Analysis Overview
SHA256
aa3f58f228d9d0ef44417c33aa03e3d3c7b3cfde67c0db70a9d21fb8b5cb981c
Threat Level: Known bad
The file kousaka.7z was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
Checks computer location settings
UPX packed file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Modifies registry class
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-30 00:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-30 00:17
Reported
2023-06-30 00:26
Platform
win7-20230621-en
Max time kernel
300s
Max time network
308s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Public\tg\FTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\audidog.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\FTvrst.exe" | C:\Users\Public\tg\FTvrst.exe | N/A |
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1460 set thread context of 1700 | N/A | C:\Users\Public\tg\FTvrst.exe | C:\WINDOWS\DNomb\spolsvt.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.TxlWoh | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-custom.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.NxMXCc | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.HIPlXJ | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.KgahCI | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.emGpRD | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.oOiCno | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.TxlWoh | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_1 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.OsBEij | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.OsBEij | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.KgahCI | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_5 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s.PqGjBQ | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.GiaiXR | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.NxssNW | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\opengl_crash_check | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.NxMXCc | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Updater.exe | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\log.txt | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_1 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.soEPvA | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.oOiCno | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.SUDSjL | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.dIyGLU | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.ekqrct | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.wUeEYm | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_0 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_6 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.SUDSjL | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.jUaeoY | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.OQdWwc | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Telegram.exe | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\A7FDF864FBC10B77s | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_0 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_4 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.jUaeoY | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\log_start0.txt | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_4 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s.PqGjBQ | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\spoiler\text | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_3 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_5 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\prefix | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.HIPlXJ | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_2 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\tupdate4008003 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\F8806DD0C461824Fs | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\usertag | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.emGpRD | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_6 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\modules\x86\d3d\d3dcompiler_47.dll | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\ | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\working | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\tdata\version | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Installer\MSIADCD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB6B6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\spolsvt.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\FTvrst.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\WINDOWS\DNombaudidog.exe | C:\WINDOWS\DNomb\audidog.exe | N/A |
| File created | C:\Windows\Installer\6cad42.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6cad42.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0EA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB3E7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\Mpec.mbt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\audidog.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBD8A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\6cad41.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6cad41.msi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\"" | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\ = "URL:Telegram Link" | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell\open | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\DefaultIcon | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\URL Protocol | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\DefaultIcon | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\"" | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\"" | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell\open | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\"" | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell\open\command | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell\open\command | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Public\tg\FTvrst.exe | N/A |
| N/A | N/A | C:\Users\Public\tg\FTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\audidog.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\audidog.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 51D7AA03420024851281B65254BBDC71 C
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1688077399 "
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F1C099BAFCC4498191245C899F31E9CE C
C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe" /groupsextract:100; /out:"C:\Users\Public" /callbackid:1472
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000004AC"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FC5E5EF5B1C0A405D00E29A15F59DD02
C:\Users\Public\tg\FTvrst.exe
"C:\Users\Public\tg\FTvrst.exe"
C:\WINDOWS\DNomb\spolsvt.exe
C:\WINDOWS\DNomb\spolsvt.exe
C:\WINDOWS\DNomb\audidog.exe
C:\WINDOWS\DNomb\audidog.exe
C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe
"C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | nn.wccabc.com | udp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| US | 149.154.175.100:443 | | tcp |
| US | 149.154.175.100:80 | 149.154.175.100 | tcp |
| NL | 149.154.167.91:443 | | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| NL | 149.154.167.91:80 | 149.154.167.91 | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.4.4:443 | dns.google.com | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 162.159.61.4:443 | mozilla.cloudflare-dns.com | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| NL | 149.154.167.91:443 | | tcp |
| NL | 149.154.167.91:80 | 149.154.167.91 | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi
| MD5 | f4adbf929ac90c4a9fff6142b5daa670 |
| SHA1 | 9d0c56596957d04bb9582a2e0e556dbe7977e9c1 |
| SHA256 | e79ef9535612ba30be0b07a9666d0fe26466eca698a1dbf5a014b176def2df7a |
| SHA512 | ffed2c3da71bb4c6f66c04152df70a2756cc49c7c3eeb4940c08d43bf6e58b7c1656a4915b96f5e87f561ed715c47c68419d4ae89082b221f5e8e0a147aa3a38 |
memory/1524-61-0x0000000000760000-0x0000000000761000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSI2434.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI2434.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI281B.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI281B.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI2925.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI2925.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI2C22.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI2C22.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI2F6E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSI2F6E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI302A.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI302A.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI30B7.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI30B7.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI44D4.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSI44D4.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI4590.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSI4590.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI48FB.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSI48FB.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSIADCD.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Windows\Installer\MSIADCD.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSIB0EA.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Windows\Installer\MSIB0EA.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSIB3E7.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Windows\Installer\MSIB3E7.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSIB6B6.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Windows\Installer\MSIB6B6.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\0469A94410170880s
| MD5 | 237b2bc4ba380664d0e69d95bfbdca62 |
| SHA1 | 42fb204f0fb1b5a1e7d7152070accee988747198 |
| SHA256 | bfb3af061014f48924f4412402ee99f566725932e80f8a27c5bc429544b0dad6 |
| SHA512 | 15bd8b90b1508e40e5e20b4630cf69f3ff597cb11768d78528a0db4a9ef3fd6f20aa1e93cf0b945bff3d6864d4182e1ac4cb33f0d3c83462d6db7c3d53bc2741 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\7B7D9BF38A42FD50s
| MD5 | 4d28d8121c1365d8b66048804cf85431 |
| SHA1 | e19b061f138c52b1a67c123fd8cff8d2f6f3e7ce |
| SHA256 | f620154eb8472755c58e631803e45e08279e5f70b381aa71bfc256a4f06fe6eb |
| SHA512 | 4ef49fb867af0894fa42537832bfd567a0fc6e1f9fbd6966cac6215b30d91617f43acfb3b20b62a6f43163162a0f2123dc8e2ad36f493b5c3b9202689c54a482 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\90AB52E6EF1558C8s
| MD5 | 0aa0727f6230692e520295abca999a94 |
| SHA1 | 2dca6accd906adf49bfd4cfa93b2d862a9c29651 |
| SHA256 | 9676ed8e4497fab0d92b1e2c8c63dec8b9f309db8e379ffbbff919d3c6762e10 |
| SHA512 | 8d0633ef21107c7e5ca4f4ba50ba762bf62956c5bcd3ccfc3ab9b7845bb2a5388b5bacd7c9ddff0b2c7d0b4ed761c15ebb437deb912cf4a573a1fab5e328093d |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\A7FDF864FBC10B77s
| MD5 | 72339e5b4ca4743c2c1313c90fa38b27 |
| SHA1 | 8123ac4d35080c0c397478845b2ab16944636bae |
| SHA256 | 6a8a6995f4f87336681017417d6ae78223cd725e1118c4e336c93e203c17a9e4 |
| SHA512 | 3eb657959bdfc0b30124a7e087d44b33aa7814ee9a18a20205b5debc1b290754024d8529174f3e17646fae77339d28a02312584bd6bda7021ad5b59c67d6fa0d |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\countries
| MD5 | 5d1f2b862acb26f8353cb1d178a2116f |
| SHA1 | e3989f717bb652b4ee3fd18e4dc3f2e0193c75bd |
| SHA256 | 3d6d4e33dcaeff17425ea9451d37bb9c866d711d6ece51ef5c09d2fbd296e85e |
| SHA512 | adb1ef7675a0292b236aafdd923be94705eb7ea7baf25a0d3c001fba2014b8f90473375e96739d8af43a7bd9a123f1ce38c532516da3d1a46db50bf66a0c1a73 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\D877F783D5D3EF8Cs
| MD5 | e58b4c34a563191cfee1d6d617a78216 |
| SHA1 | 83ff6975bacf2f4e5ff44dbf5f8de38f7dd7f437 |
| SHA256 | 729c64f4ee746214839002d6e79bd82baebc2eba5e38e47307e65fcf25a83cf1 |
| SHA512 | 3d875550e6f0f43cc1306f3eb2f83d2b5a06ddc211dcd03c31abc0cce0350481b19015adde62ed8632b8a902138c345e6f7c533be50a55343566903e8d593eeb |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\F8806DD0C461824Fs
| MD5 | fb9a1cbbd1b3531943eecfefa15df5de |
| SHA1 | 0295ac1bdc3a668a5f488e6c98a34ad71a53c67b |
| SHA256 | 438c768ac7851e93d1081c4291c2b14c250b7cc847050d7716626ab3948760d8 |
| SHA512 | abc104efdbf46c9ff9621e9d3c7e3be2d803208e62b63658a1a7f94c8deb823302896b0878c8d9f4962045a7d257afe51047b1ff73f64c2f8e440680a3ef1e60 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\key_datas
| MD5 | eb7e5e1d7636232186c42fe52b7611b6 |
| SHA1 | ae235dcf06db5931e082155da14936ed7c7db2fb |
| SHA256 | 66d374699b23bd425bb68f5480785ae70f0f87f2e5948d0bd51ce7838fdb706a |
| SHA512 | 813d9318d6937ba6a6def9bd676a26999cb97e0f0b744c0a99174d4fd6163414cff9f5195d420fdd7cdc86442cceb7a7130ad0fe2f93ab5d961381b90df859e5 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\prefix
| MD5 | 3fb9de9c3edf4abc3a42deaf14dfa8d6 |
| SHA1 | d02d2382706bffb38831acfcce62e720a6d55733 |
| SHA256 | 84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28 |
| SHA512 | 7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\settingss
| MD5 | d149ddf991c084294f019fc76161fb15 |
| SHA1 | d42777f18ed62c3f4c8ff5d326f63fccfe06d454 |
| SHA256 | 9afef05acbb201afd6007584482f01c93628484d9d80858f8cb67ef9f0c18875 |
| SHA512 | f45c7fc6ba1e192b41fcb267572a81342eb2657f9025181b5be660095c19e7d39c50190fe62ee400d7d1cf8132fb757cbd90222f8ba6aad91d3458bd82de6da6 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-custom.json
| MD5 | 874b930b4c2fddc8043f59113c044a14 |
| SHA1 | 75b14a96fe1194f27913a096e484283b172b1749 |
| SHA256 | f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8 |
| SHA512 | f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-default.json
| MD5 | a56b95951d30537236b8a4b5792abbe4 |
| SHA1 | ca418e143fa5bf6930cea986f2f02914ba2b34c8 |
| SHA256 | 422a4c74d98877f87f5d3eb6f70a903782d00e362e9fca75f06a1f84be387808 |
| SHA512 | 20f2fa66f02ff3da80ec67ff89a232bd6642051702a6ddd94fb382980b46502ca0bda8ba09793fae2f068b4dc18c80ab0186e6426af9760670e8a328ef3c1e95 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\usertag
| MD5 | 87ccdff6d764416c75d4aa695f9be3e4 |
| SHA1 | d4c197cb78f5e5f62aef16af3840d3be0509020a |
| SHA256 | e02453e232a9fdc9446885a629109231c07b35f8d2adf886e010cdf07685fdec |
| SHA512 | 0224a43341ad897613a233b9b170d4ed523ac45d8d13ab8ae023c6c0b266cb7b68abf3e365f3474045d103f6ce7682d009719592578b601edfceab31d678dca5 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\Telegram.exe
| MD5 | 5a6de14a436de1c22e6f328fa40c4835 |
| SHA1 | 454f68ad0a02cb29d3f11a0f4f187b6b384994d9 |
| SHA256 | 663726ede77de2960f7b53c85b1eb19af394e1710d43ef7718ae832067d0a2ce |
| SHA512 | 1a4406b6b6fdccd9ec105932b790c0a0599dd0b74cd7c0afe17b3c655c595230cb753bfc2c1a6b7e1577ca5d825e5c3a2e827a9f8b3acf51bb41ffaddde3c552 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\Mpec.mbt
| MD5 | e3c9c776015c5b25b99ae3913988548d |
| SHA1 | 8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9 |
| SHA256 | 04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e |
| SHA512 | 4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\audidog.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\FTvrst.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
C:\Windows\DNomb\FTvrst.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
C:\Config.Msi\6cad43.rbs
| MD5 | 5f0ac849a811141194f6828d362eaf13 |
| SHA1 | b8b750cc7b5e7b81a68b065f8f5c180c84533228 |
| SHA256 | a29db1fbae78abde4c9fb851b4a8c57c2b500f1ee7504f45d429a192b90e4c23 |
| SHA512 | f5d81894101899467c4df82fefc3b43ae45dcacfb874ffc92aa8f4a96b3642aed2ff36acbaefcc09075acae8d8059926805728378685bd9c08d09a462bcff9f8 |
\Users\Admin\AppData\Local\Temp\MSID0B1.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Public\tg\FTvrst.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
\Users\Public\tg\FTvrst.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
C:\Users\Admin\AppData\Local\Temp\MSID0B1.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
memory/1472-208-0x0000000002990000-0x00000000031F4000-memory.dmp
memory/1472-210-0x0000000002990000-0x00000000031F4000-memory.dmp
memory/1460-212-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/1460-209-0x00000000757F0000-0x0000000075837000-memory.dmp
memory/1460-618-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-619-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-617-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-620-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-621-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-622-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-625-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-623-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-624-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-626-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-627-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-628-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-629-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-630-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-631-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-632-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-633-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-634-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-635-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-636-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-637-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-640-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-638-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-639-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-641-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-642-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-643-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-644-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-645-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-646-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-647-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-649-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-648-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-651-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-652-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-650-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-653-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-654-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-655-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-656-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-657-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-658-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-659-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-660-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-662-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-661-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-663-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-666-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-664-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-665-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-667-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-669-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-668-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-670-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-672-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-673-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-671-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-674-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-675-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-676-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-678-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-677-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-679-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1472-1488-0x0000000002990000-0x00000000031F4000-memory.dmp
memory/1472-1489-0x0000000002990000-0x00000000031F4000-memory.dmp
memory/1460-1491-0x00000000024A0000-0x00000000025A0000-memory.dmp
memory/1460-1493-0x0000000002640000-0x00000000027C1000-memory.dmp
memory/1460-4971-0x00000000024A0000-0x00000000025A0000-memory.dmp
memory/1460-4972-0x0000000002A50000-0x0000000002B61000-memory.dmp
memory/1460-4973-0x0000000002930000-0x0000000002A31000-memory.dmp
memory/1460-4974-0x0000000002B70000-0x0000000002C11000-memory.dmp
C:\WINDOWS\DNomb\Mpec.mbt
| MD5 | e3c9c776015c5b25b99ae3913988548d |
| SHA1 | 8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9 |
| SHA256 | 04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e |
| SHA512 | 4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10 |
\Windows\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
C:\WINDOWS\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
C:\Windows\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
C:\WINDOWS\DNomb\audidog.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
\Windows\DNomb\audidog.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
C:\Windows\DNomb\audidog.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
memory/1460-5184-0x0000000003360000-0x0000000003BC4000-memory.dmp
memory/1788-5188-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/1460-6204-0x0000000000400000-0x0000000000C64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSI7C0E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSI7C0E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
memory/1788-6348-0x00000000002E0000-0x00000000003E0000-memory.dmp
memory/1788-6350-0x0000000002930000-0x0000000002AB1000-memory.dmp
memory/1500-8362-0x0000000000090000-0x00000000000A0000-memory.dmp
memory/1788-8609-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/1500-8744-0x0000000000270000-0x000000000027A000-memory.dmp
memory/1788-9174-0x00000000002E0000-0x00000000003E0000-memory.dmp
memory/1500-9176-0x0000000000EA0000-0x0000000000EAA000-memory.dmp
memory/1500-9178-0x0000000000EA0000-0x0000000000EAA000-memory.dmp
memory/1788-9791-0x00000000027A0000-0x00000000028B1000-memory.dmp
memory/1788-9797-0x0000000002650000-0x0000000002751000-memory.dmp
memory/1788-9798-0x0000000002AC0000-0x0000000002B61000-memory.dmp
memory/1500-9800-0x0000000000270000-0x000000000027A000-memory.dmp
memory/1500-9831-0x0000000000EA0000-0x0000000000EAA000-memory.dmp
memory/1500-9832-0x0000000000EA0000-0x0000000000EAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab232D.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
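The Files listing above is long because the sandbox records every write, so the same bytes appear under many paths: the MSI*.tmp scratch files collapse to two hashes, and the RAT loader is written as FTvrst.exe and audidog.exe with an identical SHA256. The script below is an added example, not part of the report and not sandbox vendor code. It parses the report's own layout (a path line followed by `| MD5 | ... |` rows, with memory-dump entries interleaved) and regroups the entries by SHA256 so that renamed copies stand out. SAMPLE_LISTING is a constructed excerpt; the hashes in it are copied from the report, the choice of entries is ours, and the MSI/Cab scratch-file name pattern is an assumption about Windows Installer naming, not a verdict on those files.

```python
"""Collapse a sandbox 'Files' listing into unique binaries keyed by SHA256.

Added example; not part of the original report and not sandbox vendor code.
SAMPLE_LISTING is a constructed excerpt in the report's own layout: the
hashes are copied from the report, the selection of entries is ours.
"""
import re
from collections import defaultdict

# One hash row of the report's table: '| SHA256 | <hex> |'
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Windows Installer scratch files rotate names (MSIxxxx.tmp, Cabxxxx.tmp).
# Treating them as one family is an assumption about naming, not about content.
INSTALLER_SCRATCH = re.compile(r"^(msi|cab)[0-9a-f]{4}\.tmp$")

SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\MSI2434.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
C:\Windows\Installer\MSIADCD.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
memory/1460-212-0x0000000000400000-0x0000000000C64000-memory.dmp
C:\Windows\DNomb\FTvrst.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
C:\WINDOWS\DNomb\audidog.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
C:\Users\Public\tg\FTvrst.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
C:\WINDOWS\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
"""


def parse_listing(text):
    """Return [(path, {algorithm: hexdigest})] from the report's Files layout.

    A path line is any non-empty line that is neither a hash row nor a
    'memory/...' dump entry; the hash rows that follow belong to that path.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current[1][m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            continue  # dump regions carry no hashes
        current = (line, {})
        entries.append(current)
    return entries


def group_by_sha256(entries):
    """Map each SHA256 to the set of paths the sandbox saw it written to."""
    groups = defaultdict(set)
    for path, hashes in entries:
        if "SHA256" in hashes:
            groups[hashes["SHA256"]].add(path)
    return groups


def basename(path):
    return path.rsplit("\\", 1)[-1]


def renamed_copies(groups):
    """SHA256 values written under more than one file name (case-insensitive),
    ignoring installer scratch names. Same bytes under different names is the
    signal worth pulling out of a long dropped-file list."""
    out = {}
    for sha, paths in groups.items():
        names = {basename(p).casefold() for p in paths}
        names = {n for n in names if not INSTALLER_SCRATCH.match(n)}
        if len(names) > 1:
            out[sha] = sorted(names)
    return out


if __name__ == "__main__":
    groups = group_by_sha256(parse_listing(SAMPLE_LISTING))
    for sha, names in renamed_copies(groups).items():
        print(sha, "->", ", ".join(names))
```

Run against the full listing, this is the step that turns several hundred lines of hashes into a handful of unique binaries and their drop locations, which is what a blocklist or a hunt query actually needs.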
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-30 00:17
Reported
2023-06-30 00:26
Platform
win10v2004-20230621-en
Max time kernel
302s
Max time network
307s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\tg\FTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\audidog.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\FTvrst.exe" | C:\Users\Public\tg\FTvrst.exe | N/A |
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2448 set thread context of 3844 | N/A | C:\Users\Public\tg\FTvrst.exe | C:\WINDOWS\DNomb\spolsvt.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_6 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\ | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\log.txt | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.yRbCbR | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.iwkLCx | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.uvGMyi | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.ccTITP | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\log_start0.txt | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.CMfeMj | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.CMfeMj | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C0 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.dRVMPN | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\log.txt | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.ivljfr | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\tupdate4008003 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.mdrssw | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\spoiler\text | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.iwkLCx | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.XxdYAP | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\opengl_crash_check | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.dRVMPN | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_0 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.yRbCbR | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_6 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.YIQeuh | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Telegram.exe | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\modules\x86\d3d\d3dcompiler_47.dll | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\A7FDF864FBC10B77s | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_3 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.nQVxah | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_4 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_2 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_4 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-custom.json | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\tdata\version | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\usertag | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A944101708800 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s.OrATKG | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\ready | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_2 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_5 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.CWNxDs | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.uvGMyi | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.ivljfr | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.nQVxah | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\working | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.IUHLUh | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.IUHLUh | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_5 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.YIQeuh | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.AKxZre | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_1 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_1 | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.CWNxDs | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Updater.exe | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.oAHEFe | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e58877b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\Mpec.mbt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\WINDOWS\DNombaudidog.exe | C:\WINDOWS\DNomb\audidog.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8930.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8A3B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8A99.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8CDE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\FTvrst.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\spolsvt.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\audidog.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58877b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8C02.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{463B1E3F-726C-45AE-BA5B-6DD11BC72C1C} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9DB7.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\"" | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\"" | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\DefaultIcon | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\"" | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\DefaultIcon | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\ = "URL:Telegram Link" | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open\command | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open\command | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\"" | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\URL Protocol | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\tg\FTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\audidog.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 38484FF2BED28525FBB7B671FB537640 C
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1687843898 "
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 09C4BAA69F83110CCD53A4A65C4F0C9F C
C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe" /groupsextract:100; /out:"C:\Users\Public" /callbackid:2724
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7FD4C073B37BF23A6C16226E80CC0715
C:\Users\Public\tg\FTvrst.exe
"C:\Users\Public\tg\FTvrst.exe"
C:\WINDOWS\DNomb\spolsvt.exe
C:\WINDOWS\DNomb\spolsvt.exe
C:\WINDOWS\DNomb\audidog.exe
C:\WINDOWS\DNomb\audidog.exe
C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe
"C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 20.189.173.14:443 | | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| GB | 96.16.110.41:443 | | tcp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 2.19.195.233:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.195.19.2.in-addr.arpa | udp |
| US | 8.248.1.254:80 | | tcp |
| US | 8.248.1.254:80 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.112.50.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.100.206.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nn.wccabc.com | udp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 149.154.167.51:80 | | tcp |
| US | 8.8.8.8:53 | td.telegram.org | udp |
| US | 8.8.8.8:53 | 51.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| NL | 149.154.167.91:443 | | tcp |
| NL | 149.154.167.41:443 | | tcp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.167.154.149.in-addr.arpa | udp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| NL | 149.154.167.91:443 | | tcp |
| NL | 149.154.167.91:80 | 149.154.167.91 | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
| HK | 47.242.146.124:3927 | nn.wccabc.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi
| MD5 | f4adbf929ac90c4a9fff6142b5daa670 |
| SHA1 | 9d0c56596957d04bb9582a2e0e556dbe7977e9c1 |
| SHA256 | e79ef9535612ba30be0b07a9666d0fe26466eca698a1dbf5a014b176def2df7a |
| SHA512 | ffed2c3da71bb4c6f66c04152df70a2756cc49c7c3eeb4940c08d43bf6e58b7c1656a4915b96f5e87f561ed715c47c68419d4ae89082b221f5e8e0a147aa3a38 |
C:\Users\Admin\AppData\Local\Temp\MSI346F.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI3865.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI39AE.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI3A4C.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI3ACA.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI3DF7.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI3F31.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI3FDE.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIA9D4.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIAA90.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIB09C.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI8930.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI8A3B.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI8A99.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI8C02.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI8CDE.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\0469A94410170880s
| MD5 | 237b2bc4ba380664d0e69d95bfbdca62 |
| SHA1 | 42fb204f0fb1b5a1e7d7152070accee988747198 |
| SHA256 | bfb3af061014f48924f4412402ee99f566725932e80f8a27c5bc429544b0dad6 |
| SHA512 | 15bd8b90b1508e40e5e20b4630cf69f3ff597cb11768d78528a0db4a9ef3fd6f20aa1e93cf0b945bff3d6864d4182e1ac4cb33f0d3c83462d6db7c3d53bc2741 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\Telegram.exe
| MD5 | 5a6de14a436de1c22e6f328fa40c4835 |
| SHA1 | 454f68ad0a02cb29d3f11a0f4f187b6b384994d9 |
| SHA256 | 663726ede77de2960f7b53c85b1eb19af394e1710d43ef7718ae832067d0a2ce |
| SHA512 | 1a4406b6b6fdccd9ec105932b790c0a0599dd0b74cd7c0afe17b3c655c595230cb753bfc2c1a6b7e1577ca5d825e5c3a2e827a9f8b3acf51bb41ffaddde3c552 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\Mpec.mbt
| MD5 | e3c9c776015c5b25b99ae3913988548d |
| SHA1 | 8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9 |
| SHA256 | 04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e |
| SHA512 | 4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\audidog.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\FTvrst.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-default.json
| MD5 | a56b95951d30537236b8a4b5792abbe4 |
| SHA1 | ca418e143fa5bf6930cea986f2f02914ba2b34c8 |
| SHA256 | 422a4c74d98877f87f5d3eb6f70a903782d00e362e9fca75f06a1f84be387808 |
| SHA512 | 20f2fa66f02ff3da80ec67ff89a232bd6642051702a6ddd94fb382980b46502ca0bda8ba09793fae2f068b4dc18c80ab0186e6426af9760670e8a328ef3c1e95 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\settingss
| MD5 | d149ddf991c084294f019fc76161fb15 |
| SHA1 | d42777f18ed62c3f4c8ff5d326f63fccfe06d454 |
| SHA256 | 9afef05acbb201afd6007584482f01c93628484d9d80858f8cb67ef9f0c18875 |
| SHA512 | f45c7fc6ba1e192b41fcb267572a81342eb2657f9025181b5be660095c19e7d39c50190fe62ee400d7d1cf8132fb757cbd90222f8ba6aad91d3458bd82de6da6 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-custom.json
| MD5 | 874b930b4c2fddc8043f59113c044a14 |
| SHA1 | 75b14a96fe1194f27913a096e484283b172b1749 |
| SHA256 | f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8 |
| SHA512 | f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\prefix
| MD5 | 3fb9de9c3edf4abc3a42deaf14dfa8d6 |
| SHA1 | d02d2382706bffb38831acfcce62e720a6d55733 |
| SHA256 | 84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28 |
| SHA512 | 7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\D877F783D5D3EF8Cs
| MD5 | e58b4c34a563191cfee1d6d617a78216 |
| SHA1 | 83ff6975bacf2f4e5ff44dbf5f8de38f7dd7f437 |
| SHA256 | 729c64f4ee746214839002d6e79bd82baebc2eba5e38e47307e65fcf25a83cf1 |
| SHA512 | 3d875550e6f0f43cc1306f3eb2f83d2b5a06ddc211dcd03c31abc0cce0350481b19015adde62ed8632b8a902138c345e6f7c533be50a55343566903e8d593eeb |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\F8806DD0C461824Fs
| MD5 | fb9a1cbbd1b3531943eecfefa15df5de |
| SHA1 | 0295ac1bdc3a668a5f488e6c98a34ad71a53c67b |
| SHA256 | 438c768ac7851e93d1081c4291c2b14c250b7cc847050d7716626ab3948760d8 |
| SHA512 | abc104efdbf46c9ff9621e9d3c7e3be2d803208e62b63658a1a7f94c8deb823302896b0878c8d9f4962045a7d257afe51047b1ff73f64c2f8e440680a3ef1e60 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\usertag
| MD5 | 87ccdff6d764416c75d4aa695f9be3e4 |
| SHA1 | d4c197cb78f5e5f62aef16af3840d3be0509020a |
| SHA256 | e02453e232a9fdc9446885a629109231c07b35f8d2adf886e010cdf07685fdec |
| SHA512 | 0224a43341ad897613a233b9b170d4ed523ac45d8d13ab8ae023c6c0b266cb7b68abf3e365f3474045d103f6ce7682d009719592578b601edfceab31d678dca5 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\key_datas
| MD5 | eb7e5e1d7636232186c42fe52b7611b6 |
| SHA1 | ae235dcf06db5931e082155da14936ed7c7db2fb |
| SHA256 | 66d374699b23bd425bb68f5480785ae70f0f87f2e5948d0bd51ce7838fdb706a |
| SHA512 | 813d9318d6937ba6a6def9bd676a26999cb97e0f0b744c0a99174d4fd6163414cff9f5195d420fdd7cdc86442cceb7a7130ad0fe2f93ab5d961381b90df859e5 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\countries
| MD5 | 5d1f2b862acb26f8353cb1d178a2116f |
| SHA1 | e3989f717bb652b4ee3fd18e4dc3f2e0193c75bd |
| SHA256 | 3d6d4e33dcaeff17425ea9451d37bb9c866d711d6ece51ef5c09d2fbd296e85e |
| SHA512 | adb1ef7675a0292b236aafdd923be94705eb7ea7baf25a0d3c001fba2014b8f90473375e96739d8af43a7bd9a123f1ce38c532516da3d1a46db50bf66a0c1a73 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\A7FDF864FBC10B77s
| MD5 | 72339e5b4ca4743c2c1313c90fa38b27 |
| SHA1 | 8123ac4d35080c0c397478845b2ab16944636bae |
| SHA256 | 6a8a6995f4f87336681017417d6ae78223cd725e1118c4e336c93e203c17a9e4 |
| SHA512 | 3eb657959bdfc0b30124a7e087d44b33aa7814ee9a18a20205b5debc1b290754024d8529174f3e17646fae77339d28a02312584bd6bda7021ad5b59c67d6fa0d |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\90AB52E6EF1558C8s
| MD5 | 0aa0727f6230692e520295abca999a94 |
| SHA1 | 2dca6accd906adf49bfd4cfa93b2d862a9c29651 |
| SHA256 | 9676ed8e4497fab0d92b1e2c8c63dec8b9f309db8e379ffbbff919d3c6762e10 |
| SHA512 | 8d0633ef21107c7e5ca4f4ba50ba762bf62956c5bcd3ccfc3ab9b7845bb2a5388b5bacd7c9ddff0b2c7d0b4ed761c15ebb437deb912cf4a573a1fab5e328093d |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\7B7D9BF38A42FD50s
| MD5 | 4d28d8121c1365d8b66048804cf85431 |
| SHA1 | e19b061f138c52b1a67c123fd8cff8d2f6f3e7ce |
| SHA256 | f620154eb8472755c58e631803e45e08279e5f70b381aa71bfc256a4f06fe6eb |
| SHA512 | 4ef49fb867af0894fa42537832bfd567a0fc6e1f9fbd6966cac6215b30d91617f43acfb3b20b62a6f43163162a0f2123dc8e2ad36f493b5c3b9202689c54a482 |
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
C:\Windows\DNomb\FTvrst.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
C:\Config.Msi\e58877c.rbs
| MD5 | 7c23184b471060f50caee8f669f5f0d6 |
| SHA1 | 3a77fd5ef4e8aea87cb519aaaf575c2a6d59f541 |
| SHA256 | 43a9325c0a0a8a6032609768d568062bab771e48283e165519f52e89d332c80c |
| SHA512 | f6cdd55d884802e557664b860ecfe9f770766fed998d82d3b29da2559f6ff1bc95ae36f9050ae1c1d0f1a17651714f437231b646bb51163d5452d6ef1bf34977 |
C:\Users\Admin\AppData\Local\Temp\MSIAADB.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Public\tg\FTvrst.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
memory/2448-298-0x0000000000400000-0x0000000000C64000-memory.dmp
\??\Volume{1b62ef81-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f55d956f-4091-439a-8c45-734e49c0dda8}_OnDiskSnapshotProp
| MD5 | 86d616502ed4bd6d2e806e238c7bc98a |
| SHA1 | ddefde442420a6b872bc1dd3bcce5f728a622276 |
| SHA256 | 9cd7ffdde6dbda7bab25a2c841ef7a365bb367aa40f31d17a62e5c016843f54c |
| SHA512 | 223d14480ed620969f76bac4b02d3d1394d2367545e7dd0a70b83d12cec919c757d4f41265615190f8c4140b72df792aa8eaf762b56cf43b636504304594d6f4 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 1f29e3557c40597e3a0cb92cc80b312d |
| SHA1 | 95b496b43ccc3e18d40b99ed66d7984125d285ac |
| SHA256 | 69f9ce856fe79d411d97c4b7251b3698cc59d3e7ae2b13222d22143cf816e35a |
| SHA512 | 6fdcf1bdb9f3ba65eef28a8a1ba0f44af0fa502210ecb7ab2974b9416c1e7b0db22025b431ccc68f37f4fb4004ad8f70c84e272c32665d2caf29fd9923cc8a1c |
memory/2448-301-0x0000000075BE0000-0x0000000075DF5000-memory.dmp
memory/2448-2239-0x00000000765F0000-0x0000000076790000-memory.dmp
memory/2448-3244-0x0000000075790000-0x000000007580A000-memory.dmp
memory/2448-3387-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/2448-6838-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/2448-6839-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/2448-6840-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/2448-6841-0x0000000000400000-0x0000000000C64000-memory.dmp
C:\WINDOWS\DNomb\Mpec.mbt
| MD5 | e3c9c776015c5b25b99ae3913988548d |
| SHA1 | 8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9 |
| SHA256 | 04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e |
| SHA512 | 4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10 |
memory/3844-6844-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3844-6845-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3844-6846-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
memory/3844-6850-0x0000000000400000-0x0000000000430000-memory.dmp
C:\WINDOWS\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
C:\Windows\DNomb\audidog.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
C:\WINDOWS\DNomb\audidog.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
| SHA512 | 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14 |
memory/3844-6854-0x0000000010000000-0x000000001002A000-memory.dmp
memory/2448-6859-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/2448-6860-0x0000000002C50000-0x0000000002D50000-memory.dmp
memory/4144-6861-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/4144-6862-0x0000000075BE0000-0x0000000075DF5000-memory.dmp
memory/4144-8800-0x00000000765F0000-0x0000000076790000-memory.dmp
memory/4144-9805-0x0000000075790000-0x000000007580A000-memory.dmp
memory/2448-10405-0x0000000000400000-0x0000000000C64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSI1791.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
memory/4144-12492-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/4144-13404-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/4144-13405-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/4144-13406-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/4144-13407-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/4144-13410-0x0000000002D30000-0x0000000002E30000-memory.dmp
memory/2316-13417-0x0000000008EA0000-0x0000000008EB0000-memory.dmp
memory/4144-13418-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/4144-13469-0x0000000002D30000-0x0000000002E30000-memory.dmp
memory/2316-13474-0x0000000008EA0000-0x0000000008EB0000-memory.dmp
memory/4144-13488-0x0000000000400000-0x0000000000C64000-memory.dmp
memory/4144-13499-0x0000000000400000-0x0000000000C64000-memory.dmp
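The Files table above lists the same content under several paths: FTvrst.exe and audidog.exe carry one SHA256, the copies under C:\Windows\DNomb match the staging copies under Roaming\Telegram X\...\WindowsFolder\DNomb, and the MSI*.tmp entries repeat two contents under many random names. The Python below is added here as an example and is not part of the sandbox report. It parses entries in the report's own layout (a path line followed by `| ALGO | hex |` rows), groups them by SHA256 and reports hashes that appear under more than one file name. The sample input is a constructed subset of the entries above with the SHA512 rows dropped; memory dump lines are skipped because they carry no file hash.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Files entries in this report, copied with
# the SHA512 rows omitted for brevity. Any "| ALGO | hex |" row is accepted, so
# the complete section parses the same way.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\MSI3DF7.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
C:\Users\Admin\AppData\Local\Temp\MSI3DF7.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
C:\Windows\Installer\MSI8A99.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
C:\Users\Public\tg\FTvrst.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
memory/2448-298-0x0000000000400000-0x0000000000C64000-memory.dmp
C:\Windows\DNomb\audidog.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
C:\WINDOWS\DNomb\audidog.exe
| MD5 | 3a9c682b077bc044b21131216bdf6304 |
| SHA1 | afdd419f084b56838c7eb07ff2b28ff9b960e27e |
| SHA256 | 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8 |
C:\Windows\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files_section(text):
    """Return a list of (path, {algo: hexdigest}) in report order.

    Any line that is neither a hash row nor a memory dump reference starts a
    new entry; the hash rows that follow belong to it.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current[1][m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            continue  # in-memory dump, no file hash to collect
        current = (line, {})
        entries.append(current)
    return entries


def group_by_sha256(entries):
    """Map SHA256 -> sorted distinct paths. Paths are case-folded because NTFS
    paths are case-insensitive; the report lists some files once under
    Windows and once under WINDOWS."""
    groups = defaultdict(set)
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if sha:
            groups[sha].add(path.lower())
    return {sha: sorted(paths) for sha, paths in groups.items()}


def aliased_payloads(groups):
    """SHA256s that the report lists under more than one file name."""
    out = {}
    for sha, paths in groups.items():
        names = {p.rsplit("\\", 1)[-1] for p in paths}
        if len(names) > 1:
            out[sha] = sorted(names)
    return out


def unique_sha256(groups):
    """Deduplicated SHA256 list suitable for a blocklist or hunt query."""
    return sorted(groups)


if __name__ == "__main__":
    groups = group_by_sha256(parse_files_section(SAMPLE_REPORT))
    for sha, names in aliased_payloads(groups).items():
        print(f"{sha}  ->  {', '.join(names)}")
    print(f"{len(groups)} distinct SHA256 values")
```

Run against the full section, this yields a deduplicated hash list for blocking and shows that FTvrst.exe, audidog.exe and the staging copies under Roaming are one binary (8beaa45a...), so a single hash rule covers every drop location; the MSI*.tmp entries collapse to two distinct contents.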
Analysis: behavioral3
Detonation Overview
Submitted
2023-06-30 00:17
Reported
2023-06-30 00:26
Platform
win7-20230621-en
Max time kernel
298s
Max time network
283s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
Loads dropped DLL
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\UIAutomationCore = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\jlfdbgj\\UIAutomationCore.exe" | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
"C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1865762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-3518257231-2980324860-1431329550-1000"
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe" ghkh
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {E8894ABF-7412-4937-A413-50E21F5C476A} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bakchilou.com | udp |
| US | 107.148.190.229:1516 | bakchilou.com | tcp |
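The process tree and network table above describe one chain: the installer stub irsetup.exe starts UIAutomationCore.exe from under AppData\Roaming with the argument ghkh, that process writes itself into the user's Run key, resolves bakchilou.com and connects to 107.148.190.229:1516, and opens the bundled Telegram.exe through cmd.exe /c start. The Python below is an added example, not part of the report, that encodes those observations as four detection rules and runs them over constructed telemetry records. The field names (EventID, Image, ParentImage, CommandLine, TargetObject, Details, QueryName, DestinationIp, DestinationPort) mirror the Sysmon convention but are an assumption of the example, as is the benign msiexec.exe record included as a negative control; the user-writable path pattern is a heuristic of the example, not something the report states.

```python
import re
from collections import Counter

# Constructed telemetry for the behavioral3 chain: hand-built records whose
# field names follow the Sysmon convention (EventID 1 process create,
# 3 network connect, 13 registry value set, 22 DNS query). Paths, arguments,
# key names and network values are taken from the report; the msiexec.exe
# record is a benign control that must not fire.
IMPLANT = r"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe"
STUB = r"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"
EVENTS = [
    {"EventID": 1, "Image": STUB,
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe",
     "CommandLine": f'"{STUB}" __IRAOFF:1865762 "__IRCT:1"'},
    {"EventID": 1, "Image": IMPLANT, "ParentImage": STUB,
     "CommandLine": f'"{IMPLANT}" ghkh'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": IMPLANT,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"'},
    {"EventID": 13, "Image": IMPLANT,
     "TargetObject": r"HKU\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\UIAutomationCore",
     "Details": IMPLANT},
    {"EventID": 22, "Image": IMPLANT, "QueryName": "bakchilou.com", "QueryResults": "107.148.190.229"},
    {"EventID": 3, "Image": IMPLANT, "DestinationIp": "107.148.190.229", "DestinationPort": 1516},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",  # benign control (constructed)
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
     "Details": r"C:\Program Files\ExampleApp\ExampleApp.exe"},
]

# Heuristic: directories an unprivileged user can write to (assumption of this example).
USER_WRITABLE = re.compile(r"\\(appdata\\(roaming|local)|users\\public|programdata)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Atomic indicators from the report's Network table.
C2_DOMAINS = {"bakchilou.com"}
C2_IPS = {"107.148.190.229"}
C2_PORTS = {1516}


def run_key_to_user_writable(ev):
    """Autorun value whose target executable lives in a user-writable directory."""
    return bool(ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"])
                and USER_WRITABLE.search(ev["Details"]))


def stub_spawns_from_user_writable(ev):
    """irsetup.exe (the installer stub in the process tree) starting an EXE under AppData."""
    return bool(ev["EventID"] == 1 and ev["ParentImage"].lower().endswith(r"\irsetup.exe")
                and USER_WRITABLE.search(ev["Image"]))


def decoy_launch_via_cmd_start(ev):
    """A process in a user-writable path using cmd.exe /c start to open the decoy app."""
    return bool(ev["EventID"] == 1 and ev["Image"].lower().endswith(r"\cmd.exe")
                and "/c start" in ev["CommandLine"].lower()
                and USER_WRITABLE.search(ev["ParentImage"]))


def known_c2_indicator(ev):
    """DNS query or outbound connection matching the report's network table."""
    if ev["EventID"] == 22:
        return ev["QueryName"].lower() in C2_DOMAINS
    if ev["EventID"] == 3:
        return ev["DestinationIp"] in C2_IPS or ev["DestinationPort"] in C2_PORTS
    return False


RULES = {
    "run_key_to_user_writable": run_key_to_user_writable,
    "stub_spawns_from_user_writable": stub_spawns_from_user_writable,
    "decoy_launch_via_cmd_start": decoy_launch_via_cmd_start,
    "known_c2_indicator": known_c2_indicator,
}


def run_rules(events):
    """Return (rule_name, image) for every event/rule pair that matches."""
    return [(name, ev["Image"]) for ev in events for name, rule in RULES.items() if rule(ev)]


def hit_counts(events):
    """Number of matches per rule, useful for tuning against a benign baseline."""
    return Counter(name for name, _ in run_rules(events))


if __name__ == "__main__":
    for name, image in run_rules(EVENTS):
        print(f"{name:32s} {image}")
```

The first three rules are behavioural and would still fire on a rebuilt sample with new hashes and a new domain; the fourth is the atomic-indicator match and goes stale as soon as the operator rotates infrastructure. Map the assumed field names onto the schema of the SIEM in use before deploying.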
Files
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 1aa6a97c13b30c8cace9526aad50e3fa |
| SHA1 | 9b659ec30a97c4862690eb500f994de0acaf83aa |
| SHA256 | a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00 |
| SHA512 | 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 1aa6a97c13b30c8cace9526aad50e3fa |
| SHA1 | 9b659ec30a97c4862690eb500f994de0acaf83aa |
| SHA256 | a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00 |
| SHA512 | 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
memory/1636-72-0x0000000002E90000-0x0000000003278000-memory.dmp
memory/668-73-0x0000000000020000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Ico.ico
| MD5 | bbb9d3f02a53d5c497735cbfb15daa80 |
| SHA1 | 807f2bbe8e197d473de5f0b904366bf3c1c14009 |
| SHA256 | ed1d7d9a65646ae96c0874fec5a93d85a71628f26924f709459af121cc52f7c7 |
| SHA512 | c86154ea9a8a9e4d1a86326cdbf39755d93ae48367c78079c3a4f89686e328aa5d177042a27c444b76f5d8847e3bd27553d7e020e550f2135d4252349d093e64 |
memory/668-87-0x0000000000020000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
| MD5 | d1b051718019662c277bab1e4103c9ad |
| SHA1 | ede02518fbeaf10d23ee3a6d1f609132da95d5d7 |
| SHA256 | 727b9b7061ce4222ffa60b71ec559ff84a8998b6d5d6a3c77073167e56da17b2 |
| SHA512 | a9ad33225eb9baaf95e6c00890a8eb92e12665113b343dda933609e526b276e92408d94f58edd0ddb64159abfc8ebb10b24bef18ac7bac73791837ea8b6fe7f8 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
| MD5 | 2f5c5f2acdd98034e5320a6eeb1700b7 |
| SHA1 | ac6420e723c58e473c0924a25b1bc0d8e0d94640 |
| SHA256 | 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9 |
| SHA512 | 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96 |
memory/668-178-0x0000000000020000-0x0000000000408000-memory.dmp
\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
| MD5 | 2f5c5f2acdd98034e5320a6eeb1700b7 |
| SHA1 | ac6420e723c58e473c0924a25b1bc0d8e0d94640 |
| SHA256 | 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9 |
| SHA512 | 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG
| MD5 | 0028d88c77614bd1bb9c75c3ec8b23b2 |
| SHA1 | ddf237e383d35fd6b0c5edffcef582ec92738b00 |
| SHA256 | 312bcd1f10bac3f8a0bd9bed46bb8e8a42ed0224ff0e1be3a5f748401b47cdbc |
| SHA512 | bbe62015d6fb2846354f4a208300493ad8e3206e3e790c443f2043e26f7b94fe435a825fee157067b0c9f907d2d25b67e1d7a712470397912ca58cccd3971f03 |
memory/668-184-0x0000000000020000-0x0000000000408000-memory.dmp
memory/668-191-0x0000000000020000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll
| MD5 | bfb7fef65587cea79c37ecdcafb7346e |
| SHA1 | 56cffe9303f55b95353cf4957f2c061d076b515d |
| SHA256 | 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07 |
| SHA512 | 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d |
\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll
| MD5 | bfb7fef65587cea79c37ecdcafb7346e |
| SHA1 | 56cffe9303f55b95353cf4957f2c061d076b515d |
| SHA256 | 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07 |
| SHA512 | 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d |
memory/1616-195-0x00000000002F0000-0x00000000003EF000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.udv
| MD5 | 1120ff6713728ff084f9885af6ed628b |
| SHA1 | f608ce6972776bdba091300e9db7b7dd881f5417 |
| SHA256 | efd99ac7ade1fc59c033c400e15aeaf5530a59ec3e4198878b00eb5c982986f3 |
| SHA512 | 6cdeca85ecc7163a19a84823ba025207c5f4389017610a986f72f2eeb2e787e1fdab5115bfa978b9fd6617a3165f4a81ccbc71fe7ff05e711963ca6638aebb31 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.txt
| MD5 | 18f43ce321930cb8a58cdaa097cb3fba |
| SHA1 | 21ffabcf2d85388cc6a228ee79ec418306b3b00e |
| SHA256 | 6f2de64ea421f0b7b63471706524f34b2880079b15b747bc0437a94e3ddee43e |
| SHA512 | e98bcd5a81e683b21799de5b05a9b83758dd590f8965c61fe4702525766723112e97cd9fdee13661732781fc9f26113b90622ccce7b1a68b437926867ec866ad |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
| MD5 | 3771c9a1eeee342b5d6d556f974176c3 |
| SHA1 | 30c39a1611e7efe5f1ce626b5be77f0aaa255662 |
| SHA256 | d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db |
| SHA512 | 5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
| MD5 | 3771c9a1eeee342b5d6d556f974176c3 |
| SHA1 | 30c39a1611e7efe5f1ce626b5be77f0aaa255662 |
| SHA256 | d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db |
| SHA512 | 5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f |
\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
| MD5 | 3771c9a1eeee342b5d6d556f974176c3 |
| SHA1 | 30c39a1611e7efe5f1ce626b5be77f0aaa255662 |
| SHA256 | d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db |
| SHA512 | 5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f |
memory/1616-202-0x0000000000230000-0x0000000000231000-memory.dmp
memory/604-204-0x0000000000090000-0x00000000000A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\usertag
| MD5 | 0c17897d0c1fcc4554485537c3ba97f3 |
| SHA1 | 89d0b8c7afff99f35650ee56ee2e21bec3e47aca |
| SHA256 | 85468845a3be98d410eb0cc1b0b193f822af6eb2457b2eb84a061f8ea6cd0a9f |
| SHA512 | 2ff0f7f389b8bcf2b35b58be2c8f45f7123c94c4dc07793ab809df699eddbea858e094564fe7819e61381643a6fed8fea50aa0ed37a9a9771c215e0932cb7350 |
memory/1616-206-0x0000000003350000-0x000000000361E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\log.txt
| MD5 | cfdb70e3cc2d1987fce8051c745bce0c |
| SHA1 | 1f8e683788a351e45b498681cf074bd149e1be5b |
| SHA256 | e46d0af620421491328b731cd8c7f673624ad8093a5d5912b6cb8963a6da2132 |
| SHA512 | b1eb011c955ce32f4bcbee6800a95570ea5f00cb7d43ea40b30d959f913f4c1dc53a2d456eefbe5ef506119ef4642736b73222c4b6bd195642578ea9eafa69f2 |
\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
| MD5 | 2f5c5f2acdd98034e5320a6eeb1700b7 |
| SHA1 | ac6420e723c58e473c0924a25b1bc0d8e0d94640 |
| SHA256 | 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9 |
| SHA512 | 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
| MD5 | 2f5c5f2acdd98034e5320a6eeb1700b7 |
| SHA1 | ac6420e723c58e473c0924a25b1bc0d8e0d94640 |
| SHA256 | 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9 |
| SHA512 | 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96 |
memory/1964-223-0x00000000002D0000-0x00000000003CF000-memory.dmp
\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll
| MD5 | bfb7fef65587cea79c37ecdcafb7346e |
| SHA1 | 56cffe9303f55b95353cf4957f2c061d076b515d |
| SHA256 | 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07 |
| SHA512 | 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
| MD5 | 2f5c5f2acdd98034e5320a6eeb1700b7 |
| SHA1 | ac6420e723c58e473c0924a25b1bc0d8e0d94640 |
| SHA256 | 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9 |
| SHA512 | 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96 |
memory/1616-220-0x00000000022E0000-0x00000000022E1000-memory.dmp
memory/1964-227-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1964-228-0x0000000002F90000-0x000000000325E000-memory.dmp
memory/1616-229-0x0000000000400000-0x00000000004D7000-memory.dmp
memory/1964-231-0x0000000000400000-0x00000000004D7000-memory.dmp
memory/1616-230-0x00000000002F0000-0x00000000003EF000-memory.dmp
memory/1964-233-0x0000000002F90000-0x000000000325E000-memory.dmp
memory/1964-232-0x00000000002D0000-0x00000000003CF000-memory.dmp
memory/1616-234-0x0000000003350000-0x000000000361E000-memory.dmp
memory/1616-247-0x00000000002F0000-0x00000000003EF000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-06-30 00:17
Reported
2023-06-30 00:26
Platform
win10v2004-20230621-en
Max time kernel
294s
Max time network
307s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UIAutomationCore = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\jlfdbgj\\UIAutomationCore.exe" | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\URL Protocol | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\ = "URL:Telegram Link" | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe
"C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1865762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-2890635272-812199704-3564780063-1000"
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe" ghkh
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 23.73.0.144:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 144.0.73.23.in-addr.arpa | udp |
| US | 20.189.173.15:443 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.112.50.184.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | bakchilou.com | udp |
| US | 107.148.190.229:1516 | bakchilou.com | tcp |
| US | 8.8.8.8:53 | 229.190.148.107.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| GB | 96.16.110.41:443 | | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| US | 8.8.8.8:53 | 51.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | updates.tdesktop.com | udp |
| NL | 149.154.167.80:443 | updates.tdesktop.com | tcp |
| NL | 149.154.167.91:443 | | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 149.154.167.91:80 | 149.154.167.91 | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| US | 8.8.8.8:53 | 80.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.167.154.149.in-addr.arpa | udp |
| SG | 91.108.56.185:443 | | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| SG | 91.108.56.185:80 | 91.108.56.185 | tcp |
| US | 8.8.4.4:443 | dns.google.com | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 172.64.41.4:443 | mozilla.cloudflare-dns.com | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| DE | 172.217.23.202:443 | firebaseremoteconfig.googleapis.com | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| NL | 142.251.36.35:443 | www.google.ru | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| NL | 149.154.167.91:443 | | tcp |
| NL | 149.154.167.91:80 | 149.154.167.91 | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 1aa6a97c13b30c8cace9526aad50e3fa |
| SHA1 | 9b659ec30a97c4862690eb500f994de0acaf83aa |
| SHA256 | a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00 |
| SHA512 | 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 1aa6a97c13b30c8cace9526aad50e3fa |
| SHA1 | 9b659ec30a97c4862690eb500f994de0acaf83aa |
| SHA256 | a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00 |
| SHA512 | 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0 |
memory/2684-144-0x0000000000A10000-0x0000000000DF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 1aa6a97c13b30c8cace9526aad50e3fa |
| SHA1 | 9b659ec30a97c4862690eb500f994de0acaf83aa |
| SHA256 | a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00 |
| SHA512 | 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Ico.ico
| MD5 | bbb9d3f02a53d5c497735cbfb15daa80 |
| SHA1 | 807f2bbe8e197d473de5f0b904366bf3c1c14009 |
| SHA256 | ed1d7d9a65646ae96c0874fec5a93d85a71628f26924f709459af121cc52f7c7 |
| SHA512 | c86154ea9a8a9e4d1a86326cdbf39755d93ae48367c78079c3a4f89686e328aa5d177042a27c444b76f5d8847e3bd27553d7e020e550f2135d4252349d093e64 |
memory/2684-162-0x0000000000A10000-0x0000000000DF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
| MD5 | d1b051718019662c277bab1e4103c9ad |
| SHA1 | ede02518fbeaf10d23ee3a6d1f609132da95d5d7 |
| SHA256 | 727b9b7061ce4222ffa60b71ec559ff84a8998b6d5d6a3c77073167e56da17b2 |
| SHA512 | a9ad33225eb9baaf95e6c00890a8eb92e12665113b343dda933609e526b276e92408d94f58edd0ddb64159abfc8ebb10b24bef18ac7bac73791837ea8b6fe7f8 |
memory/2684-170-0x0000000000A10000-0x0000000000DF8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
| MD5 | 2f5c5f2acdd98034e5320a6eeb1700b7 |
| SHA1 | ac6420e723c58e473c0924a25b1bc0d8e0d94640 |
| SHA256 | 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9 |
| SHA512 | 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG
| MD5 | 0028d88c77614bd1bb9c75c3ec8b23b2 |
| SHA1 | ddf237e383d35fd6b0c5edffcef582ec92738b00 |
| SHA256 | 312bcd1f10bac3f8a0bd9bed46bb8e8a42ed0224ff0e1be3a5f748401b47cdbc |
| SHA512 | bbe62015d6fb2846354f4a208300493ad8e3206e3e790c443f2043e26f7b94fe435a825fee157067b0c9f907d2d25b67e1d7a712470397912ca58cccd3971f03 |
memory/2684-234-0x0000000000A10000-0x0000000000DF8000-memory.dmp
memory/2684-240-0x0000000000A10000-0x0000000000DF8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
| MD5 | 2f5c5f2acdd98034e5320a6eeb1700b7 |
| SHA1 | ac6420e723c58e473c0924a25b1bc0d8e0d94640 |
| SHA256 | 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9 |
| SHA512 | 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
| MD5 | 2f5c5f2acdd98034e5320a6eeb1700b7 |
| SHA1 | ac6420e723c58e473c0924a25b1bc0d8e0d94640 |
| SHA256 | 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9 |
| SHA512 | 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll
| MD5 | bfb7fef65587cea79c37ecdcafb7346e |
| SHA1 | 56cffe9303f55b95353cf4957f2c061d076b515d |
| SHA256 | 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07 |
| SHA512 | 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll
| MD5 | bfb7fef65587cea79c37ecdcafb7346e |
| SHA1 | 56cffe9303f55b95353cf4957f2c061d076b515d |
| SHA256 | 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07 |
| SHA512 | 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll
| MD5 | bfb7fef65587cea79c37ecdcafb7346e |
| SHA1 | 56cffe9303f55b95353cf4957f2c061d076b515d |
| SHA256 | 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07 |
| SHA512 | 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d |
memory/1344-246-0x0000000000AF0000-0x0000000000BEF000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.udv
| MD5 | 1120ff6713728ff084f9885af6ed628b |
| SHA1 | f608ce6972776bdba091300e9db7b7dd881f5417 |
| SHA256 | efd99ac7ade1fc59c033c400e15aeaf5530a59ec3e4198878b00eb5c982986f3 |
| SHA512 | 6cdeca85ecc7163a19a84823ba025207c5f4389017610a986f72f2eeb2e787e1fdab5115bfa978b9fd6617a3165f4a81ccbc71fe7ff05e711963ca6638aebb31 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.txt
| MD5 | 18f43ce321930cb8a58cdaa097cb3fba |
| SHA1 | 21ffabcf2d85388cc6a228ee79ec418306b3b00e |
| SHA256 | 6f2de64ea421f0b7b63471706524f34b2880079b15b747bc0437a94e3ddee43e |
| SHA512 | e98bcd5a81e683b21799de5b05a9b83758dd590f8965c61fe4702525766723112e97cd9fdee13661732781fc9f26113b90622ccce7b1a68b437926867ec866ad |
memory/1344-249-0x00000000006D0000-0x00000000006D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
| MD5 | 2f5c5f2acdd98034e5320a6eeb1700b7 |
| SHA1 | ac6420e723c58e473c0924a25b1bc0d8e0d94640 |
| SHA256 | 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9 |
| SHA512 | 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll
| MD5 | bfb7fef65587cea79c37ecdcafb7346e |
| SHA1 | 56cffe9303f55b95353cf4957f2c061d076b515d |
| SHA256 | 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07 |
| SHA512 | 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d |
memory/2484-262-0x0000000000870000-0x000000000096F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll
| MD5 | bfb7fef65587cea79c37ecdcafb7346e |
| SHA1 | 56cffe9303f55b95353cf4957f2c061d076b515d |
| SHA256 | 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07 |
| SHA512 | 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d |
memory/1344-264-0x00000000033B0000-0x000000000367E000-memory.dmp
memory/1344-265-0x00000000037F0000-0x00000000037F1000-memory.dmp
memory/2484-266-0x0000000002370000-0x0000000002371000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
| MD5 | 3771c9a1eeee342b5d6d556f974176c3 |
| SHA1 | 30c39a1611e7efe5f1ce626b5be77f0aaa255662 |
| SHA256 | d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db |
| SHA512 | 5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\usertag
| MD5 | 0c17897d0c1fcc4554485537c3ba97f3 |
| SHA1 | 89d0b8c7afff99f35650ee56ee2e21bec3e47aca |
| SHA256 | 85468845a3be98d410eb0cc1b0b193f822af6eb2457b2eb84a061f8ea6cd0a9f |
| SHA512 | 2ff0f7f389b8bcf2b35b58be2c8f45f7123c94c4dc07793ab809df699eddbea858e094564fe7819e61381643a6fed8fea50aa0ed37a9a9771c215e0932cb7350 |
memory/2484-273-0x0000000000400000-0x00000000004D7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\log.txt
| MD5 | cfdb70e3cc2d1987fce8051c745bce0c |
| SHA1 | 1f8e683788a351e45b498681cf074bd149e1be5b |
| SHA256 | e46d0af620421491328b731cd8c7f673624ad8093a5d5912b6cb8963a6da2132 |
| SHA512 | b1eb011c955ce32f4bcbee6800a95570ea5f00cb7d43ea40b30d959f913f4c1dc53a2d456eefbe5ef506119ef4642736b73222c4b6bd195642578ea9eafa69f2 |
memory/2484-281-0x0000000000870000-0x000000000096F000-memory.dmp
memory/2484-283-0x00000000029E1000-0x0000000002C45000-memory.dmp
memory/4136-284-0x00000000076B0000-0x00000000076C0000-memory.dmp
memory/1344-285-0x0000000000400000-0x00000000004D7000-memory.dmp
memory/1344-286-0x0000000000AF0000-0x0000000000BEF000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\3BAA486BE9BF1618s
| MD5 | ead9b55575c1b95f89b5a880323d1efb |
| SHA1 | f4e56cd384c697d5c22967ecf3e184156bdd475d |
| SHA256 | 267f45ad8807c739e75466b17b324807724ad0a518f1cb7f07f6a4c88557085a |
| SHA512 | 37e10e7d07081ff595b7641fb555f713901892c621fa7a827e650393eeaa17f396a978c93c21fe9005982edce52ec99719267b1757e90ffc50ef3862b5f64b96 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\settingss
| MD5 | 3380a7e9f7721ec42c0651f434b56c70 |
| SHA1 | 48568b2c3a21ff296a2a2b85f04e2e2f6105469e |
| SHA256 | d334dba0b423cf74358b794bf9e7c1289333cd86fdef68bac8c45c8f6714653d |
| SHA512 | 6b758286625113aa919760d72b61b8bf06b127cfcf3b4baf8e80993fb17b8ad167659c6779ddcda30fabdcfc82e5e4622cbf7ff30b6269cc92930106fb7959b6 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\shortcuts-default.json
| MD5 | cc850fd9abce3912c944d77d8955ebc9 |
| SHA1 | 71e699b4b680aad0bc339a6511afc75ebb898064 |
| SHA256 | e98e0cc330528886e469d795e74a240693968d6a88f3de214878d8f5b08d4bad |
| SHA512 | a8d5aad5fe365d9ea261636956952f705353833456a6cf9dbb4b88d87bbdb2fd52823dad9e77932af8615f2a3e7a1c1c1bacdb5cb00e65affb2644ee3f2def80 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\shortcuts-custom.json
| MD5 | 874b930b4c2fddc8043f59113c044a14 |
| SHA1 | 75b14a96fe1194f27913a096e484283b172b1749 |
| SHA256 | f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8 |
| SHA512 | f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\key_datas
| MD5 | c688421cae8171e58612890c99bf42d2 |
| SHA1 | 9e28a7195e26dc8f57db099e8957dbfea8b3d5d6 |
| SHA256 | 8fd0684a695ea21c877d634017f499f1cdafeb9cdb877b598212b36a625c27b1 |
| SHA512 | f637d3bc7a67486a34f665db73563dbd11b0c63b62df35afbb280a601deaae46e77083597c44082cb9fc1d9e222c170b642cd85d83ba00e9585634969fcc9ef7 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\DA331D8985149F7Fs
| MD5 | e47df1fab5207e9f89eb9530f559e8de |
| SHA1 | 83f016b848b7e1e287532c2ff4c87f0daba7f66f |
| SHA256 | cf10c439da8a3a5a304081c95484a17e31b10dc63c54e2e4e8ead5aa016706a1 |
| SHA512 | 1edf803b40d70ae584fc4f650d25016326b19696c37797788948acf26a83ec7c905c95cadf54006f82462273e41d248937c06b73de4f52f1f5c8547c14a657da |
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\prefix
| MD5 | 47cd49108a29b5b5024ce744ed2169b4 |
| SHA1 | 8a3a7c67f1d66173132c8f52e1e1233658f653f2 |
| SHA256 | cf1832f2ffce3c99e046bf48c0f5184da7dcbcafe2c0c64ee7d4ab86ec7aa47b |
| SHA512 | cfc9a98f737969aa52b33a2d04ff03fe81fbd0e85bba34503df9b34b671120dc3b73d2fc4529d3dc87559ef799e7e4bdfc4c4a807ecf43c53f842ee84800c60e |
memory/1344-341-0x00000000033B0000-0x000000000367E000-memory.dmp
memory/4136-342-0x00000000076B0000-0x00000000076C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\6E0F31C32448EA2Bs
| MD5 | dd100daf08b20f17f9aa763c3e4e399c |
| SHA1 | f67830b32210064a4f9c40f0b9ee4f9f5c00651e |
| SHA256 | 727dff58c9efbd608932dec51bf99438ffa9876962f6176b782e0d9b799a6d7c |
| SHA512 | fae7500da218788e6bf508ea47da483cf3dcb738483e1d5d346788eb53f90ca86522dca5c9d05920ab3c52399831c701d5a78369e73c6ec5ce74f99a4159cba2 |
memory/1344-360-0x0000000000AF0000-0x0000000000BEF000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-06-30 00:17
Reported
2023-06-30 00:26
Platform
win7-20230621-en
Max time kernel
299s
Max time network
274s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\URL Protocol | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\ = "URL:Telegram Link" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe
"C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"
C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp" /SL5="$70126,39573139,814592,C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| NL | 95.161.76.100:80 | 95.161.76.100 | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| NL | 95.161.76.100:80 | 95.161.76.100 | tcp |
| US | 149.154.175.100:443 | | tcp |
| US | 149.154.175.100:80 | 149.154.175.100 | tcp |
| US | 8.8.8.8:53 | mozilla.cloudflare-dns.com | udp |
| US | 162.159.61.4:443 | mozilla.cloudflare-dns.com | tcp |
| NL | 149.154.167.91:443 | | tcp |
| NL | 149.154.167.41:443 | | tcp |
| NL | 149.154.167.41:80 | 149.154.167.41 | tcp |
| NL | 149.154.167.91:80 | 149.154.167.91 | tcp |
Files
memory/1348-54-0x0000000000400000-0x00000000004D4000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
| MD5 | ce3b2ef0b07d1770ddd8fa09a34138de |
| SHA1 | d07d12411d4a95cd26701fe83eb6d90d81103eee |
| SHA256 | 22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386 |
| SHA512 | 02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442 |
C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
| MD5 | ce3b2ef0b07d1770ddd8fa09a34138de |
| SHA1 | d07d12411d4a95cd26701fe83eb6d90d81103eee |
| SHA256 | 22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386 |
| SHA512 | 02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442 |
memory/1064-61-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1348-63-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/1064-64-0x0000000000400000-0x000000000070F000-memory.dmp
memory/1064-65-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
| MD5 | fd8304d231ca5513640145cabf30a301 |
| SHA1 | 67ad3eaca6099311f4ca0f7d0faee89a94916107 |
| SHA256 | 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e |
| SHA512 | 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253 |
\Users\Admin\AppData\Roaming\Telegram Desktop\unins000.exe
| MD5 | 3d03b7877523f08e2d5ce6f9ddbe92ff |
| SHA1 | 54fc61352598442e867a31c9654949a9248d5ac7 |
| SHA256 | b9400b7cc340fa6494d00d8947b2b185b6c168e485dd584ab82d55edf484e932 |
| SHA512 | 8ee5a37a06e95ea5a5f3fe7c8d0cffbb4835286b689f4e10c942c4581a7ae5922284a4519424b93dc69830ae5bd7ebf7ae023d3ee3a4b2182c592817144077b8 |
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
| MD5 | fd8304d231ca5513640145cabf30a301 |
| SHA1 | 67ad3eaca6099311f4ca0f7d0faee89a94916107 |
| SHA256 | 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e |
| SHA512 | 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
| MD5 | fd8304d231ca5513640145cabf30a301 |
| SHA1 | 67ad3eaca6099311f4ca0f7d0faee89a94916107 |
| SHA256 | 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e |
| SHA512 | 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253 |
memory/1064-86-0x0000000000400000-0x000000000070F000-memory.dmp
memory/1064-97-0x0000000000400000-0x000000000070F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
| MD5 | fd8304d231ca5513640145cabf30a301 |
| SHA1 | 67ad3eaca6099311f4ca0f7d0faee89a94916107 |
| SHA256 | 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e |
| SHA512 | 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253 |
memory/1064-105-0x0000000000400000-0x000000000070F000-memory.dmp
memory/1064-112-0x0000000000400000-0x000000000070F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
| MD5 | 62a89e7867d853fee9ad07b7c9d64379 |
| SHA1 | 944a53602492187308352103d80ff27af1093abf |
| SHA256 | d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9 |
| SHA512 | 7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0 |
\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
| MD5 | 62a89e7867d853fee9ad07b7c9d64379 |
| SHA1 | 944a53602492187308352103d80ff27af1093abf |
| SHA256 | d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9 |
| SHA512 | 7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0 |
memory/1348-117-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/324-122-0x00000000003B0000-0x00000000003C0000-memory.dmp
memory/324-123-0x0000000000730000-0x000000000073A000-memory.dmp
memory/324-124-0x0000000000730000-0x000000000073A000-memory.dmp
memory/324-126-0x0000000000730000-0x000000000073A000-memory.dmp
memory/324-125-0x0000000000730000-0x000000000073A000-memory.dmp
memory/324-140-0x0000000002130000-0x000000000213A000-memory.dmp
memory/324-141-0x0000000002130000-0x000000000213A000-memory.dmp
memory/324-177-0x0000000002130000-0x000000000213A000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-06-30 00:17
Reported
2023-06-30 00:26
Platform
win10v2004-20230621-en
Max time kernel
300s
Max time network
303s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{97509A40-DCD6-4F83-9500-9B8FF39CF3A6}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{06D1F97C-8C90-48F4-AE5C-6E3E4607E77E}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A06DA7A3-F34B-445E-8D2E-87C6AB15B49F}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CBAA4597-0059-4D8B-A41B-EF3360D98CBB}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{87F0F882-3AFD-4088-96A8-DDECC74B2757}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CBBF3439-62E8-4B35-9591-9370B4A2BE90}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D1A8C578-8652-4C7B-9876-FADBCDF54A96}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{456E627B-B858-49D2-ADEB-003EB72E8A4F}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\URL Protocol | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\ = "URL:Telegram Link" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe
"C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"
C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp" /SL5="$9016E,39573139,814592,C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.112.50.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 2.22.249.210:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 210.249.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| NL | 95.161.76.100:80 | 95.161.76.100 | tcp |
| US | 8.8.8.8:53 | 51.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.76.161.95.in-addr.arpa | udp |
| NL | 149.154.167.91:443 | | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 149.154.167.91:80 | 149.154.167.91 | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| NL | 95.161.76.100:80 | 95.161.76.100 | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.167.154.149.in-addr.arpa | udp |
| SG | 149.154.171.5:443 | | tcp |
| SG | 149.154.171.5:80 | 149.154.171.5 | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.4.4:443 | dns.google.com | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| NL | 2.19.195.233:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
Files
memory/4384-133-0x0000000000400000-0x00000000004D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
| MD5 | ce3b2ef0b07d1770ddd8fa09a34138de |
| SHA1 | d07d12411d4a95cd26701fe83eb6d90d81103eee |
| SHA256 | 22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386 |
| SHA512 | 02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442 |
memory/4908-138-0x00000000026F0000-0x00000000026F1000-memory.dmp
memory/4384-140-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/4908-141-0x0000000000400000-0x000000000070F000-memory.dmp
memory/4908-142-0x00000000026F0000-0x00000000026F1000-memory.dmp
memory/4908-154-0x0000000000400000-0x000000000070F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
| MD5 | fd8304d231ca5513640145cabf30a301 |
| SHA1 | 67ad3eaca6099311f4ca0f7d0faee89a94916107 |
| SHA256 | 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e |
| SHA512 | 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253 |
memory/4908-165-0x0000000000400000-0x000000000070F000-memory.dmp
memory/4908-180-0x0000000000400000-0x000000000070F000-memory.dmp
memory/4908-191-0x0000000000400000-0x000000000070F000-memory.dmp
memory/3456-192-0x00000165A0160000-0x00000165A0170000-memory.dmp
memory/4384-193-0x0000000000400000-0x00000000004D4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
| MD5 | 62a89e7867d853fee9ad07b7c9d64379 |
| SHA1 | 944a53602492187308352103d80ff27af1093abf |
| SHA256 | d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9 |
| SHA512 | 7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0 |