d4a209ac6981db5c2d7dd8aa7392564cfbcca8bc66e19ee5543ab345d82f0529

Analysis

max time kernel
598s
max time network
604s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2023 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TelegCN4.12.msi
Size

56.3MB
MD5

990f66c0fd150ec9a1a807326f71dc5d
SHA1

56aeed18f7e9ac71cff0111231d2a32d465737bb
SHA256

d4a209ac6981db5c2d7dd8aa7392564cfbcca8bc66e19ee5543ab345d82f0529
SHA512

dacbf464731627f221aa40ba7bdb76b703a97910bad93583d20ac930b467f1f311f21512bede6096b0556e7075fd136bc0c3145fa392f6e2523527ed0f9632b0
SSDEEP

1572864:zii8ks/kE4Gbo3uZvS/FWhEjVIouVzJ2VT6CWJLrVWQTsm:zNc/+R+Z6/FfjVI3V92VTE5q

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

TelegInstall.exe

description pid process target process

PID 4868 created 3144 4868 TelegInstall.exe Explorer.EXE
Executes dropped EXE 3 IoCs

Processes:

TelegInstall.exeMonitoring.exeMonitoring.exe

pid process

4868 TelegInstall.exe
3284 Monitoring.exe
2236 Monitoring.exe

description	pid	process	target process
PID 4868 created 3144	4868	TelegInstall.exe	Explorer.EXE

pid	process
4868	TelegInstall.exe
3284	Monitoring.exe
2236	Monitoring.exe

Loads dropped DLL 17 IoCs

Processes:

MsiExec.exeMsiExec.exeTelegInstall.exeMonitoring.exeMonitoring.exe

pid	process
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
4244	MsiExec.exe
4868	TelegInstall.exe
4868	TelegInstall.exe
4868	TelegInstall.exe
3284	Monitoring.exe
3284	Monitoring.exe
2236	Monitoring.exe
2236	Monitoring.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

54 ifconfig.me
55 ifconfig.me
60 ifconfig.me

flow	ioc
54	ifconfig.me
55	ifconfig.me
60	ifconfig.me

Drops file in System32 directory 8 IoCs

Processes:

wuauclt.exewuauclt.exewuauclt.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Logs\windows-update-log-20230809.log	wuauclt.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Logs\windows-update-log-20230809.log_lock	wuauclt.exe
File opened for modification	C:\Windows\System32\ƀÀ	wuauclt.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Logs\windows-update-log-20230809.log	wuauclt.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Logs\windows-update-log-20230809.log_lock	wuauclt.exe
File opened for modification	C:\Windows\System32\⍀ À	wuauclt.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	wuauclt.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	wuauclt.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI5B37.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{ED3FB6C3-8BA3-4E66-B9BC-B677573B88DD}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EE1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{ED3FB6C3-8BA3-4E66-B9BC-B677573B88DD}\Telegram.exe	msiexec.exe
File created	C:\Windows\Installer\e59583a.msi	msiexec.exe
File created	C:\Windows\Installer\e595838.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{ED3FB6C3-8BA3-4E66-B9BC-B677573B88DD}\Telegram.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e595838.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A1C.tmp	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

wuauclt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time"	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time"	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-492 = "India Standard Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	wuauclt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	wuauclt.exe

Modifies registry class 25 IoCs

Processes:

msiexec.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\SourceList\PackageName = "TelegCN4.12.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\Version = "33554441"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\ProductIcon = "C:\\Windows\\Installer\\{ED3FB6C3-8BA3-4E66-B9BC-B677573B88DD}\\Telegram.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2A36A04B203AC1C489229461BC0DA33D\3C6BF3DE3AB866E49BCB6B7775B388DD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C6BF3DE3AB866E49BCB6B7775B388DD\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\ProductName = "Telegram Desktop"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\PackageCode = "23CCAC809B05A1A448B567FC5B62EF3B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C6BF3DE3AB866E49BCB6B7775B388DD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2A36A04B203AC1C489229461BC0DA33D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C6BF3DE3AB866E49BCB6B7775B388DD\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msiexec.exeTelegInstall.exeMonitoring.exeMonitoring.exewuauclt.exewuauclt.exe

pid	process
1964	msiexec.exe
1964	msiexec.exe
4868	TelegInstall.exe
4868	TelegInstall.exe
3284	Monitoring.exe
3284	Monitoring.exe
2236	Monitoring.exe
2236	Monitoring.exe
668
668
1920	wuauclt.exe
1920	wuauclt.exe
4284	wuauclt.exe
4284	wuauclt.exe
668
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4688	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4688	msiexec.exe
Token: SeSecurityPrivilege	1964	msiexec.exe
Token: SeCreateTokenPrivilege	4688	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4688	msiexec.exe
Token: SeLockMemoryPrivilege	4688	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4688	msiexec.exe
Token: SeMachineAccountPrivilege	4688	msiexec.exe
Token: SeTcbPrivilege	4688	msiexec.exe
Token: SeSecurityPrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeLoadDriverPrivilege	4688	msiexec.exe
Token: SeSystemProfilePrivilege	4688	msiexec.exe
Token: SeSystemtimePrivilege	4688	msiexec.exe
Token: SeProfSingleProcessPrivilege	4688	msiexec.exe
Token: SeIncBasePriorityPrivilege	4688	msiexec.exe
Token: SeCreatePagefilePrivilege	4688	msiexec.exe
Token: SeCreatePermanentPrivilege	4688	msiexec.exe
Token: SeBackupPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeShutdownPrivilege	4688	msiexec.exe
Token: SeDebugPrivilege	4688	msiexec.exe
Token: SeAuditPrivilege	4688	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4688	msiexec.exe
Token: SeChangeNotifyPrivilege	4688	msiexec.exe
Token: SeRemoteShutdownPrivilege	4688	msiexec.exe
Token: SeUndockPrivilege	4688	msiexec.exe
Token: SeSyncAgentPrivilege	4688	msiexec.exe
Token: SeEnableDelegationPrivilege	4688	msiexec.exe
Token: SeManageVolumePrivilege	4688	msiexec.exe
Token: SeImpersonatePrivilege	4688	msiexec.exe
Token: SeCreateGlobalPrivilege	4688	msiexec.exe
Token: SeCreateTokenPrivilege	4688	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4688	msiexec.exe
Token: SeLockMemoryPrivilege	4688	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4688	msiexec.exe
Token: SeMachineAccountPrivilege	4688	msiexec.exe
Token: SeTcbPrivilege	4688	msiexec.exe
Token: SeSecurityPrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeLoadDriverPrivilege	4688	msiexec.exe
Token: SeSystemProfilePrivilege	4688	msiexec.exe
Token: SeSystemtimePrivilege	4688	msiexec.exe
Token: SeProfSingleProcessPrivilege	4688	msiexec.exe
Token: SeIncBasePriorityPrivilege	4688	msiexec.exe
Token: SeCreatePagefilePrivilege	4688	msiexec.exe
Token: SeCreatePermanentPrivilege	4688	msiexec.exe
Token: SeBackupPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeShutdownPrivilege	4688	msiexec.exe
Token: SeDebugPrivilege	4688	msiexec.exe
Token: SeAuditPrivilege	4688	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4688	msiexec.exe
Token: SeChangeNotifyPrivilege	4688	msiexec.exe
Token: SeRemoteShutdownPrivilege	4688	msiexec.exe
Token: SeUndockPrivilege	4688	msiexec.exe
Token: SeSyncAgentPrivilege	4688	msiexec.exe
Token: SeEnableDelegationPrivilege	4688	msiexec.exe
Token: SeManageVolumePrivilege	4688	msiexec.exe
Token: SeImpersonatePrivilege	4688	msiexec.exe
Token: SeCreateGlobalPrivilege	4688	msiexec.exe
Token: SeCreateTokenPrivilege	4688	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4688	msiexec.exe
Token: SeLockMemoryPrivilege	4688	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4688 msiexec.exe
4688 msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wuauclt.exewuauclt.exe

pid process

1920 wuauclt.exe
4284 wuauclt.exe

pid	process
4688	msiexec.exe
4688	msiexec.exe

pid	process
1920	wuauclt.exe
4284	wuauclt.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

msiexec.exeTelegInstall.exeMonitoring.exe

description	pid	process	target process
PID 1964 wrote to memory of 4244	1964	msiexec.exe	MsiExec.exe
PID 1964 wrote to memory of 4244	1964	msiexec.exe	MsiExec.exe
PID 1964 wrote to memory of 4244	1964	msiexec.exe	MsiExec.exe
PID 1964 wrote to memory of 4064	1964	msiexec.exe	srtasks.exe
PID 1964 wrote to memory of 4064	1964	msiexec.exe	srtasks.exe
PID 1964 wrote to memory of 1780	1964	msiexec.exe	MsiExec.exe
PID 1964 wrote to memory of 1780	1964	msiexec.exe	MsiExec.exe
PID 1964 wrote to memory of 1780	1964	msiexec.exe	MsiExec.exe
PID 4868 wrote to memory of 3284	4868	TelegInstall.exe	Monitoring.exe
PID 4868 wrote to memory of 3284	4868	TelegInstall.exe	Monitoring.exe
PID 4868 wrote to memory of 4160	4868	TelegInstall.exe	cmd.exe
PID 4868 wrote to memory of 4160	4868	TelegInstall.exe	cmd.exe
PID 3284 wrote to memory of 3976	3284	Monitoring.exe	explorer.exe
PID 3284 wrote to memory of 3976	3284	Monitoring.exe	explorer.exe
PID 3284 wrote to memory of 3976	3284	Monitoring.exe	explorer.exe
PID 3284 wrote to memory of 3976	3284	Monitoring.exe	explorer.exe
PID 3284 wrote to memory of 3976	3284	Monitoring.exe	explorer.exe
PID 668 wrote to memory of 2836	668		sysmon.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 2836	668		sysmon.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2248	668		svchost.exe
PID 668 wrote to memory of 2836	668		sysmon.exe
PID 668 wrote to memory of 4284	668		wuauclt.exe
PID 668 wrote to memory of 4284	668		wuauclt.exe
PID 668 wrote to memory of 4284	668		wuauclt.exe
PID 668 wrote to memory of 2932	668		wmiprvse.exe
PID 668 wrote to memory of 2248	668		svchost.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 1920	668		wuauclt.exe
PID 668 wrote to memory of 2228	668		wuauclt.exe
PID 668 wrote to memory of 2228	668		wuauclt.exe
PID 668 wrote to memory of 2228	668		wuauclt.exe
PID 668 wrote to memory of 2836	668		sysmon.exe
PID 668 wrote to memory of 2176	668		wuauclt.exe
PID 668 wrote to memory of 2176	668		wuauclt.exe
PID 668 wrote to memory of 2836	668		sysmon.exe
PID 668 wrote to memory of 2176	668		wuauclt.exe
PID 668 wrote to memory of 2836	668		sysmon.exe
PID 668 wrote to memory of 2836	668		sysmon.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3144

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TelegCN4.12.msi
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4688

C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\TelegInstall.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\TelegInstall.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SYSTEM32\cmd.exe
cmd /k del "C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\TelegInstall.exe"& del "C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\x64bridge.dll"& del "C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\msvcr120.dll"& del "C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\msvcp120.dll"& exit
3⤵
PID:4160

C:\ProgramData\MonitorService\Monitoring.exe
C:\ProgramData\MonitorService\Monitoring.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
- Modifies registry class
PID:3976

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 92C359683B9C1D125088C910E8FA25DA C
2⤵
- Loads dropped DLL
PID:4244

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4064

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 821655D6F90F6A328B471A981FB8A69B
2⤵
- Loads dropped DLL
PID:1780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3936

C:\ProgramData\MonitorService\Monitoring.exe
C:\ProgramData\MonitorService\Monitoring.exe -svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Windows\System32\wuauclt.exe
C:\Windows\System32\wuauclt.exe
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2932

C:\Windows\System32\wuauclt.exe
C:\Windows\System32\wuauclt.exe
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\System32\wuauclt.exe
C:\Windows\System32\wuauclt.exe
1⤵
- Drops file in System32 directory
PID:2228

C:\Windows\System32\wuauclt.exe
C:\Windows\System32\wuauclt.exe
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e595839.rbs

Filesize
9KB

MD5
51dd64a5b5311dc9f39b6e2e60fa900d

SHA1
592dd3a341121bb2215f5f6fb9f2d9df1693937d

SHA256
5b84995835aa08707f5a08fcb3482eff98aa97f15af8f42f1c89bb2e0581d6a8

SHA512
f89dd1c6d207c7fa08dd88c66268b7b070d79fb17ce0bacd7fa1218453908da868b4ee1cbebbdf27b1872a77559ca330bb3a53abe3e0575fab58c6db55b97a9a

Download Submit
C:\ProgramData\Microsoft\Windows\OneSettings\checkcfg.dat

Filesize
36B

MD5
e0115580fa0c8f54c1dee03cbb859797

SHA1
ac6316a6b17d35f93020629d3b3ab1366f873fd4

SHA256
304900d707569fe9f307de60c89487a4b4c4caf9dea93de281666523d3ec3c62

SHA512
23ccd19caedacba3e7e1b9e9d1a529c66bc51ad2804c98d653f93ab399d748af548bf5b299f61299a974b63082d07c10430fa12bf2d88ba04f15cf73944db9d4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
756b5be3ade60293e414dd6d8d197ce8

SHA1
66621291b4d89691f3ab9eaec24c3e8e5f087d2b

SHA256
454fb2d04f69a374ae1e5172572d18ea5f6ba26a7d299aaed671c4c8b2be65e9

SHA512
38b5f10e6cfbfd60985aafcd12a680cb362be2250fdbe239cc496146bf12166824c8784a63534670606ca42d06e9f733f0e70fd53a9e0ccf62e82a669d1fcd48

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
b620c2a96756b37c2c1fccedc8dd1c91

SHA1
c3ce5159324c5d8667c5e49c7ce239b08576f39a

SHA256
9f3e0832e5195f3cfb883aa7a3349e6deaedf804e355a41406fdef62effb40cf

SHA512
4756d959e4d92fb1ea3153994a3c06edd8fae1f3572729b7a8eeed8a4fc50a53cd407bec62bcc1f7633541c807251e9a9bb622c8376cbeb48acdbaf6bdf41ae0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
16fb0b037f71f7103c484aa890ff44c9

SHA1
8a5e539489ec9c3b0dc5e3ea59cc27f51ded660c

SHA256
bafbc92927806289ebceb6927fc46c6738513a1e687993ef3f51485dd1f48e0b

SHA512
60ffb4944f295e9c039177ff0b2f34bd93988e1f391b15e3e61f1ee00b7e838971c72664f92e7be415095e08bce0ef0555c7a0e65d528ffce9df0ccf7d755d0c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
195ffafcb900f183f14b929a0b118514

SHA1
a7e9d4d800898ca91455b9ed5f3957f6c82f5a52

SHA256
0ce19b7cb0ba0dcc9abba512ed43f3c9ca2299eb88144ef21636abb616f56720

SHA512
105434f261bf3177c9c20ba992046ad64aadaecabc2831a6d4c6d668101888391ac4d5a7470ac2b6cafaed874866c7efebcb36f1ff413c88fb38e80dfd3c3f9c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
8de085f02a7ef300fce465c28ff68498

SHA1
a8158d090722f458e862eea670f6da401e6a9bc6

SHA256
609bbafffa3d2fdadea6c2d49ae1cd42a67a8bf1a05584f80f161d82ef5a79a0

SHA512
ca6d746364dca3e761435838f935556be907cdd5f6bebc1aa1dc2729760fccd0981503a374ed1206831a94c940240e4f29c37d31b887f1b3f245ff609b13d04e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
8de085f02a7ef300fce465c28ff68498

SHA1
a8158d090722f458e862eea670f6da401e6a9bc6

SHA256
609bbafffa3d2fdadea6c2d49ae1cd42a67a8bf1a05584f80f161d82ef5a79a0

SHA512
ca6d746364dca3e761435838f935556be907cdd5f6bebc1aa1dc2729760fccd0981503a374ed1206831a94c940240e4f29c37d31b887f1b3f245ff609b13d04e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
52ce83e3742c711b00ed82fcbcfd8694

SHA1
1edc24880673fb07a4c789704e01005da3f715d5

SHA256
303ca904b075f558183730b8703e75a1975c660c2920373a02b75ff6e26dae13

SHA512
c6921b334ae601495d0ac557e24d72d28eff9b19a540a04d9fbb0a1a0bdb08e5b28749b0afdc9f31650102d79568585e1d1f2925d8c9553c79a3e5d843e9a236

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
52ce83e3742c711b00ed82fcbcfd8694

SHA1
1edc24880673fb07a4c789704e01005da3f715d5

SHA256
303ca904b075f558183730b8703e75a1975c660c2920373a02b75ff6e26dae13

SHA512
c6921b334ae601495d0ac557e24d72d28eff9b19a540a04d9fbb0a1a0bdb08e5b28749b0afdc9f31650102d79568585e1d1f2925d8c9553c79a3e5d843e9a236

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
1b47d566af202bc790baea1962b43891

SHA1
b10a1ad5614090e6d824b3cc62ca26eefe1e02b3

SHA256
3d3a621caa65e3bc8a2174259c11319fa1902c16cfe490c7be59717fde9fa976

SHA512
97cd9b61148df2aee2e3d6edec00f2dc1d795068929f91e367b65301a5702ddc6bde21b3d8bcf6640d7c4e1a6f6c9e3fffa2afd94917739c3d1303919845eace

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
1a910bc4a706f1fe0d68d2eb818c5fb8

SHA1
1139c408b96ec5c6d524e5aed38f7bbf3a422199

SHA256
250163ce77421a3ce91bce3430ad98900a12bc601415264f45ba33ebc0be12ee

SHA512
ec287d45098e130bccb57bcd2e10b632160001f7d479fa6b40c9688a7abf5bcb28c268f8f1e29ef62b51b298e1f1606922de67b2af4a1713ac34f954b9ddd393

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
09ec65d12eec2022b2e4367135c0a252

SHA1
905c9b1463080f792f04fa7dc92aa0eda9427465

SHA256
06a44da9dc49f0b2af0dcf9ae5260e9dc37a067a6d9bcea108ddbaa4040974e3

SHA512
326014986b86edf7a14f725375629eada7238d943c6a1e54f63847277dda7bbb6db51883a9ab3bf45a03680811d43b3f49eff2d30bdf3d370b235d9798338a14

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
f7947a29f1e403b9429fa90a4910b561

SHA1
bc09a1772e1471c6ac0f7c9b083c0d2fe71e7f7b

SHA256
5c7ad8904caf574aac901ca167e0890038d18d0ea19b44b09cc5d2d3b262801a

SHA512
0c612a961d773225d95b2109b19924677c3ddfca6def8a496da7a5e2472a9493499e9e75165b20cad3d251afe5c474fdd77f907f0ef5b466dcb0cd9790494970

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
bc9857960ecdca45adf94a549cc16622

SHA1
9a3ab3ffc7eb65cb8c2a19a2c35a9f2c0a4f1c52

SHA256
62c6aa77cbcdb2a65c494cff813411b860835e1592ebfe25481e912a793935f9

SHA512
bd38e28b9843ca57b173ad2209cf1642d4f0d3ffdbdc7416ec43b2d8408fa62858764cc5bc38b67e02a746574bd8919c782d9601036827d2aaa80dd9d4bc9da8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
6fba0454c4ff06fcdff0efce3d90a48e

SHA1
33e9f7b6a972b3984ed1e3c4de6454e9badd9c4c

SHA256
4ae855469df248e5789341bdae86fdac905bb93d9db71c53a4df227db4bbe243

SHA512
e37778ebfabdd26b82c5e6614f6473206ecc29b47eebe51620aa065e7e6309d9d553235a5ab29a9d253e22de6f02f79c3e9f08c9b31d94df5d61c011551c2f55

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
13b68f70baac20557b592fd9f151c9aa

SHA1
8f1dc5007bb831e993b888434aeba34c91a2a8e2

SHA256
42f05f3b2d732610fd4f42fb3b94752ad9c28a452d6dd58797f3886dad61eed2

SHA512
0863e6b04ea884c95f4b741232f1e81e72e69ec6b3ba2dcf88988ee379738b18b32287ec3f339260c61a9fe27016f62ae10d459afc40745eef91c403e49c3afa

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mapscache\2023-08-09

Filesize
208B

MD5
13b68f70baac20557b592fd9f151c9aa

SHA1
8f1dc5007bb831e993b888434aeba34c91a2a8e2

SHA256
42f05f3b2d732610fd4f42fb3b94752ad9c28a452d6dd58797f3886dad61eed2

SHA512
0863e6b04ea884c95f4b741232f1e81e72e69ec6b3ba2dcf88988ee379738b18b32287ec3f339260c61a9fe27016f62ae10d459afc40745eef91c403e49c3afa

Download Submit
C:\ProgramData\MonitorService\HealthServiceRuntime.dll

Filesize
122KB

MD5
aa718d76d924d35c3f0dda4649b6f9e1

SHA1
58d385b88250dd4b7db5709e99ecc841b63ce95f

SHA256
ec24962535617cf753acd339c0d66c06ce0d467dcf0abfcc863f5028557f3b8c

SHA512
684518c9c12c16ac7cb73f2c63c0d16c408b2dd9cf966b8d54a74d90c5ac544b8d18fab68f26383a5176d50c888ad831e1fcef229171b6bda263e9165723f84e

Download Submit
C:\ProgramData\MonitorService\HealthServiceRuntime.dll

Filesize
122KB

MD5
aa718d76d924d35c3f0dda4649b6f9e1

SHA1
58d385b88250dd4b7db5709e99ecc841b63ce95f

SHA256
ec24962535617cf753acd339c0d66c06ce0d467dcf0abfcc863f5028557f3b8c

SHA512
684518c9c12c16ac7cb73f2c63c0d16c408b2dd9cf966b8d54a74d90c5ac544b8d18fab68f26383a5176d50c888ad831e1fcef229171b6bda263e9165723f84e

Download Submit
C:\ProgramData\MonitorService\HealthServiceRuntime.dll

Filesize
122KB

MD5
aa718d76d924d35c3f0dda4649b6f9e1

SHA1
58d385b88250dd4b7db5709e99ecc841b63ce95f

SHA256
ec24962535617cf753acd339c0d66c06ce0d467dcf0abfcc863f5028557f3b8c

SHA512
684518c9c12c16ac7cb73f2c63c0d16c408b2dd9cf966b8d54a74d90c5ac544b8d18fab68f26383a5176d50c888ad831e1fcef229171b6bda263e9165723f84e

Download Submit
C:\ProgramData\MonitorService\MSVCR120.dll

Filesize
940KB

MD5
b70474fe249402e251a94753b742788c

SHA1
f53b3c21adf75dc84977067869253e207f1b9795

SHA256
753ac30c30aae62415cc225e3d057b8b6254afe280696e0a43f1a7c3132632a6

SHA512
7776e05fe58cb3c12a4a020def9596ecfb6dc1b1f8ca010ec27a8ae027eadf1eef901acbafe042e2f7b31d1920f62ce163342acf37f96802ec27d68ac7bf972e

Download Submit
C:\ProgramData\MonitorService\Monitoring.exe

Filesize
30KB

MD5
0bd5e02b3f1a21a37836b531163a03f5

SHA1
53e805edd93db58deea23b87eca8dd5cf8bec61f

SHA256
18a6bab96c2bac36f67a501a2c4e3e943b694fed8bcc759b6860708fb3732d93

SHA512
bbd019131ffe608ff5483328545e882218d4371f1ce73e13cb104b4542981d0a5e81c3f239ca82d6a4830d6740abe3946fc513ed6ce04d866fe77c3e1c3e0ef9

Download Submit
C:\ProgramData\MonitorService\Monitoring.exe

Filesize
30KB

MD5
0bd5e02b3f1a21a37836b531163a03f5

SHA1
53e805edd93db58deea23b87eca8dd5cf8bec61f

SHA256
18a6bab96c2bac36f67a501a2c4e3e943b694fed8bcc759b6860708fb3732d93

SHA512
bbd019131ffe608ff5483328545e882218d4371f1ce73e13cb104b4542981d0a5e81c3f239ca82d6a4830d6740abe3946fc513ed6ce04d866fe77c3e1c3e0ef9

Download Submit
C:\ProgramData\MonitorService\Monitoring.exe

Filesize
30KB

MD5
0bd5e02b3f1a21a37836b531163a03f5

SHA1
53e805edd93db58deea23b87eca8dd5cf8bec61f

SHA256
18a6bab96c2bac36f67a501a2c4e3e943b694fed8bcc759b6860708fb3732d93

SHA512
bbd019131ffe608ff5483328545e882218d4371f1ce73e13cb104b4542981d0a5e81c3f239ca82d6a4830d6740abe3946fc513ed6ce04d866fe77c3e1c3e0ef9

Download Submit
C:\ProgramData\MonitorService\Monitoring.log

Filesize
1.5MB

MD5
0e80d4803aba730d9170343463228e40

SHA1
8d4dd3631da269bb26cbbaf2a92b4aa1113f20bd

SHA256
9e8c87ec0d9662a9389e9ec55611bd38557daae368f81e1a2a99bd713dba6868

SHA512
f9355a51ee562f2e7a966f1b540115c02775fa64c50ef2edf7d2df00a05f157900f57c7a0a45be4ec0c05c5a50ff8cf5b15d7bad5651ccb9423ec1e285aa72a8

Download Submit
C:\ProgramData\MonitorService\MonitoringCore.log

Filesize
5.4MB

MD5
ff7990e4f27f6b063bc83a75fec1ee57

SHA1
6acb67980728debb5b69569420053ffaf823dad4

SHA256
d2235b6f971a4efca08e0a173ecf3ea9afbbd2ffb37b2bbdd90119e1628f124b

SHA512
c8de764c2884cc778a4f4126378ca3a82ac61c41c644182bd7d1243c98e2aafe14676ad6864d29fb05f0a34c0a445b0a14a35351ea85af27220e8730a90da94b

Download Submit
C:\ProgramData\MonitorService\MonitoringService.log

Filesize
303KB

MD5
7a585c4459a6c26f76abbca40679e568

SHA1
a24dece4d5a563ff4710b06c204363c6bef55568

SHA256
44d5698b1419a85db3263e307085b5e8836a337f33ba0d91625c8b84b500e518

SHA512
f24783d559d53545a7049ba79adcaad113fb0931303ca6badeb5aea174dbf0e68d4ecd8f2a31333da8009c3acdf193a686761ef9f9492d29b2d085bc0f034248

Download Submit
C:\ProgramData\MonitorService\msvcr120.dll

Filesize
940KB

MD5
b70474fe249402e251a94753b742788c

SHA1
f53b3c21adf75dc84977067869253e207f1b9795

SHA256
753ac30c30aae62415cc225e3d057b8b6254afe280696e0a43f1a7c3132632a6

SHA512
7776e05fe58cb3c12a4a020def9596ecfb6dc1b1f8ca010ec27a8ae027eadf1eef901acbafe042e2f7b31d1920f62ce163342acf37f96802ec27d68ac7bf972e

Download Submit
C:\ProgramData\MonitorService\msvcr120.dll

Filesize
940KB

MD5
b70474fe249402e251a94753b742788c

SHA1
f53b3c21adf75dc84977067869253e207f1b9795

SHA256
753ac30c30aae62415cc225e3d057b8b6254afe280696e0a43f1a7c3132632a6

SHA512
7776e05fe58cb3c12a4a020def9596ecfb6dc1b1f8ca010ec27a8ae027eadf1eef901acbafe042e2f7b31d1920f62ce163342acf37f96802ec27d68ac7bf972e

Download Submit
C:\ProgramData\MonitorService\temp.ini

Filesize
2KB

MD5
def4b19b890f22a7bd14af1f96d1e410

SHA1
1981f01b80220128d80f595ff2036493d98b885d

SHA256
30e45d001d19b6fa3e987dbee9d29ae05cd4f7c4435618936fc7bec5991751de

SHA512
4daef889e78ea3374e830ba5c31769bf7bc7cbee89bcc2cfdafc759c249c5d7fb174b52a3a39b94535030cd02d462bad455f3191eb3cd4a3da13802aa3848be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI408E.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI408E.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI531D.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI531D.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI535D.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI535D.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI535D.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI53FA.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI53FA.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI543A.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI543A.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI58CE.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI58CE.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI72B0.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI72B0.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8AC9.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8AC9.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Logs\windows-update-log-20230809.log

Filesize
1KB

MD5
9de55002b07c64dbc20918c7d1a9abc7

SHA1
c9c8695e0a8d1f5c08a4de30ae50d0df109091de

SHA256
7036af793c5a2c8f00c875cd9f5626822a7dd81101c4961653627751cb711b13

SHA512
fbf69e714f6d54508d79b74d9c9b32867953837c699e4b37b7d2dedb0a399bdde1d829924e5bc71cce91c0f7f66956b14cb40d256a13846cd460e0a94496eba2

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\MSVCP120.dll

Filesize
644KB

MD5
edef53778eaafe476ee523be5c2ab67f

SHA1
58c416508913045f99cdf559f31e71f88626f6de

SHA256
92faedd18a29e1bd2dd27a1d805ea5aa3e73b954a625af45a74f49d49506d20f

SHA512
7fc931c69aca6a09924c84f57a4a2bcf506859ab02f622d858e9e13d5917c5d3bdd475ba88f7a7e537bdae84ca3df9c3a7c56b2b0ca3c2d463bd7e9b905e2ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\MSVCR120.dll

Filesize
940KB

MD5
aeb29ccc27e16c4fd223a00189b44524

SHA1
45a6671c64f353c79c0060bdafea0ceb5ad889be

SHA256
d28c7ab34842b6149609bd4e6b566ddab8b891f0d5062480a253ef20a6a2caaa

SHA512
2ec4d768a07cfa19d7a30cbd1a94d97ba4f296194b9c725cef8e50a2078e9e593a460e4296e033a05b191dc863acf6879d50c2242e82fe00054ca1952628e006

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\TelegInstall.exe

Filesize
59KB

MD5
7e7a1ca41c9bd33ce50483d575148235

SHA1
70e38b6d3c4885b0d08dc0868b733f76287ad0fd

SHA256
fee71869de9614ed3cec2a802a725e44e7f7f1ef81d6b71d28f74762b3ff7f39

SHA512
130919a4a7489e7c85965143b74fb9c9c04f1aa1c14d91339b60c38fa0bceecbc3e3299460ec7c44ef44a8d1c8414354cf9f7f128cdcb8acfbded24dc5607c23

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\TelegInstall.exe

Filesize
59KB

MD5
7e7a1ca41c9bd33ce50483d575148235

SHA1
70e38b6d3c4885b0d08dc0868b733f76287ad0fd

SHA256
fee71869de9614ed3cec2a802a725e44e7f7f1ef81d6b71d28f74762b3ff7f39

SHA512
130919a4a7489e7c85965143b74fb9c9c04f1aa1c14d91339b60c38fa0bceecbc3e3299460ec7c44ef44a8d1c8414354cf9f7f128cdcb8acfbded24dc5607c23

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\msvcp120.dll

Filesize
644KB

MD5
edef53778eaafe476ee523be5c2ab67f

SHA1
58c416508913045f99cdf559f31e71f88626f6de

SHA256
92faedd18a29e1bd2dd27a1d805ea5aa3e73b954a625af45a74f49d49506d20f

SHA512
7fc931c69aca6a09924c84f57a4a2bcf506859ab02f622d858e9e13d5917c5d3bdd475ba88f7a7e537bdae84ca3df9c3a7c56b2b0ca3c2d463bd7e9b905e2ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\msvcr120.dll

Filesize
940KB

MD5
aeb29ccc27e16c4fd223a00189b44524

SHA1
45a6671c64f353c79c0060bdafea0ceb5ad889be

SHA256
d28c7ab34842b6149609bd4e6b566ddab8b891f0d5062480a253ef20a6a2caaa

SHA512
2ec4d768a07cfa19d7a30cbd1a94d97ba4f296194b9c725cef8e50a2078e9e593a460e4296e033a05b191dc863acf6879d50c2242e82fe00054ca1952628e006

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\x64bridge.dll

Filesize
9.7MB

MD5
1a332c2431936dbadb2256ffcb5517ca

SHA1
2d170095dff899704372a9ea433e8d9559e7d55a

SHA256
2cea8cb71c03c9d866b7332bda23dfbd5ec5909fb4cca9696374e11d9dc821b6

SHA512
c2256470a099ad7966ecbb508be79569dbe918a9ac7cbc6d01941b5ea3f8100a5e1889a28b0910b11716479069849e0297a86e630c0137a9fef2eff458de4ace

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\x64bridge.dll

Filesize
9.7MB

MD5
1a332c2431936dbadb2256ffcb5517ca

SHA1
2d170095dff899704372a9ea433e8d9559e7d55a

SHA256
2cea8cb71c03c9d866b7332bda23dfbd5ec5909fb4cca9696374e11d9dc821b6

SHA512
c2256470a099ad7966ecbb508be79569dbe918a9ac7cbc6d01941b5ea3f8100a5e1889a28b0910b11716479069849e0297a86e630c0137a9fef2eff458de4ace

Download Submit
C:\Users\Public\Documents\41C78525\edbtmp.log

Filesize
5KB

MD5
0221f62df912cc04604c6361d1286457

SHA1
a5efc8fb6e911a994ded0e6238abe561a9ab2881

SHA256
6946193b3236b8e6cde4a3d5dbc060a1e10eb82b1a0ccdb240031b9f094bc33a

SHA512
ba851f50b588bd1df43e3e29e910ab525932642301f25569c682e682a767845492b175562dd6c45f2ce0af2bddc7376e0e8dcd6be22aed653fa01c9a8e1f6849

Download Submit
C:\Windows\Installer\MSI5A1C.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Windows\Installer\MSI5A1C.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Windows\Installer\MSI5B37.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Windows\Installer\MSI5B37.tmp

Filesize
349KB

MD5
8752c01d76bc7b3a38b6acaf5b9c387b

SHA1
8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

SHA256
344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

SHA512
5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

Download Submit
C:\Windows\Installer\e595838.msi

Filesize
56.3MB

MD5
990f66c0fd150ec9a1a807326f71dc5d

SHA1
56aeed18f7e9ac71cff0111231d2a32d465737bb

SHA256
d4a209ac6981db5c2d7dd8aa7392564cfbcca8bc66e19ee5543ab345d82f0529

SHA512
dacbf464731627f221aa40ba7bdb76b703a97910bad93583d20ac930b467f1f311f21512bede6096b0556e7075fd136bc0c3145fa392f6e2523527ed0f9632b0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Logs\windows-update-log-20230809.log

Filesize
2KB

MD5
f7aeb8267f5f790a885ed683b53e3180

SHA1
ec59b914e03d714d2e7fbc07cba0426c8aae8abb

SHA256
9723f75af81b022d35702a6def341e794ffdb0670f821d18e5ee895cdbe39070

SHA512
906934f4f841632c7ac9bdea2326cffe547819c616e246d3bda45529e6c1703a0509c20877340d96a415a4d95d31873588c761e56920dbcd64e04e29c04d858f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
e0d83332879c86b56ff319a4fa9f2940

SHA1
78b70d86c5eac4e3e73436793b574f0684916240

SHA256
18b80d122f94ffdfed21bfd669029124f33190c9ff7022d8307efa0a395c7c79

SHA512
9d9cbefbab93cba6805d162313c1eb9070ceb101cc27c84ef109860127224e3f55e280369f6c16686b577ece10f75ed1a987991e40d0ee5b3cd9a6df62ea07bf

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\Volume{e5d54008-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d04b4b07-c8f0-4c6a-a5a5-070f155a6b02}_OnDiskSnapshotProp

Filesize
5KB

MD5
4ec23b2fcc90eca1c3c823ea4df546a2

SHA1
c993e90ea8e819aa10d7948cb508939074d374a9

SHA256
8b075132f0f407fd1ffceb3ec3c261a40ea10c6943dedf9c8593097375785b13

SHA512
664a4ee30a37af8ac5d37e6d0b48626de79d5a6b5ea842cf0b7b73614f328216a264363610bdef7e798d197fe0eb200eb413612a602fd1a44cab077088bee942

Download Submit
memory/668-266-0x00000274CE4A0000-0x00000274CE4A2000-memory.dmp

Filesize
8KB

Download
memory/1920-273-0x0000000000400000-0x0000000000DD6000-memory.dmp

Filesize
9.8MB

Download
memory/1920-271-0x000001D5609B0000-0x000001D5609B1000-memory.dmp

Filesize
4KB

Download
memory/1920-283-0x0000000000400000-0x0000000000DD6000-memory.dmp

Filesize
9.8MB

Download
memory/2176-286-0x0000000000400000-0x0000000000DD6000-memory.dmp

Filesize
9.8MB

Download
memory/2176-284-0x0000000000400000-0x0000000000DD6000-memory.dmp

Filesize
9.8MB

Download
memory/2228-280-0x0000000000400000-0x0000000000DD6000-memory.dmp

Filesize
9.8MB

Download
memory/2228-282-0x0000000000400000-0x0000000000DD6000-memory.dmp

Filesize
9.8MB

Download
memory/2236-268-0x0000000140000000-0x00000001402FA000-memory.dmp

Filesize
3.0MB

Download
memory/2236-263-0x00007FFCD17E0000-0x00007FFCD189E000-memory.dmp

Filesize
760KB

Download
memory/2236-264-0x0000000140000000-0x00000001402FA000-memory.dmp

Filesize
3.0MB

Download
memory/2236-267-0x00007FFCD17E0000-0x00007FFCD189E000-memory.dmp

Filesize
760KB

Download
memory/3284-254-0x00007FFCD17E0000-0x00007FFCD189E000-memory.dmp

Filesize
760KB

Download
memory/3284-255-0x0000000140000000-0x00000001402FA000-memory.dmp

Filesize
3.0MB

Download
memory/3284-247-0x0000000140000000-0x00000001402FA000-memory.dmp

Filesize
3.0MB

Download
memory/3284-243-0x000001BD751F0000-0x000001BD751F1000-memory.dmp

Filesize
4KB

Download
memory/3284-244-0x00007FFCD17E0000-0x00007FFCD189E000-memory.dmp

Filesize
760KB

Download
memory/3976-269-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3976-270-0x00007FFCD2BD0000-0x00007FFCD2DC5000-memory.dmp

Filesize
2.0MB

Download
memory/3976-261-0x00007FFCD2BD0000-0x00007FFCD2DC5000-memory.dmp

Filesize
2.0MB

Download
memory/3976-257-0x0000000140000000-0x00000001400A8000-memory.dmp

Filesize
672KB

Download
memory/3976-253-0x00007FFCD2BD0000-0x00007FFCD2DC5000-memory.dmp

Filesize
2.0MB

Download
memory/3976-252-0x00007FFC62C60000-0x00007FFC62C62000-memory.dmp

Filesize
8KB

Download
memory/4284-275-0x0000000000400000-0x0000000000DD6000-memory.dmp

Filesize
9.8MB

Download
memory/4284-288-0x0000000000400000-0x0000000000DD6000-memory.dmp

Filesize
9.8MB

Download