Malware Analysis Report

2025-03-15 03:55

Sample ID 230630-alfansge61
Target kousaka.7z
SHA256 aa3f58f228d9d0ef44417c33aa03e3d3c7b3cfde67c0db70a9d21fb8b5cb981c
Tags
persistence fatalrat infostealer rat upx discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa3f58f228d9d0ef44417c33aa03e3d3c7b3cfde67c0db70a9d21fb8b5cb981c

Threat Level: Known bad

The file kousaka.7z was found to be: Known bad.

Malicious Activity Summary

persistence fatalrat infostealer rat upx discovery

FatalRat

Fatal Rat payload

Checks computer location settings

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-30 00:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 00:17

Reported

2023-06-30 00:26

Platform

win7-20230621-en

Max time kernel

300s

Max time network

308s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\FTvrst.exe" C:\Users\Public\tg\FTvrst.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1460 set thread context of 1700 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.TxlWoh C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-custom.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.NxMXCc C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.HIPlXJ C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.KgahCI C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.emGpRD C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.oOiCno C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.TxlWoh C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_1 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.OsBEij C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.OsBEij C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.KgahCI C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_5 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s.PqGjBQ C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.GiaiXR C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.NxssNW C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\opengl_crash_check C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.NxMXCc C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Updater.exe C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\log.txt C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_1 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.soEPvA C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.oOiCno C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.SUDSjL C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.dIyGLU C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.ekqrct C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.wUeEYm C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_0 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_6 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.SUDSjL C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.jUaeoY C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.OQdWwc C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Telegram.exe C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\A7FDF864FBC10B77s C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_0 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_4 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.jUaeoY C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\log_start0.txt C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_4 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s.PqGjBQ C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\spoiler\text C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_3 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_5 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\prefix C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.HIPlXJ C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_2 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\tupdate4008003 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\F8806DD0C461824Fs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\usertag C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.emGpRD C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_6 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\modules\x86\d3d\d3dcompiler_47.dll C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\ C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\working C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\tdata\version C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIADCD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB6B6.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\spolsvt.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\FTvrst.exe C:\Windows\system32\msiexec.exe N/A
File created C:\WINDOWS\DNombaudidog.exe C:\WINDOWS\DNomb\audidog.exe N/A
File created C:\Windows\Installer\6cad42.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6cad42.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB0EA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB3E7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\Mpec.mbt C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\audidog.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBD8A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\6cad41.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6cad41.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\"" C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\ = "URL:Telegram Link" C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell\open C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\DefaultIcon C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\URL Protocol C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\DefaultIcon C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\"" C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\"" C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell\open C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\"" C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tg\shell\open\command C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\tdesktop.tg\shell\open\command C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 360 wrote to memory of 1032 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1032 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1032 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1032 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1032 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1032 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1032 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1524 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe C:\Windows\SysWOW64\msiexec.exe
PID 1524 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe C:\Windows\SysWOW64\msiexec.exe
PID 1524 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe C:\Windows\SysWOW64\msiexec.exe
PID 1524 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe C:\Windows\SysWOW64\msiexec.exe
PID 1524 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe C:\Windows\SysWOW64\msiexec.exe
PID 1524 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe C:\Windows\SysWOW64\msiexec.exe
PID 1524 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe C:\Windows\SysWOW64\msiexec.exe
PID 360 wrote to memory of 1472 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1472 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1472 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1472 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1472 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1472 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 1472 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1472 wrote to memory of 1536 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
PID 1472 wrote to memory of 1536 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
PID 1472 wrote to memory of 1536 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
PID 1472 wrote to memory of 1536 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
PID 1472 wrote to memory of 1536 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
PID 1472 wrote to memory of 1536 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
PID 1472 wrote to memory of 1536 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
PID 360 wrote to memory of 636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 360 wrote to memory of 636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1472 wrote to memory of 1460 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\tg\FTvrst.exe
PID 1472 wrote to memory of 1460 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\tg\FTvrst.exe
PID 1472 wrote to memory of 1460 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\tg\FTvrst.exe
PID 1472 wrote to memory of 1460 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\tg\FTvrst.exe
PID 1460 wrote to memory of 1700 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1460 wrote to memory of 1700 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1460 wrote to memory of 1700 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1460 wrote to memory of 1700 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1460 wrote to memory of 1700 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1460 wrote to memory of 1700 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1460 wrote to memory of 1700 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1460 wrote to memory of 1700 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1460 wrote to memory of 1700 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1460 wrote to memory of 1788 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\audidog.exe
PID 1460 wrote to memory of 1788 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\audidog.exe
PID 1460 wrote to memory of 1788 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\audidog.exe
PID 1460 wrote to memory of 1788 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\audidog.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe

"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 51D7AA03420024851281B65254BBDC71 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1688077399 "

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F1C099BAFCC4498191245C899F31E9CE C

C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe

"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe" /groupsextract:100; /out:"C:\Users\Public" /callbackid:1472

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000004AC"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding FC5E5EF5B1C0A405D00E29A15F59DD02

C:\Users\Public\tg\FTvrst.exe

"C:\Users\Public\tg\FTvrst.exe"

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\audidog.exe

C:\WINDOWS\DNomb\audidog.exe

C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe

"C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nn.wccabc.com udp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
NL 149.154.167.51:443 tcp
NL 149.154.167.51:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
US 149.154.175.100:443 tcp
US 149.154.175.100:80 149.154.175.100 tcp
NL 149.154.167.91:443 tcp
NL 149.154.167.51:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 149.154.167.91:80 149.154.167.91 tcp
US 8.8.8.8:53 dns.google.com udp
US 8.8.4.4:443 dns.google.com tcp
US 8.8.8.8:53 dns.google.com udp
US 162.159.61.4:443 mozilla.cloudflare-dns.com tcp
US 8.8.8.8:53 dns.google.com udp
NL 149.154.167.99:443 td.telegram.org tcp
US 8.8.8.8:53 dns.google.com udp
NL 149.154.167.99:443 td.telegram.org tcp
NL 149.154.167.91:443 tcp
NL 149.154.167.91:80 149.154.167.91 tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp

Files

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi

MD5 f4adbf929ac90c4a9fff6142b5daa670
SHA1 9d0c56596957d04bb9582a2e0e556dbe7977e9c1
SHA256 e79ef9535612ba30be0b07a9666d0fe26466eca698a1dbf5a014b176def2df7a
SHA512 ffed2c3da71bb4c6f66c04152df70a2756cc49c7c3eeb4940c08d43bf6e58b7c1656a4915b96f5e87f561ed715c47c68419d4ae89082b221f5e8e0a147aa3a38

memory/1524-61-0x0000000000760000-0x0000000000761000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI2434.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI2434.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi

MD5 f4adbf929ac90c4a9fff6142b5daa670
SHA1 9d0c56596957d04bb9582a2e0e556dbe7977e9c1
SHA256 e79ef9535612ba30be0b07a9666d0fe26466eca698a1dbf5a014b176def2df7a
SHA512 ffed2c3da71bb4c6f66c04152df70a2756cc49c7c3eeb4940c08d43bf6e58b7c1656a4915b96f5e87f561ed715c47c68419d4ae89082b221f5e8e0a147aa3a38

C:\Users\Admin\AppData\Local\Temp\MSI281B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI281B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI2925.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI2925.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI2925.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI2C22.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI2C22.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI2F6E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI2F6E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI302A.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI302A.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI30B7.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI30B7.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI44D4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI44D4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI4590.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI4590.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI4590.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI48FB.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI48FB.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSIADCD.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Windows\Installer\MSIADCD.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSIB0EA.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSIB0EA.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSIB3E7.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSIB3E7.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSIB6B6.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSIB6B6.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\0469A94410170880s

MD5 237b2bc4ba380664d0e69d95bfbdca62
SHA1 42fb204f0fb1b5a1e7d7152070accee988747198
SHA256 bfb3af061014f48924f4412402ee99f566725932e80f8a27c5bc429544b0dad6
SHA512 15bd8b90b1508e40e5e20b4630cf69f3ff597cb11768d78528a0db4a9ef3fd6f20aa1e93cf0b945bff3d6864d4182e1ac4cb33f0d3c83462d6db7c3d53bc2741

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\7B7D9BF38A42FD50s

MD5 4d28d8121c1365d8b66048804cf85431
SHA1 e19b061f138c52b1a67c123fd8cff8d2f6f3e7ce
SHA256 f620154eb8472755c58e631803e45e08279e5f70b381aa71bfc256a4f06fe6eb
SHA512 4ef49fb867af0894fa42537832bfd567a0fc6e1f9fbd6966cac6215b30d91617f43acfb3b20b62a6f43163162a0f2123dc8e2ad36f493b5c3b9202689c54a482

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\90AB52E6EF1558C8s

MD5 0aa0727f6230692e520295abca999a94
SHA1 2dca6accd906adf49bfd4cfa93b2d862a9c29651
SHA256 9676ed8e4497fab0d92b1e2c8c63dec8b9f309db8e379ffbbff919d3c6762e10
SHA512 8d0633ef21107c7e5ca4f4ba50ba762bf62956c5bcd3ccfc3ab9b7845bb2a5388b5bacd7c9ddff0b2c7d0b4ed761c15ebb437deb912cf4a573a1fab5e328093d

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\A7FDF864FBC10B77s

MD5 72339e5b4ca4743c2c1313c90fa38b27
SHA1 8123ac4d35080c0c397478845b2ab16944636bae
SHA256 6a8a6995f4f87336681017417d6ae78223cd725e1118c4e336c93e203c17a9e4
SHA512 3eb657959bdfc0b30124a7e087d44b33aa7814ee9a18a20205b5debc1b290754024d8529174f3e17646fae77339d28a02312584bd6bda7021ad5b59c67d6fa0d

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\countries

MD5 5d1f2b862acb26f8353cb1d178a2116f
SHA1 e3989f717bb652b4ee3fd18e4dc3f2e0193c75bd
SHA256 3d6d4e33dcaeff17425ea9451d37bb9c866d711d6ece51ef5c09d2fbd296e85e
SHA512 adb1ef7675a0292b236aafdd923be94705eb7ea7baf25a0d3c001fba2014b8f90473375e96739d8af43a7bd9a123f1ce38c532516da3d1a46db50bf66a0c1a73

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\D877F783D5D3EF8Cs

MD5 e58b4c34a563191cfee1d6d617a78216
SHA1 83ff6975bacf2f4e5ff44dbf5f8de38f7dd7f437
SHA256 729c64f4ee746214839002d6e79bd82baebc2eba5e38e47307e65fcf25a83cf1
SHA512 3d875550e6f0f43cc1306f3eb2f83d2b5a06ddc211dcd03c31abc0cce0350481b19015adde62ed8632b8a902138c345e6f7c533be50a55343566903e8d593eeb

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\F8806DD0C461824Fs

MD5 fb9a1cbbd1b3531943eecfefa15df5de
SHA1 0295ac1bdc3a668a5f488e6c98a34ad71a53c67b
SHA256 438c768ac7851e93d1081c4291c2b14c250b7cc847050d7716626ab3948760d8
SHA512 abc104efdbf46c9ff9621e9d3c7e3be2d803208e62b63658a1a7f94c8deb823302896b0878c8d9f4962045a7d257afe51047b1ff73f64c2f8e440680a3ef1e60

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\key_datas

MD5 eb7e5e1d7636232186c42fe52b7611b6
SHA1 ae235dcf06db5931e082155da14936ed7c7db2fb
SHA256 66d374699b23bd425bb68f5480785ae70f0f87f2e5948d0bd51ce7838fdb706a
SHA512 813d9318d6937ba6a6def9bd676a26999cb97e0f0b744c0a99174d4fd6163414cff9f5195d420fdd7cdc86442cceb7a7130ad0fe2f93ab5d961381b90df859e5

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\prefix

MD5 3fb9de9c3edf4abc3a42deaf14dfa8d6
SHA1 d02d2382706bffb38831acfcce62e720a6d55733
SHA256 84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28
SHA512 7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\settingss

MD5 d149ddf991c084294f019fc76161fb15
SHA1 d42777f18ed62c3f4c8ff5d326f63fccfe06d454
SHA256 9afef05acbb201afd6007584482f01c93628484d9d80858f8cb67ef9f0c18875
SHA512 f45c7fc6ba1e192b41fcb267572a81342eb2657f9025181b5be660095c19e7d39c50190fe62ee400d7d1cf8132fb757cbd90222f8ba6aad91d3458bd82de6da6

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-custom.json

MD5 874b930b4c2fddc8043f59113c044a14
SHA1 75b14a96fe1194f27913a096e484283b172b1749
SHA256 f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8
SHA512 f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-default.json

MD5 a56b95951d30537236b8a4b5792abbe4
SHA1 ca418e143fa5bf6930cea986f2f02914ba2b34c8
SHA256 422a4c74d98877f87f5d3eb6f70a903782d00e362e9fca75f06a1f84be387808
SHA512 20f2fa66f02ff3da80ec67ff89a232bd6642051702a6ddd94fb382980b46502ca0bda8ba09793fae2f068b4dc18c80ab0186e6426af9760670e8a328ef3c1e95

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\usertag

MD5 87ccdff6d764416c75d4aa695f9be3e4
SHA1 d4c197cb78f5e5f62aef16af3840d3be0509020a
SHA256 e02453e232a9fdc9446885a629109231c07b35f8d2adf886e010cdf07685fdec
SHA512 0224a43341ad897613a233b9b170d4ed523ac45d8d13ab8ae023c6c0b266cb7b68abf3e365f3474045d103f6ce7682d009719592578b601edfceab31d678dca5

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\Telegram.exe

MD5 5a6de14a436de1c22e6f328fa40c4835
SHA1 454f68ad0a02cb29d3f11a0f4f187b6b384994d9
SHA256 663726ede77de2960f7b53c85b1eb19af394e1710d43ef7718ae832067d0a2ce
SHA512 1a4406b6b6fdccd9ec105932b790c0a0599dd0b74cd7c0afe17b3c655c595230cb753bfc2c1a6b7e1577ca5d825e5c3a2e827a9f8b3acf51bb41ffaddde3c552

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\Mpec.mbt

MD5 e3c9c776015c5b25b99ae3913988548d
SHA1 8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9
SHA256 04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e
SHA512 4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\audidog.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\FTvrst.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\Windows\DNomb\FTvrst.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\Config.Msi\6cad43.rbs

MD5 5f0ac849a811141194f6828d362eaf13
SHA1 b8b750cc7b5e7b81a68b065f8f5c180c84533228
SHA256 a29db1fbae78abde4c9fb851b4a8c57c2b500f1ee7504f45d429a192b90e4c23
SHA512 f5d81894101899467c4df82fefc3b43ae45dcacfb874ffc92aa8f4a96b3642aed2ff36acbaefcc09075acae8d8059926805728378685bd9c08d09a462bcff9f8

\Users\Admin\AppData\Local\Temp\MSID0B1.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Public\tg\FTvrst.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\Users\Public\tg\FTvrst.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

\Users\Public\tg\FTvrst.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

\Users\Public\tg\FTvrst.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\Users\Admin\AppData\Local\Temp\MSID0B1.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

memory/1472-208-0x0000000002990000-0x00000000031F4000-memory.dmp

memory/1472-210-0x0000000002990000-0x00000000031F4000-memory.dmp

memory/1460-212-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/1460-209-0x00000000757F0000-0x0000000075837000-memory.dmp

memory/1460-618-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-619-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-617-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-620-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-621-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-622-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-625-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-623-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-624-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-626-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-627-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-628-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-629-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-630-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-631-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-632-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-633-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-634-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-635-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-636-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-637-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-640-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-638-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-639-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-641-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-642-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-643-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-644-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-645-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-646-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-647-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-649-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-648-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-651-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-652-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-650-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-653-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-654-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-655-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-656-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-657-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-658-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-659-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-660-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-662-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-661-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-663-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-666-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-664-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-665-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-667-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-669-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-668-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-670-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-672-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-673-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-671-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-674-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-675-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-676-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-678-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-677-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-679-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1472-1488-0x0000000002990000-0x00000000031F4000-memory.dmp

memory/1472-1489-0x0000000002990000-0x00000000031F4000-memory.dmp

memory/1460-1491-0x00000000024A0000-0x00000000025A0000-memory.dmp

memory/1460-1493-0x0000000002640000-0x00000000027C1000-memory.dmp

memory/1460-4971-0x00000000024A0000-0x00000000025A0000-memory.dmp

memory/1460-4972-0x0000000002A50000-0x0000000002B61000-memory.dmp

memory/1460-4973-0x0000000002930000-0x0000000002A31000-memory.dmp

memory/1460-4974-0x0000000002B70000-0x0000000002C11000-memory.dmp

C:\WINDOWS\DNomb\Mpec.mbt

MD5 e3c9c776015c5b25b99ae3913988548d
SHA1 8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9
SHA256 04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e
SHA512 4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\WINDOWS\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\WINDOWS\DNomb\audidog.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

\Windows\DNomb\audidog.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

\Windows\DNomb\audidog.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\Windows\DNomb\audidog.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

memory/1460-5184-0x0000000003360000-0x0000000003BC4000-memory.dmp

memory/1788-5188-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/1460-6204-0x0000000000400000-0x0000000000C64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI7C0E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI7C0E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

memory/1788-6348-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/1788-6350-0x0000000002930000-0x0000000002AB1000-memory.dmp

memory/1500-8362-0x0000000000090000-0x00000000000A0000-memory.dmp

memory/1788-8609-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/1500-8744-0x0000000000270000-0x000000000027A000-memory.dmp

memory/1788-9174-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/1500-9176-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

memory/1500-9178-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

memory/1788-9791-0x00000000027A0000-0x00000000028B1000-memory.dmp

memory/1788-9797-0x0000000002650000-0x0000000002751000-memory.dmp

memory/1788-9798-0x0000000002AC0000-0x0000000002B61000-memory.dmp

memory/1500-9800-0x0000000000270000-0x000000000027A000-memory.dmp

memory/1500-9831-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

memory/1500-9832-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab232D.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 00:17

Reported

2023-06-30 00:26

Platform

win10v2004-20230621-en

Max time kernel

302s

Max time network

307s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\FTvrst.exe" C:\Users\Public\tg\FTvrst.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2448 set thread context of 3844 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_6 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\ C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\log.txt C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.yRbCbR C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.iwkLCx C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.uvGMyi C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.ccTITP C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\log_start0.txt C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.CMfeMj C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.CMfeMj C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C0 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.dRVMPN C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\log.txt C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.ivljfr C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\tupdate4008003 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.mdrssw C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\spoiler\text C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.iwkLCx C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.XxdYAP C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\opengl_crash_check C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.dRVMPN C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_0 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.yRbCbR C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_6 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.YIQeuh C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Telegram.exe C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\modules\x86\d3d\d3dcompiler_47.dll C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\A7FDF864FBC10B77s C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_3 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.nQVxah C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_4 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_2 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_4 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-custom.json C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\tdata\version C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\usertag C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A944101708800 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s.OrATKG C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\ready C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_2 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_5 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.CWNxDs C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.uvGMyi C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.ivljfr C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.nQVxah C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\working C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.IUHLUh C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.IUHLUh C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_5 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.YIQeuh C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.AKxZre C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_1 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_1 C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.CWNxDs C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File opened for modification C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Updater.exe C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.oAHEFe C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e58877b.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\Mpec.mbt C:\Windows\system32\msiexec.exe N/A
File created C:\WINDOWS\DNombaudidog.exe C:\WINDOWS\DNomb\audidog.exe N/A
File opened for modification C:\Windows\Installer\MSI8930.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8A3B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8A99.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8CDE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\FTvrst.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\spolsvt.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\audidog.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58877b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8C02.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{463B1E3F-726C-45AE-BA5B-6DD11BC72C1C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9DB7.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000081ef621b6f8a8ae20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000081ef621b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff00000000070001000068090081ef621b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff00000000070001000068091981ef621b000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000081ef621b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\"" C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\"" C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\DefaultIcon C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\"" C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\DefaultIcon C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\ = "URL:Telegram Link" C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open\command C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open\command C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\"" C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\URL Protocol C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\Users\Public\tg\FTvrst.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\WINDOWS\DNomb\audidog.exe N/A
N/A N/A C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3184 wrote to memory of 1356 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3184 wrote to memory of 1356 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3184 wrote to memory of 1356 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 376 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe C:\Windows\SysWOW64\msiexec.exe
PID 376 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe C:\Windows\SysWOW64\msiexec.exe
PID 376 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe C:\Windows\SysWOW64\msiexec.exe
PID 3184 wrote to memory of 2724 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3184 wrote to memory of 2724 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3184 wrote to memory of 2724 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2724 wrote to memory of 2704 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
PID 2724 wrote to memory of 2704 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
PID 2724 wrote to memory of 2704 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
PID 3184 wrote to memory of 2176 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3184 wrote to memory of 2176 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3184 wrote to memory of 3452 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3184 wrote to memory of 3452 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3184 wrote to memory of 3452 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2724 wrote to memory of 2448 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\tg\FTvrst.exe
PID 2724 wrote to memory of 2448 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\tg\FTvrst.exe
PID 2724 wrote to memory of 2448 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\tg\FTvrst.exe
PID 2448 wrote to memory of 3844 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 2448 wrote to memory of 3844 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 2448 wrote to memory of 3844 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 2448 wrote to memory of 3844 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 2448 wrote to memory of 3844 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 2448 wrote to memory of 3844 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 2448 wrote to memory of 3844 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 2448 wrote to memory of 3844 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 2448 wrote to memory of 4144 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\audidog.exe
PID 2448 wrote to memory of 4144 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\audidog.exe
PID 2448 wrote to memory of 4144 N/A C:\Users\Public\tg\FTvrst.exe C:\WINDOWS\DNomb\audidog.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe

"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 38484FF2BED28525FBB7B671FB537640 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1687843898 "

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 09C4BAA69F83110CCD53A4A65C4F0C9F C

C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe

"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe" /groupsextract:100; /out:"C:\Users\Public" /callbackid:2724

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7FD4C073B37BF23A6C16226E80CC0715

C:\Users\Public\tg\FTvrst.exe

"C:\Users\Public\tg\FTvrst.exe"

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\audidog.exe

C:\WINDOWS\DNomb\audidog.exe

C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe

"C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 20.189.173.14:443 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 2.19.195.233:443 assets.msn.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 233.195.19.2.in-addr.arpa udp
US 8.248.1.254:80 tcp
US 8.248.1.254:80 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 248.112.50.184.in-addr.arpa udp
US 8.8.8.8:53 182.100.206.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 nn.wccabc.com udp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
NL 149.154.167.51:443 tcp
NL 149.154.167.51:80 tcp
US 8.8.8.8:53 td.telegram.org udp
US 8.8.8.8:53 51.167.154.149.in-addr.arpa udp
NL 149.154.167.99:443 td.telegram.org tcp
NL 149.154.167.91:443 tcp
NL 149.154.167.41:443 tcp
NL 149.154.167.99:443 td.telegram.org tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 91.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 41.167.154.149.in-addr.arpa udp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
NL 149.154.167.91:443 tcp
NL 149.154.167.91:80 149.154.167.91 tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
HK 47.242.146.124:3927 nn.wccabc.com tcp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
HK 47.242.146.124:3927 nn.wccabc.com tcp

Files

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi

MD5 f4adbf929ac90c4a9fff6142b5daa670
SHA1 9d0c56596957d04bb9582a2e0e556dbe7977e9c1
SHA256 e79ef9535612ba30be0b07a9666d0fe26466eca698a1dbf5a014b176def2df7a
SHA512 ffed2c3da71bb4c6f66c04152df70a2756cc49c7c3eeb4940c08d43bf6e58b7c1656a4915b96f5e87f561ed715c47c68419d4ae89082b221f5e8e0a147aa3a38

C:\Users\Admin\AppData\Local\Temp\MSI346F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI346F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi

MD5 f4adbf929ac90c4a9fff6142b5daa670
SHA1 9d0c56596957d04bb9582a2e0e556dbe7977e9c1
SHA256 e79ef9535612ba30be0b07a9666d0fe26466eca698a1dbf5a014b176def2df7a
SHA512 ffed2c3da71bb4c6f66c04152df70a2756cc49c7c3eeb4940c08d43bf6e58b7c1656a4915b96f5e87f561ed715c47c68419d4ae89082b221f5e8e0a147aa3a38

C:\Users\Admin\AppData\Local\Temp\MSI3865.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3865.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI39AE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI39AE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI39AE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3A4C.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3A4C.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3ACA.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3ACA.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3DF7.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI3DF7.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI3F31.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3F31.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3FDE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3FDE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIA9D4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIA9D4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIAA90.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIAA90.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIAA90.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIB09C.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIB09C.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI8930.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI8930.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI8A3B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI8A3B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI8A99.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI8A99.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI8C02.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI8C02.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI8CDE.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI8CDE.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\0469A94410170880s

MD5 237b2bc4ba380664d0e69d95bfbdca62
SHA1 42fb204f0fb1b5a1e7d7152070accee988747198
SHA256 bfb3af061014f48924f4412402ee99f566725932e80f8a27c5bc429544b0dad6
SHA512 15bd8b90b1508e40e5e20b4630cf69f3ff597cb11768d78528a0db4a9ef3fd6f20aa1e93cf0b945bff3d6864d4182e1ac4cb33f0d3c83462d6db7c3d53bc2741

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\Telegram.exe

MD5 5a6de14a436de1c22e6f328fa40c4835
SHA1 454f68ad0a02cb29d3f11a0f4f187b6b384994d9
SHA256 663726ede77de2960f7b53c85b1eb19af394e1710d43ef7718ae832067d0a2ce
SHA512 1a4406b6b6fdccd9ec105932b790c0a0599dd0b74cd7c0afe17b3c655c595230cb753bfc2c1a6b7e1577ca5d825e5c3a2e827a9f8b3acf51bb41ffaddde3c552

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\Mpec.mbt

MD5 e3c9c776015c5b25b99ae3913988548d
SHA1 8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9
SHA256 04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e
SHA512 4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\audidog.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\FTvrst.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-default.json

MD5 a56b95951d30537236b8a4b5792abbe4
SHA1 ca418e143fa5bf6930cea986f2f02914ba2b34c8
SHA256 422a4c74d98877f87f5d3eb6f70a903782d00e362e9fca75f06a1f84be387808
SHA512 20f2fa66f02ff3da80ec67ff89a232bd6642051702a6ddd94fb382980b46502ca0bda8ba09793fae2f068b4dc18c80ab0186e6426af9760670e8a328ef3c1e95

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\settingss

MD5 d149ddf991c084294f019fc76161fb15
SHA1 d42777f18ed62c3f4c8ff5d326f63fccfe06d454
SHA256 9afef05acbb201afd6007584482f01c93628484d9d80858f8cb67ef9f0c18875
SHA512 f45c7fc6ba1e192b41fcb267572a81342eb2657f9025181b5be660095c19e7d39c50190fe62ee400d7d1cf8132fb757cbd90222f8ba6aad91d3458bd82de6da6

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-custom.json

MD5 874b930b4c2fddc8043f59113c044a14
SHA1 75b14a96fe1194f27913a096e484283b172b1749
SHA256 f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8
SHA512 f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\prefix

MD5 3fb9de9c3edf4abc3a42deaf14dfa8d6
SHA1 d02d2382706bffb38831acfcce62e720a6d55733
SHA256 84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28
SHA512 7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\D877F783D5D3EF8Cs

MD5 e58b4c34a563191cfee1d6d617a78216
SHA1 83ff6975bacf2f4e5ff44dbf5f8de38f7dd7f437
SHA256 729c64f4ee746214839002d6e79bd82baebc2eba5e38e47307e65fcf25a83cf1
SHA512 3d875550e6f0f43cc1306f3eb2f83d2b5a06ddc211dcd03c31abc0cce0350481b19015adde62ed8632b8a902138c345e6f7c533be50a55343566903e8d593eeb

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\F8806DD0C461824Fs

MD5 fb9a1cbbd1b3531943eecfefa15df5de
SHA1 0295ac1bdc3a668a5f488e6c98a34ad71a53c67b
SHA256 438c768ac7851e93d1081c4291c2b14c250b7cc847050d7716626ab3948760d8
SHA512 abc104efdbf46c9ff9621e9d3c7e3be2d803208e62b63658a1a7f94c8deb823302896b0878c8d9f4962045a7d257afe51047b1ff73f64c2f8e440680a3ef1e60

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\usertag

MD5 87ccdff6d764416c75d4aa695f9be3e4
SHA1 d4c197cb78f5e5f62aef16af3840d3be0509020a
SHA256 e02453e232a9fdc9446885a629109231c07b35f8d2adf886e010cdf07685fdec
SHA512 0224a43341ad897613a233b9b170d4ed523ac45d8d13ab8ae023c6c0b266cb7b68abf3e365f3474045d103f6ce7682d009719592578b601edfceab31d678dca5

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\key_datas

MD5 eb7e5e1d7636232186c42fe52b7611b6
SHA1 ae235dcf06db5931e082155da14936ed7c7db2fb
SHA256 66d374699b23bd425bb68f5480785ae70f0f87f2e5948d0bd51ce7838fdb706a
SHA512 813d9318d6937ba6a6def9bd676a26999cb97e0f0b744c0a99174d4fd6163414cff9f5195d420fdd7cdc86442cceb7a7130ad0fe2f93ab5d961381b90df859e5

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\countries

MD5 5d1f2b862acb26f8353cb1d178a2116f
SHA1 e3989f717bb652b4ee3fd18e4dc3f2e0193c75bd
SHA256 3d6d4e33dcaeff17425ea9451d37bb9c866d711d6ece51ef5c09d2fbd296e85e
SHA512 adb1ef7675a0292b236aafdd923be94705eb7ea7baf25a0d3c001fba2014b8f90473375e96739d8af43a7bd9a123f1ce38c532516da3d1a46db50bf66a0c1a73

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\A7FDF864FBC10B77s

MD5 72339e5b4ca4743c2c1313c90fa38b27
SHA1 8123ac4d35080c0c397478845b2ab16944636bae
SHA256 6a8a6995f4f87336681017417d6ae78223cd725e1118c4e336c93e203c17a9e4
SHA512 3eb657959bdfc0b30124a7e087d44b33aa7814ee9a18a20205b5debc1b290754024d8529174f3e17646fae77339d28a02312584bd6bda7021ad5b59c67d6fa0d

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\90AB52E6EF1558C8s

MD5 0aa0727f6230692e520295abca999a94
SHA1 2dca6accd906adf49bfd4cfa93b2d862a9c29651
SHA256 9676ed8e4497fab0d92b1e2c8c63dec8b9f309db8e379ffbbff919d3c6762e10
SHA512 8d0633ef21107c7e5ca4f4ba50ba762bf62956c5bcd3ccfc3ab9b7845bb2a5388b5bacd7c9ddff0b2c7d0b4ed761c15ebb437deb912cf4a573a1fab5e328093d

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\7B7D9BF38A42FD50s

MD5 4d28d8121c1365d8b66048804cf85431
SHA1 e19b061f138c52b1a67c123fd8cff8d2f6f3e7ce
SHA256 f620154eb8472755c58e631803e45e08279e5f70b381aa71bfc256a4f06fe6eb
SHA512 4ef49fb867af0894fa42537832bfd567a0fc6e1f9fbd6966cac6215b30d91617f43acfb3b20b62a6f43163162a0f2123dc8e2ad36f493b5c3b9202689c54a482

C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Windows\DNomb\FTvrst.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\Config.Msi\e58877c.rbs

MD5 7c23184b471060f50caee8f669f5f0d6
SHA1 3a77fd5ef4e8aea87cb519aaaf575c2a6d59f541
SHA256 43a9325c0a0a8a6032609768d568062bab771e48283e165519f52e89d332c80c
SHA512 f6cdd55d884802e557664b860ecfe9f770766fed998d82d3b29da2559f6ff1bc95ae36f9050ae1c1d0f1a17651714f437231b646bb51163d5452d6ef1bf34977

C:\Users\Admin\AppData\Local\Temp\MSIAADB.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIAADB.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Public\tg\FTvrst.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\Users\Public\tg\FTvrst.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

memory/2448-298-0x0000000000400000-0x0000000000C64000-memory.dmp

\??\Volume{1b62ef81-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f55d956f-4091-439a-8c45-734e49c0dda8}_OnDiskSnapshotProp

MD5 86d616502ed4bd6d2e806e238c7bc98a
SHA1 ddefde442420a6b872bc1dd3bcce5f728a622276
SHA256 9cd7ffdde6dbda7bab25a2c841ef7a365bb367aa40f31d17a62e5c016843f54c
SHA512 223d14480ed620969f76bac4b02d3d1394d2367545e7dd0a70b83d12cec919c757d4f41265615190f8c4140b72df792aa8eaf762b56cf43b636504304594d6f4

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 1f29e3557c40597e3a0cb92cc80b312d
SHA1 95b496b43ccc3e18d40b99ed66d7984125d285ac
SHA256 69f9ce856fe79d411d97c4b7251b3698cc59d3e7ae2b13222d22143cf816e35a
SHA512 6fdcf1bdb9f3ba65eef28a8a1ba0f44af0fa502210ecb7ab2974b9416c1e7b0db22025b431ccc68f37f4fb4004ad8f70c84e272c32665d2caf29fd9923cc8a1c

memory/2448-301-0x0000000075BE0000-0x0000000075DF5000-memory.dmp

memory/2448-2239-0x00000000765F0000-0x0000000076790000-memory.dmp

memory/2448-3244-0x0000000075790000-0x000000007580A000-memory.dmp

memory/2448-3387-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/2448-6838-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/2448-6839-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/2448-6840-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/2448-6841-0x0000000000400000-0x0000000000C64000-memory.dmp

C:\WINDOWS\DNomb\Mpec.mbt

MD5 e3c9c776015c5b25b99ae3913988548d
SHA1 8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9
SHA256 04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e
SHA512 4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10

memory/3844-6844-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3844-6845-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3844-6846-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/3844-6850-0x0000000000400000-0x0000000000430000-memory.dmp

C:\WINDOWS\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Windows\DNomb\audidog.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

C:\WINDOWS\DNomb\audidog.exe

MD5 3a9c682b077bc044b21131216bdf6304
SHA1 afdd419f084b56838c7eb07ff2b28ff9b960e27e
SHA256 8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8
SHA512 99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

memory/3844-6854-0x0000000010000000-0x000000001002A000-memory.dmp

memory/2448-6859-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/2448-6860-0x0000000002C50000-0x0000000002D50000-memory.dmp

memory/4144-6861-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/4144-6862-0x0000000075BE0000-0x0000000075DF5000-memory.dmp

memory/4144-8800-0x00000000765F0000-0x0000000076790000-memory.dmp

memory/4144-9805-0x0000000075790000-0x000000007580A000-memory.dmp

memory/2448-10405-0x0000000000400000-0x0000000000C64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI1791.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI1791.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

memory/4144-12492-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/4144-13404-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/4144-13405-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/4144-13406-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/4144-13407-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/4144-13410-0x0000000002D30000-0x0000000002E30000-memory.dmp

memory/2316-13417-0x0000000008EA0000-0x0000000008EB0000-memory.dmp

memory/4144-13418-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/4144-13469-0x0000000002D30000-0x0000000002E30000-memory.dmp

memory/2316-13474-0x0000000008EA0000-0x0000000008EB0000-memory.dmp

memory/4144-13488-0x0000000000400000-0x0000000000C64000-memory.dmp

memory/4144-13499-0x0000000000400000-0x0000000000C64000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-06-30 00:17

Reported

2023-06-30 00:26

Platform

win7-20230621-en

Max time kernel

298s

Max time network

283s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\UIAutomationCore = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\jlfdbgj\\UIAutomationCore.exe" C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1636 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1636 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1636 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1636 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1636 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1636 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1616 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe C:\Windows\SysWOW64\cmd.exe
PID 584 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
PID 584 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
PID 584 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
PID 584 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
PID 1900 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
PID 1900 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
PID 1900 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe
PID 1900 wrote to memory of 1964 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe

"C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1865762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-3518257231-2980324860-1431329550-1000"

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe" ghkh

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E8894ABF-7412-4937-A413-50E21F5C476A} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bakchilou.com udp
US 107.148.190.229:1516 bakchilou.com tcp

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 1aa6a97c13b30c8cace9526aad50e3fa
SHA1 9b659ec30a97c4862690eb500f994de0acaf83aa
SHA256 a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00
SHA512 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 1aa6a97c13b30c8cace9526aad50e3fa
SHA1 9b659ec30a97c4862690eb500f994de0acaf83aa
SHA256 a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00
SHA512 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 1aa6a97c13b30c8cace9526aad50e3fa
SHA1 9b659ec30a97c4862690eb500f994de0acaf83aa
SHA256 a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00
SHA512 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 1aa6a97c13b30c8cace9526aad50e3fa
SHA1 9b659ec30a97c4862690eb500f994de0acaf83aa
SHA256 a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00
SHA512 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 1aa6a97c13b30c8cace9526aad50e3fa
SHA1 9b659ec30a97c4862690eb500f994de0acaf83aa
SHA256 a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00
SHA512 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 1aa6a97c13b30c8cace9526aad50e3fa
SHA1 9b659ec30a97c4862690eb500f994de0acaf83aa
SHA256 a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00
SHA512 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 1aa6a97c13b30c8cace9526aad50e3fa
SHA1 9b659ec30a97c4862690eb500f994de0acaf83aa
SHA256 a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00
SHA512 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

memory/1636-72-0x0000000002E90000-0x0000000003278000-memory.dmp

memory/668-73-0x0000000000020000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Ico.ico

MD5 bbb9d3f02a53d5c497735cbfb15daa80
SHA1 807f2bbe8e197d473de5f0b904366bf3c1c14009
SHA256 ed1d7d9a65646ae96c0874fec5a93d85a71628f26924f709459af121cc52f7c7
SHA512 c86154ea9a8a9e4d1a86326cdbf39755d93ae48367c78079c3a4f89686e328aa5d177042a27c444b76f5d8847e3bd27553d7e020e550f2135d4252349d093e64

memory/668-87-0x0000000000020000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

MD5 d1b051718019662c277bab1e4103c9ad
SHA1 ede02518fbeaf10d23ee3a6d1f609132da95d5d7
SHA256 727b9b7061ce4222ffa60b71ec559ff84a8998b6d5d6a3c77073167e56da17b2
SHA512 a9ad33225eb9baaf95e6c00890a8eb92e12665113b343dda933609e526b276e92408d94f58edd0ddb64159abfc8ebb10b24bef18ac7bac73791837ea8b6fe7f8

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

MD5 2f5c5f2acdd98034e5320a6eeb1700b7
SHA1 ac6420e723c58e473c0924a25b1bc0d8e0d94640
SHA256 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9
SHA512 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

memory/668-178-0x0000000000020000-0x0000000000408000-memory.dmp

\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

MD5 2f5c5f2acdd98034e5320a6eeb1700b7
SHA1 ac6420e723c58e473c0924a25b1bc0d8e0d94640
SHA256 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9
SHA512 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG

MD5 0028d88c77614bd1bb9c75c3ec8b23b2
SHA1 ddf237e383d35fd6b0c5edffcef582ec92738b00
SHA256 312bcd1f10bac3f8a0bd9bed46bb8e8a42ed0224ff0e1be3a5f748401b47cdbc
SHA512 bbe62015d6fb2846354f4a208300493ad8e3206e3e790c443f2043e26f7b94fe435a825fee157067b0c9f907d2d25b67e1d7a712470397912ca58cccd3971f03

memory/668-184-0x0000000000020000-0x0000000000408000-memory.dmp

memory/668-191-0x0000000000020000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

MD5 2f5c5f2acdd98034e5320a6eeb1700b7
SHA1 ac6420e723c58e473c0924a25b1bc0d8e0d94640
SHA256 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9
SHA512 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

MD5 bfb7fef65587cea79c37ecdcafb7346e
SHA1 56cffe9303f55b95353cf4957f2c061d076b515d
SHA256 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07
SHA512 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

MD5 bfb7fef65587cea79c37ecdcafb7346e
SHA1 56cffe9303f55b95353cf4957f2c061d076b515d
SHA256 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07
SHA512 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

memory/1616-195-0x00000000002F0000-0x00000000003EF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.udv

MD5 1120ff6713728ff084f9885af6ed628b
SHA1 f608ce6972776bdba091300e9db7b7dd881f5417
SHA256 efd99ac7ade1fc59c033c400e15aeaf5530a59ec3e4198878b00eb5c982986f3
SHA512 6cdeca85ecc7163a19a84823ba025207c5f4389017610a986f72f2eeb2e787e1fdab5115bfa978b9fd6617a3165f4a81ccbc71fe7ff05e711963ca6638aebb31

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.txt

MD5 18f43ce321930cb8a58cdaa097cb3fba
SHA1 21ffabcf2d85388cc6a228ee79ec418306b3b00e
SHA256 6f2de64ea421f0b7b63471706524f34b2880079b15b747bc0437a94e3ddee43e
SHA512 e98bcd5a81e683b21799de5b05a9b83758dd590f8965c61fe4702525766723112e97cd9fdee13661732781fc9f26113b90622ccce7b1a68b437926867ec866ad

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

MD5 3771c9a1eeee342b5d6d556f974176c3
SHA1 30c39a1611e7efe5f1ce626b5be77f0aaa255662
SHA256 d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db
SHA512 5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

MD5 3771c9a1eeee342b5d6d556f974176c3
SHA1 30c39a1611e7efe5f1ce626b5be77f0aaa255662
SHA256 d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db
SHA512 5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f

\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

MD5 3771c9a1eeee342b5d6d556f974176c3
SHA1 30c39a1611e7efe5f1ce626b5be77f0aaa255662
SHA256 d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db
SHA512 5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f

memory/1616-202-0x0000000000230000-0x0000000000231000-memory.dmp

memory/604-204-0x0000000000090000-0x00000000000A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\usertag

MD5 0c17897d0c1fcc4554485537c3ba97f3
SHA1 89d0b8c7afff99f35650ee56ee2e21bec3e47aca
SHA256 85468845a3be98d410eb0cc1b0b193f822af6eb2457b2eb84a061f8ea6cd0a9f
SHA512 2ff0f7f389b8bcf2b35b58be2c8f45f7123c94c4dc07793ab809df699eddbea858e094564fe7819e61381643a6fed8fea50aa0ed37a9a9771c215e0932cb7350

memory/1616-206-0x0000000003350000-0x000000000361E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\log.txt

MD5 cfdb70e3cc2d1987fce8051c745bce0c
SHA1 1f8e683788a351e45b498681cf074bd149e1be5b
SHA256 e46d0af620421491328b731cd8c7f673624ad8093a5d5912b6cb8963a6da2132
SHA512 b1eb011c955ce32f4bcbee6800a95570ea5f00cb7d43ea40b30d959f913f4c1dc53a2d456eefbe5ef506119ef4642736b73222c4b6bd195642578ea9eafa69f2

\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

MD5 2f5c5f2acdd98034e5320a6eeb1700b7
SHA1 ac6420e723c58e473c0924a25b1bc0d8e0d94640
SHA256 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9
SHA512 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

MD5 2f5c5f2acdd98034e5320a6eeb1700b7
SHA1 ac6420e723c58e473c0924a25b1bc0d8e0d94640
SHA256 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9
SHA512 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

memory/1964-223-0x00000000002D0000-0x00000000003CF000-memory.dmp

\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

MD5 bfb7fef65587cea79c37ecdcafb7346e
SHA1 56cffe9303f55b95353cf4957f2c061d076b515d
SHA256 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07
SHA512 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

MD5 2f5c5f2acdd98034e5320a6eeb1700b7
SHA1 ac6420e723c58e473c0924a25b1bc0d8e0d94640
SHA256 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9
SHA512 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

memory/1616-220-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/1964-227-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1964-228-0x0000000002F90000-0x000000000325E000-memory.dmp

memory/1616-229-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1964-231-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1616-230-0x00000000002F0000-0x00000000003EF000-memory.dmp

memory/1964-233-0x0000000002F90000-0x000000000325E000-memory.dmp

memory/1964-232-0x00000000002D0000-0x00000000003CF000-memory.dmp

memory/1616-234-0x0000000003350000-0x000000000361E000-memory.dmp

memory/1616-247-0x00000000002F0000-0x00000000003EF000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-06-30 00:17

Reported

2023-06-30 00:26

Platform

win10v2004-20230621-en

Max time kernel

294s

Max time network

307s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UIAutomationCore = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\jlfdbgj\\UIAutomationCore.exe" C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\ = "URL:Telegram Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop 6.28\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2348 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2348 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1344 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
PID 3128 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe
PID 3128 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe

"C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1865762 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2e4156dba629ad427a47c2f09af2447231511ca74cd911c2311e15a698d38aa6.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-2890635272-812199704-3564780063-1000"

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe" ghkh

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 23.73.0.144:443 assets.msn.com tcp
US 8.8.8.8:53 144.0.73.23.in-addr.arpa udp
US 20.189.173.15:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 233.112.50.184.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 bakchilou.com udp
US 107.148.190.229:1516 bakchilou.com tcp
US 8.8.8.8:53 229.190.148.107.in-addr.arpa udp
US 209.197.3.8:80 tcp
GB 96.16.110.41:443 tcp
NL 149.154.167.51:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
US 8.8.8.8:53 51.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 updates.tdesktop.com udp
NL 149.154.167.80:443 updates.tdesktop.com tcp
NL 149.154.167.91:443 tcp
NL 149.154.167.51:443 tcp
NL 149.154.167.91:80 149.154.167.91 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
US 8.8.8.8:53 80.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 91.167.154.149.in-addr.arpa udp
SG 91.108.56.185:443 tcp
US 8.8.8.8:53 dns.google.com udp
SG 91.108.56.185:80 91.108.56.185 tcp
US 8.8.4.4:443 dns.google.com tcp
US 8.8.8.8:53 dns.google.com udp
US 172.64.41.4:443 mozilla.cloudflare-dns.com tcp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
DE 172.217.23.202:443 firebaseremoteconfig.googleapis.com tcp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
NL 142.251.36.35:443 www.google.ru tcp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
NL 149.154.167.91:443 tcp
NL 149.154.167.91:80 149.154.167.91 tcp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 1aa6a97c13b30c8cace9526aad50e3fa
SHA1 9b659ec30a97c4862690eb500f994de0acaf83aa
SHA256 a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00
SHA512 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 1aa6a97c13b30c8cace9526aad50e3fa
SHA1 9b659ec30a97c4862690eb500f994de0acaf83aa
SHA256 a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00
SHA512 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

memory/2684-144-0x0000000000A10000-0x0000000000DF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 1aa6a97c13b30c8cace9526aad50e3fa
SHA1 9b659ec30a97c4862690eb500f994de0acaf83aa
SHA256 a8982e3b803e719aff9f5f852182980dd268a7bf2fa04a21d35e25cdd18fce00
SHA512 9e32491c3e5c63aa9367a4a7537bdf8c82646d8fffaedda1de1a7237a0f798e27768ff6b618ce87a40c19a2678aff928643c1f0eb897b9ce99244d237d1890c0

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Ico.ico

MD5 bbb9d3f02a53d5c497735cbfb15daa80
SHA1 807f2bbe8e197d473de5f0b904366bf3c1c14009
SHA256 ed1d7d9a65646ae96c0874fec5a93d85a71628f26924f709459af121cc52f7c7
SHA512 c86154ea9a8a9e4d1a86326cdbf39755d93ae48367c78079c3a4f89686e328aa5d177042a27c444b76f5d8847e3bd27553d7e020e550f2135d4252349d093e64

memory/2684-162-0x0000000000A10000-0x0000000000DF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

MD5 d1b051718019662c277bab1e4103c9ad
SHA1 ede02518fbeaf10d23ee3a6d1f609132da95d5d7
SHA256 727b9b7061ce4222ffa60b71ec559ff84a8998b6d5d6a3c77073167e56da17b2
SHA512 a9ad33225eb9baaf95e6c00890a8eb92e12665113b343dda933609e526b276e92408d94f58edd0ddb64159abfc8ebb10b24bef18ac7bac73791837ea8b6fe7f8

memory/2684-170-0x0000000000A10000-0x0000000000DF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

MD5 2f5c5f2acdd98034e5320a6eeb1700b7
SHA1 ac6420e723c58e473c0924a25b1bc0d8e0d94640
SHA256 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9
SHA512 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG

MD5 0028d88c77614bd1bb9c75c3ec8b23b2
SHA1 ddf237e383d35fd6b0c5edffcef582ec92738b00
SHA256 312bcd1f10bac3f8a0bd9bed46bb8e8a42ed0224ff0e1be3a5f748401b47cdbc
SHA512 bbe62015d6fb2846354f4a208300493ad8e3206e3e790c443f2043e26f7b94fe435a825fee157067b0c9f907d2d25b67e1d7a712470397912ca58cccd3971f03

memory/2684-234-0x0000000000A10000-0x0000000000DF8000-memory.dmp

memory/2684-240-0x0000000000A10000-0x0000000000DF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

MD5 2f5c5f2acdd98034e5320a6eeb1700b7
SHA1 ac6420e723c58e473c0924a25b1bc0d8e0d94640
SHA256 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9
SHA512 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

MD5 2f5c5f2acdd98034e5320a6eeb1700b7
SHA1 ac6420e723c58e473c0924a25b1bc0d8e0d94640
SHA256 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9
SHA512 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

MD5 bfb7fef65587cea79c37ecdcafb7346e
SHA1 56cffe9303f55b95353cf4957f2c061d076b515d
SHA256 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07
SHA512 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

MD5 bfb7fef65587cea79c37ecdcafb7346e
SHA1 56cffe9303f55b95353cf4957f2c061d076b515d
SHA256 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07
SHA512 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

MD5 bfb7fef65587cea79c37ecdcafb7346e
SHA1 56cffe9303f55b95353cf4957f2c061d076b515d
SHA256 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07
SHA512 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

memory/1344-246-0x0000000000AF0000-0x0000000000BEF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.udv

MD5 1120ff6713728ff084f9885af6ed628b
SHA1 f608ce6972776bdba091300e9db7b7dd881f5417
SHA256 efd99ac7ade1fc59c033c400e15aeaf5530a59ec3e4198878b00eb5c982986f3
SHA512 6cdeca85ecc7163a19a84823ba025207c5f4389017610a986f72f2eeb2e787e1fdab5115bfa978b9fd6617a3165f4a81ccbc71fe7ff05e711963ca6638aebb31

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.txt

MD5 18f43ce321930cb8a58cdaa097cb3fba
SHA1 21ffabcf2d85388cc6a228ee79ec418306b3b00e
SHA256 6f2de64ea421f0b7b63471706524f34b2880079b15b747bc0437a94e3ddee43e
SHA512 e98bcd5a81e683b21799de5b05a9b83758dd590f8965c61fe4702525766723112e97cd9fdee13661732781fc9f26113b90622ccce7b1a68b437926867ec866ad

memory/1344-249-0x00000000006D0000-0x00000000006D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\UIAutomationCore.exe

MD5 2f5c5f2acdd98034e5320a6eeb1700b7
SHA1 ac6420e723c58e473c0924a25b1bc0d8e0d94640
SHA256 8f1f4ce09c9205bcc56e0a9e3304b62231cbca32f3d2c4b29fc0c913dab510d9
SHA512 4bc19221db6b722e1d572898ada90d84a120776493afc3f602e0839fc7cff1168a680054693d8fab398cf7f04caceadb9e80c1b525b856acbc7267e03195ee96

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

MD5 bfb7fef65587cea79c37ecdcafb7346e
SHA1 56cffe9303f55b95353cf4957f2c061d076b515d
SHA256 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07
SHA512 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

memory/2484-262-0x0000000000870000-0x000000000096F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\jlfdbgj\commonbase.dll

MD5 bfb7fef65587cea79c37ecdcafb7346e
SHA1 56cffe9303f55b95353cf4957f2c061d076b515d
SHA256 39673b4f582611c2e7477c82beb580045a8c3e2bbdd3122b66b62fda02909d07
SHA512 91bfc5de181690fc49a97beaacfe0474b8a1f6d93fe1534527331ad075b46ad560a18d30ebb9d5b5fd2de7e84f56a31aee7c6b142113af08684ae6f479f3067d

memory/1344-264-0x00000000033B0000-0x000000000367E000-memory.dmp

memory/1344-265-0x00000000037F0000-0x00000000037F1000-memory.dmp

memory/2484-266-0x0000000002370000-0x0000000002371000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

MD5 3771c9a1eeee342b5d6d556f974176c3
SHA1 30c39a1611e7efe5f1ce626b5be77f0aaa255662
SHA256 d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db
SHA512 5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\usertag

MD5 0c17897d0c1fcc4554485537c3ba97f3
SHA1 89d0b8c7afff99f35650ee56ee2e21bec3e47aca
SHA256 85468845a3be98d410eb0cc1b0b193f822af6eb2457b2eb84a061f8ea6cd0a9f
SHA512 2ff0f7f389b8bcf2b35b58be2c8f45f7123c94c4dc07793ab809df699eddbea858e094564fe7819e61381643a6fed8fea50aa0ed37a9a9771c215e0932cb7350

memory/2484-273-0x0000000000400000-0x00000000004D7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\log.txt

MD5 cfdb70e3cc2d1987fce8051c745bce0c
SHA1 1f8e683788a351e45b498681cf074bd149e1be5b
SHA256 e46d0af620421491328b731cd8c7f673624ad8093a5d5912b6cb8963a6da2132
SHA512 b1eb011c955ce32f4bcbee6800a95570ea5f00cb7d43ea40b30d959f913f4c1dc53a2d456eefbe5ef506119ef4642736b73222c4b6bd195642578ea9eafa69f2

memory/2484-281-0x0000000000870000-0x000000000096F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\Telegram.exe

MD5 3771c9a1eeee342b5d6d556f974176c3
SHA1 30c39a1611e7efe5f1ce626b5be77f0aaa255662
SHA256 d7a1bd68f0c241b86b40a0e8b37149e940d1c069a42ec6053f756d22c86f66db
SHA512 5b703ed1af09c7e4ee5b4154613183a5f5c2ddb51b86e99ab15a7119401f2bd2153501bceec8cc2ac1aff8333f942c4116863e01eaf08ef9e06620ba2404e81f

memory/2484-283-0x00000000029E1000-0x0000000002C45000-memory.dmp

memory/4136-284-0x00000000076B0000-0x00000000076C0000-memory.dmp

memory/1344-285-0x0000000000400000-0x00000000004D7000-memory.dmp

memory/1344-286-0x0000000000AF0000-0x0000000000BEF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\3BAA486BE9BF1618s

MD5 ead9b55575c1b95f89b5a880323d1efb
SHA1 f4e56cd384c697d5c22967ecf3e184156bdd475d
SHA256 267f45ad8807c739e75466b17b324807724ad0a518f1cb7f07f6a4c88557085a
SHA512 37e10e7d07081ff595b7641fb555f713901892c621fa7a827e650393eeaa17f396a978c93c21fe9005982edce52ec99719267b1757e90ffc50ef3862b5f64b96

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\settingss

MD5 3380a7e9f7721ec42c0651f434b56c70
SHA1 48568b2c3a21ff296a2a2b85f04e2e2f6105469e
SHA256 d334dba0b423cf74358b794bf9e7c1289333cd86fdef68bac8c45c8f6714653d
SHA512 6b758286625113aa919760d72b61b8bf06b127cfcf3b4baf8e80993fb17b8ad167659c6779ddcda30fabdcfc82e5e4622cbf7ff30b6269cc92930106fb7959b6

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\shortcuts-default.json

MD5 cc850fd9abce3912c944d77d8955ebc9
SHA1 71e699b4b680aad0bc339a6511afc75ebb898064
SHA256 e98e0cc330528886e469d795e74a240693968d6a88f3de214878d8f5b08d4bad
SHA512 a8d5aad5fe365d9ea261636956952f705353833456a6cf9dbb4b88d87bbdb2fd52823dad9e77932af8615f2a3e7a1c1c1bacdb5cb00e65affb2644ee3f2def80

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\shortcuts-custom.json

MD5 874b930b4c2fddc8043f59113c044a14
SHA1 75b14a96fe1194f27913a096e484283b172b1749
SHA256 f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8
SHA512 f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\key_datas

MD5 c688421cae8171e58612890c99bf42d2
SHA1 9e28a7195e26dc8f57db099e8957dbfea8b3d5d6
SHA256 8fd0684a695ea21c877d634017f499f1cdafeb9cdb877b598212b36a625c27b1
SHA512 f637d3bc7a67486a34f665db73563dbd11b0c63b62df35afbb280a601deaae46e77083597c44082cb9fc1d9e222c170b642cd85d83ba00e9585634969fcc9ef7

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\DA331D8985149F7Fs

MD5 e47df1fab5207e9f89eb9530f559e8de
SHA1 83f016b848b7e1e287532c2ff4c87f0daba7f66f
SHA256 cf10c439da8a3a5a304081c95484a17e31b10dc63c54e2e4e8ead5aa016706a1
SHA512 1edf803b40d70ae584fc4f650d25016326b19696c37797788948acf26a83ec7c905c95cadf54006f82462273e41d248937c06b73de4f52f1f5c8547c14a657da

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\prefix

MD5 47cd49108a29b5b5024ce744ed2169b4
SHA1 8a3a7c67f1d66173132c8f52e1e1233658f653f2
SHA256 cf1832f2ffce3c99e046bf48c0f5184da7dcbcafe2c0c64ee7d4ab86ec7aa47b
SHA512 cfc9a98f737969aa52b33a2d04ff03fe81fbd0e85bba34503df9b34b671120dc3b73d2fc4529d3dc87559ef799e7e4bdfc4c4a807ecf43c53f842ee84800c60e

memory/1344-341-0x00000000033B0000-0x000000000367E000-memory.dmp

memory/4136-342-0x00000000076B0000-0x00000000076C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop 6.28\tdata\6E0F31C32448EA2Bs

MD5 dd100daf08b20f17f9aa763c3e4e399c
SHA1 f67830b32210064a4f9c40f0b9ee4f9f5c00651e
SHA256 727dff58c9efbd608932dec51bf99438ffa9876962f6176b782e0d9b799a6d7c
SHA512 fae7500da218788e6bf508ea47da483cf3dcb738483e1d5d346788eb53f90ca86522dca5c9d05920ab3c52399831c701d5a78369e73c6ec5ce74f99a4159cba2

memory/1344-360-0x0000000000AF0000-0x0000000000BEF000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-06-30 00:17

Reported

2023-06-30 00:26

Platform

win7-20230621-en

Max time kernel

299s

Max time network

274s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"

Signatures

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\ = "URL:Telegram Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tdesktop.tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000_CLASSES\tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
PID 1348 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
PID 1348 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
PID 1348 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
PID 1348 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
PID 1348 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
PID 1348 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
PID 1064 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 1064 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 1064 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 1064 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe

"C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"

C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp" /SL5="$70126,39573139,814592,C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

Network

Country Destination Domain Proto
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
US 149.154.175.100:443 tcp
US 149.154.175.100:80 149.154.175.100 tcp
US 8.8.8.8:53 mozilla.cloudflare-dns.com udp
US 162.159.61.4:443 mozilla.cloudflare-dns.com tcp
NL 149.154.167.91:443 tcp
NL 149.154.167.41:443 tcp
NL 149.154.167.41:80 149.154.167.41 tcp
NL 149.154.167.91:80 149.154.167.91 tcp

Files

memory/1348-54-0x0000000000400000-0x00000000004D4000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp

MD5 ce3b2ef0b07d1770ddd8fa09a34138de
SHA1 d07d12411d4a95cd26701fe83eb6d90d81103eee
SHA256 22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386
SHA512 02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp

MD5 ce3b2ef0b07d1770ddd8fa09a34138de
SHA1 d07d12411d4a95cd26701fe83eb6d90d81103eee
SHA256 22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386
SHA512 02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

memory/1064-61-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1348-63-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/1064-64-0x0000000000400000-0x000000000070F000-memory.dmp

memory/1064-65-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AJL66.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp

MD5 ce3b2ef0b07d1770ddd8fa09a34138de
SHA1 d07d12411d4a95cd26701fe83eb6d90d81103eee
SHA256 22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386
SHA512 02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

\Users\Admin\AppData\Roaming\Telegram Desktop\unins000.exe

MD5 3d03b7877523f08e2d5ce6f9ddbe92ff
SHA1 54fc61352598442e867a31c9654949a9248d5ac7
SHA256 b9400b7cc340fa6494d00d8947b2b185b6c168e485dd584ab82d55edf484e932
SHA512 8ee5a37a06e95ea5a5f3fe7c8d0cffbb4835286b689f4e10c942c4581a7ae5922284a4519424b93dc69830ae5bd7ebf7ae023d3ee3a4b2182c592817144077b8

\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

memory/1064-86-0x0000000000400000-0x000000000070F000-memory.dmp

\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

memory/1064-97-0x0000000000400000-0x000000000070F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

memory/1064-105-0x0000000000400000-0x000000000070F000-memory.dmp

memory/1064-112-0x0000000000400000-0x000000000070F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

MD5 62a89e7867d853fee9ad07b7c9d64379
SHA1 944a53602492187308352103d80ff27af1093abf
SHA256 d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9
SHA512 7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

MD5 62a89e7867d853fee9ad07b7c9d64379
SHA1 944a53602492187308352103d80ff27af1093abf
SHA256 d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9
SHA512 7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

memory/1348-117-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/324-122-0x00000000003B0000-0x00000000003C0000-memory.dmp

memory/324-123-0x0000000000730000-0x000000000073A000-memory.dmp

memory/324-124-0x0000000000730000-0x000000000073A000-memory.dmp

memory/324-126-0x0000000000730000-0x000000000073A000-memory.dmp

memory/324-125-0x0000000000730000-0x000000000073A000-memory.dmp

memory/324-140-0x0000000002130000-0x000000000213A000-memory.dmp

memory/324-141-0x0000000002130000-0x000000000213A000-memory.dmp

\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

memory/324-177-0x0000000002130000-0x000000000213A000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-06-30 00:17

Reported

2023-06-30 00:26

Platform

win10v2004-20230621-en

Max time kernel

300s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{97509A40-DCD6-4F83-9500-9B8FF39CF3A6}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{06D1F97C-8C90-48F4-AE5C-6E3E4607E77E}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A06DA7A3-F34B-445E-8D2E-87C6AB15B49F}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CBAA4597-0059-4D8B-A41B-EF3360D98CBB}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{87F0F882-3AFD-4088-96A8-DDECC74B2757}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CBBF3439-62E8-4B35-9591-9370B4A2BE90}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D1A8C578-8652-4C7B-9876-FADBCDF54A96}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{456E627B-B858-49D2-ADEB-003EB72E8A4F}.catalogItem C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\ = "URL:Telegram Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe

"C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"

C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp" /SL5="$9016E,39573139,814592,C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 248.112.50.184.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
GB 2.22.249.210:443 assets.msn.com tcp
US 8.8.8.8:53 210.249.22.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
US 8.8.8.8:53 51.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 100.76.161.95.in-addr.arpa udp
NL 149.154.167.91:443 tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.91:80 149.154.167.91 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 91.167.154.149.in-addr.arpa udp
SG 149.154.171.5:443 tcp
SG 149.154.171.5:80 149.154.171.5 tcp
US 8.8.8.8:53 dns.google.com udp
US 8.8.4.4:443 dns.google.com tcp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
NL 2.19.195.233:443 assets.msn.com tcp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp
US 8.8.8.8:53 dns.google.com udp

Files

memory/4384-133-0x0000000000400000-0x00000000004D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp

MD5 ce3b2ef0b07d1770ddd8fa09a34138de
SHA1 d07d12411d4a95cd26701fe83eb6d90d81103eee
SHA256 22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386
SHA512 02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

memory/4908-138-0x00000000026F0000-0x00000000026F1000-memory.dmp

memory/4384-140-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/4908-141-0x0000000000400000-0x000000000070F000-memory.dmp

memory/4908-142-0x00000000026F0000-0x00000000026F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp

MD5 ce3b2ef0b07d1770ddd8fa09a34138de
SHA1 d07d12411d4a95cd26701fe83eb6d90d81103eee
SHA256 22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386
SHA512 02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

memory/4908-154-0x0000000000400000-0x000000000070F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

memory/4908-165-0x0000000000400000-0x000000000070F000-memory.dmp

memory/4908-180-0x0000000000400000-0x000000000070F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

memory/4908-191-0x0000000000400000-0x000000000070F000-memory.dmp

memory/3456-192-0x00000165A0160000-0x00000165A0170000-memory.dmp

memory/4384-193-0x0000000000400000-0x00000000004D4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

MD5 62a89e7867d853fee9ad07b7c9d64379
SHA1 944a53602492187308352103d80ff27af1093abf
SHA256 d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9
SHA512 7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 fd8304d231ca5513640145cabf30a301
SHA1 67ad3eaca6099311f4ca0f7d0faee89a94916107
SHA256 4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e
SHA512 7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

MD5 62a89e7867d853fee9ad07b7c9d64379
SHA1 944a53602492187308352103d80ff27af1093abf
SHA256 d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9
SHA512 7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0