aa3f58f228d9d0ef44417c33aa03e3d3c7b3cfde67c0db70a9d21fb8b5cb981c

Analysis

max time kernel
298s
max time network
283s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
Size

39.1MB
MD5

c12ef4a309a821b55acd077a9a64a397
SHA1

e3f9a27437121c58cb35291ab5dfefae83e9319d
SHA256

2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6
SHA512

ea820e5048a7bb3670cf5433cf3acb084373f5a8ec225ba84aac5ec06dabaf0c9c96f37b2e2de8342dacd9d0106f594bb2876ac27952c8b49d9332911b376902
SSDEEP

786432:9OHnlxUFm6/c37hhtPOmN+FjEaQ9I73VecYiSLzufVcxQwf0ZTTFRp66Q:Mx4ChLOZloI73zSLzSVS0Z3Dp66Q

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
668	irsetup.exe
1616	UIAutomationCore.exe
604	Telegram.exe
1964	UIAutomationCore.exe

Loads dropped DLL 10 IoCs

pid	Process
1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
668	irsetup.exe
668	irsetup.exe
1616	UIAutomationCore.exe
584	cmd.exe
1616	UIAutomationCore.exe
1964	UIAutomationCore.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000a000000012306-57.dat	upx
behavioral3/files/0x000a000000012306-60.dat	upx
behavioral3/files/0x000a000000012306-66.dat	upx
behavioral3/files/0x000a000000012306-64.dat	upx
behavioral3/files/0x000a000000012306-61.dat	upx
behavioral3/files/0x000a000000012306-68.dat	upx
behavioral3/files/0x000a000000012306-71.dat	upx
behavioral3/memory/668-73-0x0000000000020000-0x0000000000408000-memory.dmp	upx
behavioral3/memory/668-87-0x0000000000020000-0x0000000000408000-memory.dmp	upx
behavioral3/memory/668-178-0x0000000000020000-0x0000000000408000-memory.dmp	upx
behavioral3/memory/668-184-0x0000000000020000-0x0000000000408000-memory.dmp	upx
behavioral3/memory/668-191-0x0000000000020000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run	UIAutomationCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\UIAutomationCore = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\jlfdbgj\\UIAutomationCore.exe"	UIAutomationCore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UIAutomationCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	UIAutomationCore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
604	Telegram.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
668	irsetup.exe
668	irsetup.exe
668	irsetup.exe
1616	UIAutomationCore.exe
1964	UIAutomationCore.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 668	1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe	27
PID 1636 wrote to memory of 668	1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe	27
PID 1636 wrote to memory of 668	1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe	27
PID 1636 wrote to memory of 668	1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe	27
PID 1636 wrote to memory of 668	1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe	27
PID 1636 wrote to memory of 668	1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe	27
PID 1636 wrote to memory of 668	1636	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe	27
PID 1616 wrote to memory of 584	1616	UIAutomationCore.exe	30
PID 1616 wrote to memory of 584	1616	UIAutomationCore.exe	30
PID 1616 wrote to memory of 584	1616	UIAutomationCore.exe	30
PID 1616 wrote to memory of 584	1616	UIAutomationCore.exe	30
PID 584 wrote to memory of 604	584	cmd.exe	32
PID 584 wrote to memory of 604	584	cmd.exe	32
PID 584 wrote to memory of 604	584	cmd.exe	32
PID 584 wrote to memory of 604	584	cmd.exe	32
PID 1900 wrote to memory of 1964	1900	taskeng.exe	34
PID 1900 wrote to memory of 1964	1900	taskeng.exe	34
PID 1900 wrote to memory of 1964	1900	taskeng.exe	34
PID 1900 wrote to memory of 1964	1900	taskeng.exe	34

C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
"C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1865762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-3518257231-2980324860-1431329550-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:668

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe" ghkh
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
    "C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    PID:604

C:\Windows\system32\taskeng.exe
taskeng.exe {E8894ABF-7412-4937-A413-50E21F5C476A} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
  "C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
11KB

MD5
d1b051718019662c277bab1e4103c9ad

SHA1
ede02518fbeaf10d23ee3a6d1f609132da95d5d7

SHA256
727b9b7061ce4222ffa60b71ec559ff84a8998b6d5d6a3c77073167e56da17b2

SHA512
a9ad33225eb9baaf95e6c00890a8eb92e12665113b343dda933609e526b276e92408d94f58edd0ddb64159abfc8ebb10b24bef18ac7bac73791837ea8b6fe7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG

Filesize
59KB

MD5
0028d88c77614bd1bb9c75c3ec8b23b2

SHA1
ddf237e383d35fd6b0c5edffcef582ec92738b00

SHA256
312bcd1f10bac3f8a0bd9bed46bb8e8a42ed0224ff0e1be3a5f748401b47cdbc

SHA512
bbe62015d6fb2846354f4a208300493ad8e3206e3e790c443f2043e26f7b94fe435a825fee157067b0c9f907d2d25b67e1d7a712470397912ca58cccd3971f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Ico.ico

Filesize
66KB

MD5
bbb9d3f02a53d5c497735cbfb15daa80

SHA1
807f2bbe8e197d473de5f0b904366bf3c1c14009

SHA256
ed1d7d9a65646ae96c0874fec5a93d85a71628f26924f709459af121cc52f7c7

SHA512
c86154ea9a8a9e4d1a86326cdbf39755d93ae48367c78079c3a4f89686e328aa5d177042a27c444b76f5d8847e3bd27553d7e020e550f2135d4252349d093e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

Filesize
110.2MB

MD5
3771c9a1eeee342b5d6d556f974176c3

SHA1
30c39a1611e7efe5f1ce626b5be77f0aaa255662

SHA256
d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db

SHA512
5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

Filesize
110.2MB

MD5
3771c9a1eeee342b5d6d556f974176c3

SHA1
30c39a1611e7efe5f1ce626b5be77f0aaa255662

SHA256
d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db

SHA512
5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Filesize
809KB

MD5
2f5c5f2acdd98034e5320a6eeb1700b7

SHA1
ac6420e723c58e473c0924a25b1bc0d8e0d94640

SHA256
8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9

SHA512
4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Filesize
809KB

MD5
2f5c5f2acdd98034e5320a6eeb1700b7

SHA1
ac6420e723c58e473c0924a25b1bc0d8e0d94640

SHA256
8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9

SHA512
4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Filesize
809KB

MD5
2f5c5f2acdd98034e5320a6eeb1700b7

SHA1
ac6420e723c58e473c0924a25b1bc0d8e0d94640

SHA256
8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9

SHA512
4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Filesize
809KB

MD5
2f5c5f2acdd98034e5320a6eeb1700b7

SHA1
ac6420e723c58e473c0924a25b1bc0d8e0d94640

SHA256
8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9

SHA512
4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.txt

Filesize
9B

MD5
18f43ce321930cb8a58cdaa097cb3fba

SHA1
21ffabcf2d85388cc6a228ee79ec418306b3b00e

SHA256
6f2de64ea421f0b7b63471706524f34b2880079b15b747bc0437a94e3ddee43e

SHA512
e98bcd5a81e683b21799de5b05a9b83758dd590f8965c61fe4702525766723112e97cd9fdee13661732781fc9f26113b90622ccce7b1a68b437926867ec866ad

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.udv

Filesize
2.7MB

MD5
1120ff6713728ff084f9885af6ed628b

SHA1
f608ce6972776bdba091300e9db7b7dd881f5417

SHA256
efd99ac7ade1fc59c033c400e15aeaf5530a59ec3e4198878b00eb5c982986f3

SHA512
6cdeca85ecc7163a19a84823ba025207c5f4389017610a986f72f2eeb2e787e1fdab5115bfa978b9fd6617a3165f4a81ccbc71fe7ff05e711963ca6638aebb31

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

Filesize
978KB

MD5
bfb7fef65587cea79c37ecdcafb7346e

SHA1
56cffe9303f55b95353cf4957f2c061d076b515d

SHA256
39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07

SHA512
91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\log.txt

Filesize
4KB

MD5
cfdb70e3cc2d1987fce8051c745bce0c

SHA1
1f8e683788a351e45b498681cf074bd149e1be5b

SHA256
e46d0af620421491328b731cd8c7f673624ad8093a5d5912b6cb8963a6da2132

SHA512
b1eb011c955ce32f4bcbee6800a95570ea5f00cb7d43ea40b30d959f913f4c1dc53a2d456eefbe5ef506119ef4642736b73222c4b6bd195642578ea9eafa69f2

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\usertag

Filesize
8B

MD5
0c17897d0c1fcc4554485537c3ba97f3

SHA1
89d0b8c7afff99f35650ee56ee2e21bec3e47aca

SHA256
85468845a3be98d410eb0cc1b0b193f822af6eb2457b2eb84a061f8ea6cd0a9f

SHA512
2ff0f7f389b8bcf2b35b58be2c8f45f7123c94c4dc07793ab809df699eddbea858e094564fe7819e61381643a6fed8fea50aa0ed37a9a9771c215e0932cb7350

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

Filesize
110.2MB

MD5
3771c9a1eeee342b5d6d556f974176c3

SHA1
30c39a1611e7efe5f1ce626b5be77f0aaa255662

SHA256
d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db

SHA512
5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Filesize
809KB

MD5
2f5c5f2acdd98034e5320a6eeb1700b7

SHA1
ac6420e723c58e473c0924a25b1bc0d8e0d94640

SHA256
8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9

SHA512
4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Filesize
809KB

MD5
2f5c5f2acdd98034e5320a6eeb1700b7

SHA1
ac6420e723c58e473c0924a25b1bc0d8e0d94640

SHA256
8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9

SHA512
4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

Filesize
978KB

MD5
bfb7fef65587cea79c37ecdcafb7346e

SHA1
56cffe9303f55b95353cf4957f2c061d076b515d

SHA256
39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07

SHA512
91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

Filesize
978KB

MD5
bfb7fef65587cea79c37ecdcafb7346e

SHA1
56cffe9303f55b95353cf4957f2c061d076b515d

SHA256
39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07

SHA512
91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

Download Submit
memory/604-204-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/668-87-0x0000000000020000-0x0000000000408000-memory.dmp

Filesize
3.9MB

Download
memory/668-184-0x0000000000020000-0x0000000000408000-memory.dmp

Filesize
3.9MB

Download
memory/668-73-0x0000000000020000-0x0000000000408000-memory.dmp

Filesize
3.9MB

Download
memory/668-178-0x0000000000020000-0x0000000000408000-memory.dmp

Filesize
3.9MB

Download
memory/668-191-0x0000000000020000-0x0000000000408000-memory.dmp

Filesize
3.9MB

Download
memory/1616-229-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1616-202-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1616-247-0x00000000002F0000-0x00000000003EF000-memory.dmp

Filesize
1020KB

Download
memory/1616-195-0x00000000002F0000-0x00000000003EF000-memory.dmp

Filesize
1020KB

Download
memory/1616-206-0x0000000003350000-0x000000000361E000-memory.dmp

Filesize
2.8MB

Download
memory/1616-220-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1616-234-0x0000000003350000-0x000000000361E000-memory.dmp

Filesize
2.8MB

Download
memory/1616-230-0x00000000002F0000-0x00000000003EF000-memory.dmp

Filesize
1020KB

Download
memory/1636-72-0x0000000002E90000-0x0000000003278000-memory.dmp

Filesize
3.9MB

Download
memory/1964-231-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1964-228-0x0000000002F90000-0x000000000325E000-memory.dmp

Filesize
2.8MB

Download
memory/1964-233-0x0000000002F90000-0x000000000325E000-memory.dmp

Filesize
2.8MB

Download
memory/1964-232-0x00000000002D0000-0x00000000003CF000-memory.dmp

Filesize
1020KB

Download
memory/1964-227-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1964-223-0x00000000002D0000-0x00000000003CF000-memory.dmp

Filesize
1020KB

Download