram\Telegram.exe
Filesize
96.9MB

MD5
3572a4281dfb994f2cbbb9ad2ef44f7e

SHA1
102ec1d12a8df29ecfbd377a2562445d50e4eea8

SHA256
d4482d2c39d456b45d877dda147e72ec285b7230a72a0393c457179dead12f60

SHA512
db8e3673b4020cb6c206a713558cafe740f23dd770b3b238a7cea9e012d3bd119ca77b5fffd53776e6c298ea0e91d9f304c0be1b956943a47d3fed5819837195

Download Submit
C:\Users\Public\Documents\Telegram\et.dll
Filesize
5.9MB

MD5
a4216b905c001fe5bf62d6a403dfce04

SHA1
653985430c85bf17b75a2dbde4a60f4d7daa843c

SHA256
f98d790fe9af0815112773a29c443ecd3747efd730bc59ce2d30cd7bffb8bcef

SHA512
0c3510655949d0af5e3d467878c3e6ef2a76eae90ec3f274525a379dba130fe1fa9702b097c425e741995f23a9a4e3d7bcfd7cdd6180b41eec4cce18dcacf135

Download Submit
C:\Users\Public\Documents\Telegram\et.dll
Filesize
5.9MB

MD5
a4216b905c001fe5bf62d6a403dfce04

SHA1
653985430c85bf17b75a2dbde4a60f4d7daa843c

SHA256
f98d790fe9af0815112773a29c443ecd3747efd730bc59ce2d30cd7bffb8bcef

SHA512
0c3510655949d0af5e3d467878c3e6ef2a76eae90ec3f274525a379dba130fe1fa9702b097c425e741995f23a9a4e3d7bcfd7cdd6180b41eec4cce18dcacf135

Download Submit
C:\Users\Public\Documents\Telegram\log.txt
Filesize
10KB

MD5
382fa6ac1e26acbf67a86fb6a1b03dc2

SHA1
c367f787238b8f0c7aadfe71434935aa47f38471

SHA256
3cfbce9ff0089ccf8b0ed47bc07c9a881d01836a9703e2fad30ee74b4dd03e16

SHA512
19e7e47875e63f91a07e71ccf69fce50d15d8427bfe79ae4bdb17dd5fad7867a3b427fdccdd0718a534238c96d0c10fc3e93ecfcd9c0fe0ecf234a9064119f4a

Download Submit
C:\Users\Public\Documents\Telegram\tdata\048E69C67385AE97s
Filesize
140B

MD5
cc757890f1040a928aafaaa5a4e0d34e

SHA1
bc4254c19c7f0e6e8dbfaedfe507fc4a075c1d7b

SHA256
e8fcd94292f36c2e8178ecc3711e09461deb01d576f51994d5faf24d339c69c0

SHA512
b0c32d7c7072eddb42acf4ca0556f86c3cea1af5832e48219c74e3d666e1e04a8aff8fc00601b691a41775ca4ae05bf5b59023e7e7a43bade6b9ce3d68014d39

Download Submit
C:\Users\Public\Documents\Telegram\tdata\515B1E35759AE626s
Filesize
317KB

MD5
c2a9f14ca9e8ece1d015f143e65b1316

SHA1
e691bc7a005f1c9775779f0266cd34573373df19

SHA256
784cffec42c10e6eef275236708cc94be4c516bd4e926e727b436e6e06e778c1

SHA512
8b6156ee29774a3074bfd5cc5541a18d5ab222ebb565f5bb42d9ea08ccb88d20efd443b7f70584031934f3ade7f3cc2d1eec50310941feed1285305f2e9aa805

Download Submit
C:\Users\Public\Documents\Telegram\tdata\D877F783D5D3EF8C\89E9102497C5C507s
Filesize
92B

MD5
d59dc2ef2cc02ffe1bf43526c48d3557

SHA1
8e126d78aa43ee44e18ac72584141c74f0f34a73

SHA256
ab667edfec9dd85647647fd5045d82c41110d25431a50607a896df13f29a4cbb

SHA512
019dbe320762252aa9b23551e809b0c37fc6d9c68d16483118f38b256c6ef768043e4799c3574460bffcb34ec855706359fee06036d9482078d0912bb15f5a34

Download Submit
C:\Users\Public\Documents\Telegram\tdata\D877F783D5D3EF8C\configs
Filesize
940B

MD5
86221cf9e915755a25150045ef7c7136

SHA1
d4dd6effadb78ea892b1992ec02085aad85a2aeb

SHA256
b6598191c97d3fd35a675f95592f31564ec0522798bcd52b6d05e08ae1619e4d

SHA512
49ec8490b610b2a31e8a17b14f07a1d42186df1a9a2ddecd057e39e1e7f00106da559e802c678b98892c903cc5d0d88721a0614d0c44d876e48f4c99ba1bab5b

Download Submit
C:\Users\Public\Documents\Telegram\tdata\D877F783D5D3EF8C\maps
Filesize
68B

MD5
fbb76ff0d584d78354b4286057baa3eb

SHA1
78b8d1d4c4326af56ed13f1f6f0a0e2178b33c9c

SHA256
efac11e7d3de0853457f56cb6cdbc53bdfffe510ab4b8eaab4ecc99e808fb04f

SHA512
4c64796a9a613b97d134f8814388460f2004f9b16c3f581fea1a0d387ba9b2adc7a8e4829d4ffcd5cd1d524a7914625c20dbdb46ef00bc49b5192cd708ab9112

Download Submit
C:\Users\Public\Documents\Telegram\tdata\D877F783D5D3EF8Cs
Filesize
348B

MD5
227700e31ebfd1a654c6b592bbbfe7d1

SHA1
d611399ed41b25ecd24525e05af6d0468e7b9912

SHA256
fac5b231e7347a84402dfbc7e5bb4bd1fae74b50e14f6a42cb1136bc5e5cedcc

SHA512
552f824b757ef7cf46a781c69ae1959fbf633475cddae3dfef3c9208eccb4d1b2445d9a27ecb9e47f58f51c1c56f71223b7f214f1364f7010fb450fc48cf3609

Download Submit
C:\Users\Public\Documents\Telegram\tdata\countries
Filesize
20KB

MD5
165b5aab89fe4d62279b924b1e6c8d1f

SHA1
38738fd29a134acc3ff288b0758c27ff9f7215da

SHA256
f7963d70c9f4e88c3a6d8d8c93e8a19e0727448c17352f2e901099653a84a748

SHA512
a43d5663d8ecd57d5eb492264039b7bcea735c5d273e6f03975eaeb09ee3f7f17c05ac55e3f7a97dc1568e2cb03f7b85d6e0a41311fdcdc6f05e32be429ac5f6

Download Submit
C:\Users\Public\Documents\Telegram\tdata\devversion
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Public\Documents\Telegram\tdata\key_datas
Filesize
388B

MD5
4d45a3012c333a6f157bf7ba9519ce5e

SHA1
a18c7112959a115ef5c3a78afdaa8c6b0de56f48

SHA256
3814451a5fb4739d4ba4d7cba0e82458db9835b2c41c2cf3843c880a55ce9766

SHA512
bb2e04cd6c5c19b96ca8f8e63ea9ea2c1ed82fd573da16c00b8e40be363da84221463b21fec435771f1bdb18dfde2812c9206c657931e643f1076846a1b1e035

Download Submit
C:\Users\Public\Documents\Telegram\tdata\prefix
Filesize
24B

MD5
3fb9de9c3edf4abc3a42deaf14dfa8d6

SHA1
d02d2382706bffb38831acfcce62e720a6d55733

SHA256
84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28

SHA512
7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692

Download Submit
C:\Users\Public\Documents\Telegram\tdata\settingss
Filesize
1KB

MD5
bd7aab99d3c1d41f9f60a9a50f7e6f19

SHA1
106e2042aa38d987f1db7f4c330bff8404677fed

SHA256
b69fa7f49b043ad408679490c96c5e57e98f99b59196f617ee24a04a834cc5ab

SHA512
fcae914376f9fd11f026010227e9ab7d33ce84709a4995e9f2c679d35cddf88c82f5fe592f37f62729b765fa35f7d64cc9b1ce92c040bc20edf49afefd9e76e8

Download Submit
C:\Users\Public\Documents\Telegram\tdata\shortcuts-custom.json
Filesize
404B

MD5
874b930b4c2fddc8043f59113c044a14

SHA1
75b14a96fe1194f27913a096e484283b172b1749

SHA256
f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8

SHA512
f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

Download Submit
C:\Users\Public\Documents\Telegram\tdata\shortcuts-default.json
Filesize
2KB

MD5
ae4ad14b0a2af89afedf18d669d5b6e8

SHA1
c1c8f1dc96499e6fb103dd6e30c83ecb7715162f

SHA256
ec37f82f8a7f471f3c742b2cd3258694f0f7d82c98c88a32740709a340ce0bcd

SHA512
403cff1920a6aa52e6f0e97eb110c3b68aea113586d7fd4c18485335629cb69f134f7469c721e8771155acf495fbaa8a85f8b4d92cea4782c82d02e1e0bb8a40

Download Submit
C:\Users\Public\Documents\Telegram\tdata\usertag
Filesize
8B

MD5
d8b8e44c6fbc20f3554bcbb051390a7d

SHA1
ecf4605b7297260cbd070322ce3d34045c4242e1

SHA256
0f39c7671a3cd635a21daa5308d8735bca9a5ee526e02fe4ed75747f371f704e

SHA512
fd30d50a69052591425305415d7b72f403aea59c1ae51bf76a9b85b12cf4e9f9a6ac4f55dac01f3c5629e043a0275aa3ca811709b0cd27a8c1b3d31a4ba48eb7

Download Submit
C:\Windows\Installer\MSI6ADA.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Windows\Installer\MSI6ADA.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Windows\Installer\MSI6C91.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Windows\Installer\MSI6C91.tmp
Filesize
374KB

MD5
5e33a5224c4d523a2517ba8a96aaff42

SHA1
12e41a9380cc890053b5c7e19769c76bfa1608d4

SHA256
d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

SHA512
bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

Download Submit
C:\Windows\Installer\MSI6F23.tmp
Filesize
533KB

MD5
2b6fa5bfa4831df74de91db162bfaad1

SHA1
83c0bf7bbdecd65bcae1757a6a400ed8606cf8ab

SHA256
005e3260c33fb8c8033dec123d4e71613523fc5d11b32c93c74e86a35c876740

SHA512
fc4739b9fc23fb13765c107aa61ea57ae965d329874c4a57a62b980bb363939c53d8a966c0bc9bb92a794ebe6e3b52672bb403f684a273bce7193164d19ecc1c

Download Submit
C:\Windows\Installer\MSI6F23.tmp
Filesize
533KB

MD5
2b6fa5bfa4831df74de91db162bfaad1

SHA1
83c0bf7bbdecd65bcae1757a6a400ed8606cf8ab

SHA256
005e3260c33fb8c8033dec123d4e71613523fc5d11b32c93c74e86a35c876740

SHA512
fc4739b9fc23fb13765c107aa61ea57ae965d329874c4a57a62b980bb363939c53d8a966c0bc9bb92a794ebe6e3b52672bb403f684a273bce7193164d19ecc1c

Download Submit
C:\Windows\Installer\MSI708C.tmp
Filesize
275KB

MD5
dcb6b94b4a41fabdbdbb6fe2a362681d

SHA1
efd8d4c271178a6cc37a265f287abfbc6ea91e13

SHA256
7a370cdf28500d571d1562a9ddb4977f6a837a7b095de9a7c469c7079923da95

SHA512
5dc3fda6012667cdf6f9a5ba96b01a4d74b0d4dc1f53ce2ad36296d79591c8eb34ec787ced4862b768523c3fa69ffef4b88ff653774357d7d5a052efde3bd87d

Download Submit
C:\Windows\Installer\MSI708C.tmp
Filesize
275KB

MD5
dcb6b94b4a41fabdbdbb6fe2a362681d

SHA1
efd8d4c271178a6cc37a265f287abfbc6ea91e13

SHA256
7a370cdf28500d571d1562a9ddb4977f6a837a7b095de9a7c469c7079923da95

SHA512
5dc3fda6012667cdf6f9a5ba96b01a4d74b0d4dc1f53ce2ad36296d79591c8eb34ec787ced4862b768523c3fa69ffef4b88ff653774357d7d5a052efde3bd87d

Download Submit
C:\Windows\Installer\MSI7271.tmp
Filesize
275KB

MD5
dcb6b94b4a41fabdbdbb6fe2a362681d

SHA1
efd8d4c271178a6cc37a265f287abfbc6ea91e13

SHA256
7a370cdf28500d571d1562a9ddb4977f6a837a7b095de9a7c469c7079923da95

SHA512
5dc3fda6012667cdf6f9a5ba96b01a4d74b0d4dc1f53ce2ad36296d79591c8eb34ec787ced4862b768523c3fa69ffef4b88ff653774357d7d5a052efde3bd87d

Download Submit
C:\Windows\Installer\MSI7271.tmp
Filesize
275KB

MD5
dcb6b94b4a41fabdbdbb6fe2a362681d

SHA1
efd8d4c271178a6cc37a265f287abfbc6ea91e13

SHA256
7a370cdf28500d571d1562a9ddb4977f6a837a7b095de9a7c469c7079923da95

SHA512
5dc3fda6012667cdf6f9a5ba96b01a4d74b0d4dc1f53ce2ad36296d79591c8eb34ec787ced4862b768523c3fa69ffef4b88ff653774357d7d5a052efde3bd87d

Download Submit
C:\Windows\Installer\MSI736C.tmp
Filesize
533KB

MD5
2b6fa5bfa4831df74de91db162bfaad1

SHA1
83c0bf7bbdecd65bcae1757a6a400ed8606cf8ab

SHA256
005e3260c33fb8c8033dec123d4e71613523fc5d11b32c93c74e86a35c876740

SHA512
fc4739b9fc23fb13765c107aa61ea57ae965d329874c4a57a62b980bb363939c53d8a966c0bc9bb92a794ebe6e3b52672bb403f684a273bce7193164d19ecc1c

Download Submit
C:\Windows\Installer\MSI736C.tmp
Filesize
533KB

MD5
2b6fa5bfa4831df74de91db162bfaad1

SHA1
83c0bf7bbdecd65bcae1757a6a400ed8606cf8ab

SHA256
005e3260c33fb8c8033dec123d4e71613523fc5d11b32c93c74e86a35c876740

SHA512
fc4739b9fc23fb13765c107aa61ea57ae965d329874c4a57a62b980bb363939c53d8a966c0bc9bb92a794ebe6e3b52672bb403f684a273bce7193164d19ecc1c

Download Submit
C:\Windows\Installer\MSI8B3B.tmp
Filesize
275KB

MD5
dcb6b94b4a41fabdbdbb6fe2a362681d

SHA1
efd8d4c271178a6cc37a265f287abfbc6ea91e13

SHA256
7a370cdf28500d571d1562a9ddb4977f6a837a7b095de9a7c469c7079923da95

SHA512
5dc3fda6012667cdf6f9a5ba96b01a4d74b0d4dc1f53ce2ad36296d79591c8eb34ec787ced4862b768523c3fa69ffef4b88ff653774357d7d5a052efde3bd87d

Download Submit
C:\Windows\Installer\MSI8B3B.tmp
Filesize
275KB

MD5
dcb6b94b4a41fabdbdbb6fe2a362681d

SHA1
efd8d4c271178a6cc37a265f287abfbc6ea91e13

SHA256
7a370cdf28500d571d1562a9ddb4977f6a837a7b095de9a7c469c7079923da95

SHA512
5dc3fda6012667cdf6f9a5ba96b01a4d74b0d4dc1f53ce2ad36296d79591c8eb34ec787ced4862b768523c3fa69ffef4b88ff653774357d7d5a052efde3bd87d

Download Submit
C:\Windows\Installer\MSI8B3B.tmp
Filesize
275KB

MD5
dcb6b94b4a41fabdbdbb6fe2a362681d

SHA1
efd8d4c271178a6cc37a265f287abfbc6ea91e13

SHA256
7a370cdf28500d571d1562a9ddb4977f6a837a7b095de9a7c469c7079923da95

SHA512
5dc3fda6012667cdf6f9a5ba96b01a4d74b0d4dc1f53ce2ad36296d79591c8eb34ec787ced4862b768523c3fa69ffef4b88ff653774357d7d5a052efde3bd87d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
795ca75ce948b413523ceb3f1f0494f6

SHA1
f6401e65b121db0da06f321ede4f992a4e4ccbe8

SHA256
95e9cdae515da7b07196f57025f525045f9d0e1a837e487979f23dc989ccf93b

SHA512
4a7bbee63e720942cdff08b53848aacc25e3f1db4a75a376e13edd1d8dc73d9d5ab5f86c929ee42fa1bf6d148acf6d9a05ee2002e515f9e9d09dd9b362dddd87

Download Submit
\??\Volume{07416f20-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{90ab2797-2fd2-41b0-bd0e-0fa0ff666a2d}_OnDiskSnapshotProp
Filesize
5KB

MD5
a8043723b331bd1520c6810599dc8c79

SHA1
93908c4e75116481a0521ddbcdcbc699ee7cfeb5

SHA256
ef6ecb412b7e051a60e070fcc918b93f8455ffc872f513babec7e7ea6e025374

SHA512
e81e81cf6f691e8f0abf38a751a2531c1c5565009ff3367031c2fa8aa0e0ecbc2a04474e406583f7a6cb88c144be666a5e04d08c5848cdb8010e2ec3246cae2c

Download Submit
memory/456-298-0x00000199D7230000-0x00000199D7240000-memory.dmp

Filesize
64KB

Download
memory/456-334-0x00000199D7230000-0x00000199D7240000-memory.dmp

Filesize
64KB

Download
memory/1632-291-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1632-290-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1632-348-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1632-292-0x0000000074910000-0x0000000074F05000-memory.dmp

Filesize
6.0MB

Download