aa3f58f228d9d0ef44417c33aa03e3d3c7b3cfde67c0db70a9d21fb8b5cb981c

Analysis

max time kernel
294s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
Size

39.1MB
MD5

c12ef4a309a821b55acd077a9a64a397
SHA1

e3f9a27437121c58cb35291ab5dfefae83e9319d
SHA256

2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6
SHA512

ea820e5048a7bb3670cf5433cf3acb084373f5a8ec225ba84aac5ec06dabaf0c9c96f37b2e2de8342dacd9d0106f594bb2876ac27952c8b49d9332911b376902
SSDEEP

786432:9OHnlxUFm6/c37hhtPOmN+FjEaQ9I73VecYiSLzufVcxQwf0ZTTFRp66Q:Mx4ChLOZloI73zSLzSVS0Z3Dp66Q

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	UIAutomationCore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe

Executes dropped EXE 4 IoCs

pid	Process
2684	irsetup.exe
1344	UIAutomationCore.exe
2484	UIAutomationCore.exe
4136	Telegram.exe

Loads dropped DLL 5 IoCs

pid	Process
2684	irsetup.exe
1344	UIAutomationCore.exe
1344	UIAutomationCore.exe
2484	UIAutomationCore.exe
2484	UIAutomationCore.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x0006000000023160-138.dat	upx
behavioral4/files/0x0006000000023160-143.dat	upx
behavioral4/memory/2684-144-0x0000000000A10000-0x0000000000DF8000-memory.dmp	upx
behavioral4/files/0x0006000000023160-148.dat	upx
behavioral4/memory/2684-162-0x0000000000A10000-0x0000000000DF8000-memory.dmp	upx
behavioral4/memory/2684-170-0x0000000000A10000-0x0000000000DF8000-memory.dmp	upx
behavioral4/memory/2684-234-0x0000000000A10000-0x0000000000DF8000-memory.dmp	upx
behavioral4/memory/2684-240-0x0000000000A10000-0x0000000000DF8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Windows\CurrentVersion\Run	UIAutomationCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UIAutomationCore = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\jlfdbgj\\UIAutomationCore.exe"	UIAutomationCore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	UIAutomationCore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	UIAutomationCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	UIAutomationCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	UIAutomationCore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	UIAutomationCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	UIAutomationCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	UIAutomationCore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	UIAutomationCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	UIAutomationCore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	UIAutomationCore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	UIAutomationCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	UIAutomationCore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	UIAutomationCore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	UIAutomationCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	UIAutomationCore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	UIAutomationCore.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UIAutomationCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	UIAutomationCore.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\URL Protocol	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell\open\command	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell\open	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\ = "URL:Telegram Link"	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe,1\""	Telegram.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4136	Telegram.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4136	Telegram.exe
4136	Telegram.exe
4136	Telegram.exe
4136	Telegram.exe
4136	Telegram.exe
4136	Telegram.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4136	Telegram.exe
4136	Telegram.exe
4136	Telegram.exe
4136	Telegram.exe
4136	Telegram.exe
4136	Telegram.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2684	irsetup.exe
2684	irsetup.exe
2684	irsetup.exe
1344	UIAutomationCore.exe
2484	UIAutomationCore.exe
4136	Telegram.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2684	2348	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe	85
PID 2348 wrote to memory of 2684	2348	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe	85
PID 2348 wrote to memory of 2684	2348	2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe	85
PID 1344 wrote to memory of 3128	1344	UIAutomationCore.exe	106
PID 1344 wrote to memory of 3128	1344	UIAutomationCore.exe	106
PID 1344 wrote to memory of 3128	1344	UIAutomationCore.exe	106
PID 3128 wrote to memory of 4136	3128	cmd.exe	108
PID 3128 wrote to memory of 4136	3128	cmd.exe	108
PID 3128 wrote to memory of 4136	3128	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
"C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1865762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-2890635272-812199704-3564780063-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2684

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe" ghkh
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
    "C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4136

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
11KB

MD5
d1b051718019662c277bab1e4103c9ad

SHA1
ede02518fbeaf10d23ee3a6d1f609132da95d5d7

SHA256
727b9b7061ce4222ffa60b71ec559ff84a8998b6d5d6a3c77073167e56da17b2

SHA512
a9ad33225eb9baaf95e6c00890a8eb92e12665113b343dda933609e526b276e92408d94f58edd0ddb64159abfc8ebb10b24bef18ac7bac73791837ea8b6fe7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG

Filesize
59KB

MD5
0028d88c77614bd1bb9c75c3ec8b23b2

SHA1
ddf237e383d35fd6b0c5edffcef582ec92738b00

SHA256
312bcd1f10bac3f8a0bd9bed46bb8e8a42ed0224ff0e1be3a5f748401b47cdbc

SHA512
bbe62015d6fb2846354f4a208300493ad8e3206e3e790c443f2043e26f7b94fe435a825fee157067b0c9f907d2d25b67e1d7a712470397912ca58cccd3971f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Ico.ico

Filesize
66KB

MD5
bbb9d3f02a53d5c497735cbfb15daa80

SHA1
807f2bbe8e197d473de5f0b904366bf3c1c14009

SHA256
ed1d7d9a65646ae96c0874fec5a93d85a71628f26924f709459af121cc52f7c7

SHA512
c86154ea9a8a9e4d1a86326cdbf39755d93ae48367c78079c3a4f89686e328aa5d177042a27c444b76f5d8847e3bd27553d7e020e550f2135d4252349d093e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1aa6a97c13b30c8cace9526aad50e3fa

SHA1
9b659ec30a97c4862690eb500f994de0acaf83aa

SHA256
a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00

SHA512
9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

Filesize
110.2MB

MD5
3771c9a1eeee342b5d6d556f974176c3

SHA1
30c39a1611e7efe5f1ce626b5be77f0aaa255662

SHA256
d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db

SHA512
5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

Filesize
110.2MB

MD5
3771c9a1eeee342b5d6d556f974176c3

SHA1
30c39a1611e7efe5f1ce626b5be77f0aaa255662

SHA256
d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db

SHA512
5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Filesize
809KB

MD5
2f5c5f2acdd98034e5320a6eeb1700b7

SHA1
ac6420e723c58e473c0924a25b1bc0d8e0d94640

SHA256
8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9

SHA512
4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Filesize
809KB

MD5
2f5c5f2acdd98034e5320a6eeb1700b7

SHA1
ac6420e723c58e473c0924a25b1bc0d8e0d94640

SHA256
8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9

SHA512
4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Filesize
809KB

MD5
2f5c5f2acdd98034e5320a6eeb1700b7

SHA1
ac6420e723c58e473c0924a25b1bc0d8e0d94640

SHA256
8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9

SHA512
4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Filesize
809KB

MD5
2f5c5f2acdd98034e5320a6eeb1700b7

SHA1
ac6420e723c58e473c0924a25b1bc0d8e0d94640

SHA256
8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9

SHA512
4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.txt

Filesize
9B

MD5
18f43ce321930cb8a58cdaa097cb3fba

SHA1
21ffabcf2d85388cc6a228ee79ec418306b3b00e

SHA256
6f2de64ea421f0b7b63471706524f34b2880079b15b747bc0437a94e3ddee43e

SHA512
e98bcd5a81e683b21799de5b05a9b83758dd590f8965c61fe4702525766723112e97cd9fdee13661732781fc9f26113b90622ccce7b1a68b437926867ec866ad

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.udv

Filesize
2.7MB

MD5
1120ff6713728ff084f9885af6ed628b

SHA1
f608ce6972776bdba091300e9db7b7dd881f5417

SHA256
efd99ac7ade1fc59c033c400e15aeaf5530a59ec3e4198878b00eb5c982986f3

SHA512
6cdeca85ecc7163a19a84823ba025207c5f4389017610a986f72f2eeb2e787e1fdab5115bfa978b9fd6617a3165f4a81ccbc71fe7ff05e711963ca6638aebb31

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

Filesize
978KB

MD5
bfb7fef65587cea79c37ecdcafb7346e

SHA1
56cffe9303f55b95353cf4957f2c061d076b515d

SHA256
39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07

SHA512
91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

Filesize
978KB

MD5
bfb7fef65587cea79c37ecdcafb7346e

SHA1
56cffe9303f55b95353cf4957f2c061d076b515d

SHA256
39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07

SHA512
91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

Filesize
978KB

MD5
bfb7fef65587cea79c37ecdcafb7346e

SHA1
56cffe9303f55b95353cf4957f2c061d076b515d

SHA256
39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07

SHA512
91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

Filesize
978KB

MD5
bfb7fef65587cea79c37ecdcafb7346e

SHA1
56cffe9303f55b95353cf4957f2c061d076b515d

SHA256
39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07

SHA512
91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

Filesize
978KB

MD5
bfb7fef65587cea79c37ecdcafb7346e

SHA1
56cffe9303f55b95353cf4957f2c061d076b515d

SHA256
39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07

SHA512
91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\log.txt

Filesize
4KB

MD5
cfdb70e3cc2d1987fce8051c745bce0c

SHA1
1f8e683788a351e45b498681cf074bd149e1be5b

SHA256
e46d0af620421491328b731cd8c7f673624ad8093a5d5912b6cb8963a6da2132

SHA512
b1eb011c955ce32f4bcbee6800a95570ea5f00cb7d43ea40b30d959f913f4c1dc53a2d456eefbe5ef506119ef4642736b73222c4b6bd195642578ea9eafa69f2

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\3BAA486BE9BF1618s

Filesize
299KB

MD5
ead9b55575c1b95f89b5a880323d1efb

SHA1
f4e56cd384c697d5c22967ecf3e184156bdd475d

SHA256
267f45ad8807c739e75466b17b324807724ad0a518f1cb7f07f6a4c88557085a

SHA512
37e10e7d07081ff595b7641fb555f713901892c621fa7a827e650393eeaa17f396a978c93c21fe9005982edce52ec99719267b1757e90ffc50ef3862b5f64b96

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\6E0F31C32448EA2Bs

Filesize
220B

MD5
dd100daf08b20f17f9aa763c3e4e399c

SHA1
f67830b32210064a4f9c40f0b9ee4f9f5c00651e

SHA256
727dff58c9efbd608932dec51bf99438ffa9876962f6176b782e0d9b799a6d7c

SHA512
fae7500da218788e6bf508ea47da483cf3dcb738483e1d5d346788eb53f90ca86522dca5c9d05920ab3c52399831c701d5a78369e73c6ec5ce74f99a4159cba2

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\DA331D8985149F7Fs

Filesize
140B

MD5
e47df1fab5207e9f89eb9530f559e8de

SHA1
83f016b848b7e1e287532c2ff4c87f0daba7f66f

SHA256
cf10c439da8a3a5a304081c95484a17e31b10dc63c54e2e4e8ead5aa016706a1

SHA512
1edf803b40d70ae584fc4f650d25016326b19696c37797788948acf26a83ec7c905c95cadf54006f82462273e41d248937c06b73de4f52f1f5c8547c14a657da

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\key_datas

Filesize
388B

MD5
c688421cae8171e58612890c99bf42d2

SHA1
9e28a7195e26dc8f57db099e8957dbfea8b3d5d6

SHA256
8fd0684a695ea21c877d634017f499f1cdafeb9cdb877b598212b36a625c27b1

SHA512
f637d3bc7a67486a34f665db73563dbd11b0c63b62df35afbb280a601deaae46e77083597c44082cb9fc1d9e222c170b642cd85d83ba00e9585634969fcc9ef7

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\prefix

Filesize
29B

MD5
47cd49108a29b5b5024ce744ed2169b4

SHA1
8a3a7c67f1d66173132c8f52e1e1233658f653f2

SHA256
cf1832f2ffce3c99e046bf48c0f5184da7dcbcafe2c0c64ee7d4ab86ec7aa47b

SHA512
cfc9a98f737969aa52b33a2d04ff03fe81fbd0e85bba34503df9b34b671120dc3b73d2fc4529d3dc87559ef799e7e4bdfc4c4a807ecf43c53f842ee84800c60e

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\settingss

Filesize
1KB

MD5
3380a7e9f7721ec42c0651f434b56c70

SHA1
48568b2c3a21ff296a2a2b85f04e2e2f6105469e

SHA256
d334dba0b423cf74358b794bf9e7c1289333cd86fdef68bac8c45c8f6714653d

SHA512
6b758286625113aa919760d72b61b8bf06b127cfcf3b4baf8e80993fb17b8ad167659c6779ddcda30fabdcfc82e5e4622cbf7ff30b6269cc92930106fb7959b6

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\shortcuts-custom.json

Filesize
404B

MD5
874b930b4c2fddc8043f59113c044a14

SHA1
75b14a96fe1194f27913a096e484283b172b1749

SHA256
f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8

SHA512
f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\shortcuts-default.json

Filesize
2KB

MD5
cc850fd9abce3912c944d77d8955ebc9

SHA1
71e699b4b680aad0bc339a6511afc75ebb898064

SHA256
e98e0cc330528886e469d795e74a240693968d6a88f3de214878d8f5b08d4bad

SHA512
a8d5aad5fe365d9ea261636956952f705353833456a6cf9dbb4b88d87bbdb2fd52823dad9e77932af8615f2a3e7a1c1c1bacdb5cb00e65affb2644ee3f2def80

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\usertag

Filesize
8B

MD5
0c17897d0c1fcc4554485537c3ba97f3

SHA1
89d0b8c7afff99f35650ee56ee2e21bec3e47aca

SHA256
85468845a3be98d410eb0cc1b0b193f822af6eb2457b2eb84a061f8ea6cd0a9f

SHA512
2ff0f7f389b8bcf2b35b58be2c8f45f7123c94c4dc07793ab809df699eddbea858e094564fe7819e61381643a6fed8fea50aa0ed37a9a9771c215e0932cb7350

Download Submit
memory/1344-341-0x00000000033B0000-0x000000000367E000-memory.dmp

Filesize
2.8MB

Download
memory/1344-265-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/1344-264-0x00000000033B0000-0x000000000367E000-memory.dmp

Filesize
2.8MB

Download
memory/1344-249-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1344-246-0x0000000000AF0000-0x0000000000BEF000-memory.dmp

Filesize
1020KB

Download
memory/1344-286-0x0000000000AF0000-0x0000000000BEF000-memory.dmp

Filesize
1020KB

Download
memory/1344-360-0x0000000000AF0000-0x0000000000BEF000-memory.dmp

Filesize
1020KB

Download
memory/1344-285-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2484-283-0x00000000029E1000-0x0000000002C45000-memory.dmp

Filesize
2.4MB

Download
memory/2484-281-0x0000000000870000-0x000000000096F000-memory.dmp

Filesize
1020KB

Download
memory/2484-273-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2484-266-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2484-262-0x0000000000870000-0x000000000096F000-memory.dmp

Filesize
1020KB

Download
memory/2684-240-0x0000000000A10000-0x0000000000DF8000-memory.dmp

Filesize
3.9MB

Download
memory/2684-234-0x0000000000A10000-0x0000000000DF8000-memory.dmp

Filesize
3.9MB

Download
memory/2684-170-0x0000000000A10000-0x0000000000DF8000-memory.dmp

Filesize
3.9MB

Download
memory/2684-162-0x0000000000A10000-0x0000000000DF8000-memory.dmp

Filesize
3.9MB

Download
memory/2684-144-0x0000000000A10000-0x0000000000DF8000-memory.dmp

Filesize
3.9MB

Download
memory/4136-284-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download
memory/4136-342-0x00000000076B0000-0x00000000076C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads