gh0strat | a896be695060cae32a70973ebba049139b27ae837e870e5faf728392b32854dd

Analysis

max time kernel
302s
max time network
309s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23-08-2023 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New_4.8.10.exe
Size

124.3MB
MD5

f89701701ace82ef08972d55b68e232f
SHA1

084888e907329c480518220990fc4a8dcd108463
SHA256

a896be695060cae32a70973ebba049139b27ae837e870e5faf728392b32854dd
SHA512

f5f9e7b1f6ae0e5983a58c91be5558feb10bb07ffa10a289580759cc1abba8c829d7f9752873c62fbb0f552119e5fc9ebe3a02cdb649919d1743ee933bc49bf1
SSDEEP

3145728:dRrHJ5u0UJ140kRRGtBOPMx332CVB4JeMz9MrI/:dRrHb/UJSrR8hbxPrI/

Score

10^/10

gh0strat rat upx

Malware Config

Extracted

Family

gh0strat

zhodaji.com

Signatures

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1104-122-0x0000000007100000-0x000000000711D000-memory.dmp	family_gh0strat
behavioral1/memory/572-133-0x0000000005C90000-0x0000000005CAD000-memory.dmp	family_gh0strat
behavioral1/memory/2324-142-0x0000000006F00000-0x0000000006F1D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1920-0-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/1920-56-0x0000000000400000-0x00000000004C6000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

Processes:

Telegram.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

handinput.exe

description	ioc	process
File opened (read-only)	\??\M:	handinput.exe
File opened (read-only)	\??\N:	handinput.exe
File opened (read-only)	\??\B:	handinput.exe
File opened (read-only)	\??\G:	handinput.exe
File opened (read-only)	\??\H:	handinput.exe
File opened (read-only)	\??\W:	handinput.exe
File opened (read-only)	\??\Y:	handinput.exe
File opened (read-only)	\??\K:	handinput.exe
File opened (read-only)	\??\L:	handinput.exe
File opened (read-only)	\??\R:	handinput.exe
File opened (read-only)	\??\P:	handinput.exe
File opened (read-only)	\??\Q:	handinput.exe
File opened (read-only)	\??\S:	handinput.exe
File opened (read-only)	\??\T:	handinput.exe
File opened (read-only)	\??\U:	handinput.exe
File opened (read-only)	\??\E:	handinput.exe
File opened (read-only)	\??\I:	handinput.exe
File opened (read-only)	\??\J:	handinput.exe
File opened (read-only)	\??\V:	handinput.exe
File opened (read-only)	\??\Z:	handinput.exe
File opened (read-only)	\??\O:	handinput.exe
File opened (read-only)	\??\X:	handinput.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1920-56-0x0000000000400000-0x00000000004C6000-memory.dmp	autoit_exe

Drops file in Program Files directory 1 IoCs

Processes:

handinput.exe

description ioc process

File opened for modification C:\PROGRA~3\HANDIN~1.EXE handinput.exe
Executes dropped EXE 6 IoCs

Processes:

tsetup-x64.4.9.2.exetsetup-x64.4.9.2.tmpTelegram.exehandinput.exeAqiyq.exeAqiyq.exe

pid process

2892 tsetup-x64.4.9.2.exe
2868 tsetup-x64.4.9.2.tmp
2136 Telegram.exe
1104 handinput.exe
572 Aqiyq.exe
2324 Aqiyq.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\HANDIN~1.EXE	handinput.exe

pid	process
2892	tsetup-x64.4.9.2.exe
2868	tsetup-x64.4.9.2.tmp
2136	Telegram.exe
1104	handinput.exe
572	Aqiyq.exe
2324	Aqiyq.exe

Loads dropped DLL 18 IoCs

Processes:

New_4.8.10.exetsetup-x64.4.9.2.exetsetup-x64.4.9.2.tmpTelegram.exehandinput.exeAqiyq.exeAqiyq.exe

pid	process
1920	New_4.8.10.exe
2892	tsetup-x64.4.9.2.exe
2868	tsetup-x64.4.9.2.tmp
2868	tsetup-x64.4.9.2.tmp
2868	tsetup-x64.4.9.2.tmp
1340
1340
1340
1340
2136	Telegram.exe
1920	New_4.8.10.exe
1104	handinput.exe
1104	handinput.exe
572	Aqiyq.exe
572	Aqiyq.exe
2324	Aqiyq.exe
2324	Aqiyq.exe
1340

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

Processes:

Telegram.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tg\DefaultIcon	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tg\shell\open\command	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tdesktop.tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tdesktop.tg\shell\open\command	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tg\shell\open	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tdesktop.tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tg	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tg\URL Protocol	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tg\ = "URL:Telegram Link"	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tdesktop.tg	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tdesktop.tg\shell\open	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\tg\shell	Telegram.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

268 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Telegram.exe

pid process

2136 Telegram.exe

pid	process
268	PING.EXE

pid	process
2136	Telegram.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

tsetup-x64.4.9.2.tmphandinput.exe

pid	process
2868	tsetup-x64.4.9.2.tmp
2868	tsetup-x64.4.9.2.tmp
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe
1104	handinput.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tsetup-x64.4.9.2.tmp

pid process

2868 tsetup-x64.4.9.2.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

handinput.exeAqiyq.exeAqiyq.exe

description	pid	process
Token: SeDebugPrivilege	1104	handinput.exe
Token: SeDebugPrivilege	572	Aqiyq.exe
Token: SeIncBasePriorityPrivilege	1104	handinput.exe
Token: SeDebugPrivilege	2324	Aqiyq.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

tsetup-x64.4.9.2.tmpTelegram.exe

pid process

2868 tsetup-x64.4.9.2.tmp
2136 Telegram.exe
2136 Telegram.exe
2136 Telegram.exe
2136 Telegram.exe
2136 Telegram.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Telegram.exe

pid process

2136 Telegram.exe
2136 Telegram.exe
2136 Telegram.exe
2136 Telegram.exe
2136 Telegram.exe

pid	process
2136	Telegram.exe
2136	Telegram.exe
2136	Telegram.exe
2136	Telegram.exe
2136	Telegram.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

New_4.8.10.exetsetup-x64.4.9.2.exetsetup-x64.4.9.2.tmphandinput.exeAqiyq.execmd.exe

description	pid	process	target process
PID 1920 wrote to memory of 2892	1920	New_4.8.10.exe	tsetup-x64.4.9.2.exe
PID 1920 wrote to memory of 2892	1920	New_4.8.10.exe	tsetup-x64.4.9.2.exe
PID 1920 wrote to memory of 2892	1920	New_4.8.10.exe	tsetup-x64.4.9.2.exe
PID 1920 wrote to memory of 2892	1920	New_4.8.10.exe	tsetup-x64.4.9.2.exe
PID 1920 wrote to memory of 2892	1920	New_4.8.10.exe	tsetup-x64.4.9.2.exe
PID 1920 wrote to memory of 2892	1920	New_4.8.10.exe	tsetup-x64.4.9.2.exe
PID 1920 wrote to memory of 2892	1920	New_4.8.10.exe	tsetup-x64.4.9.2.exe
PID 2892 wrote to memory of 2868	2892	tsetup-x64.4.9.2.exe	tsetup-x64.4.9.2.tmp
PID 2892 wrote to memory of 2868	2892	tsetup-x64.4.9.2.exe	tsetup-x64.4.9.2.tmp
PID 2892 wrote to memory of 2868	2892	tsetup-x64.4.9.2.exe	tsetup-x64.4.9.2.tmp
PID 2892 wrote to memory of 2868	2892	tsetup-x64.4.9.2.exe	tsetup-x64.4.9.2.tmp
PID 2892 wrote to memory of 2868	2892	tsetup-x64.4.9.2.exe	tsetup-x64.4.9.2.tmp
PID 2892 wrote to memory of 2868	2892	tsetup-x64.4.9.2.exe	tsetup-x64.4.9.2.tmp
PID 2892 wrote to memory of 2868	2892	tsetup-x64.4.9.2.exe	tsetup-x64.4.9.2.tmp
PID 2868 wrote to memory of 2136	2868	tsetup-x64.4.9.2.tmp	Telegram.exe
PID 2868 wrote to memory of 2136	2868	tsetup-x64.4.9.2.tmp	Telegram.exe
PID 2868 wrote to memory of 2136	2868	tsetup-x64.4.9.2.tmp	Telegram.exe
PID 2868 wrote to memory of 2136	2868	tsetup-x64.4.9.2.tmp	Telegram.exe
PID 1920 wrote to memory of 1104	1920	New_4.8.10.exe	handinput.exe
PID 1920 wrote to memory of 1104	1920	New_4.8.10.exe	handinput.exe
PID 1920 wrote to memory of 1104	1920	New_4.8.10.exe	handinput.exe
PID 1920 wrote to memory of 1104	1920	New_4.8.10.exe	handinput.exe
PID 1104 wrote to memory of 2100	1104	handinput.exe	cmd.exe
PID 1104 wrote to memory of 2100	1104	handinput.exe	cmd.exe
PID 1104 wrote to memory of 2100	1104	handinput.exe	cmd.exe
PID 1104 wrote to memory of 2100	1104	handinput.exe	cmd.exe
PID 572 wrote to memory of 2324	572	Aqiyq.exe	Aqiyq.exe
PID 572 wrote to memory of 2324	572	Aqiyq.exe	Aqiyq.exe
PID 572 wrote to memory of 2324	572	Aqiyq.exe	Aqiyq.exe
PID 572 wrote to memory of 2324	572	Aqiyq.exe	Aqiyq.exe
PID 2100 wrote to memory of 268	2100	cmd.exe	PING.EXE
PID 2100 wrote to memory of 268	2100	cmd.exe	PING.EXE
PID 2100 wrote to memory of 268	2100	cmd.exe	PING.EXE
PID 2100 wrote to memory of 268	2100	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\New_4.8.10.exe
"C:\Users\Admin\AppData\Local\Temp\New_4.8.10.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920

C:\ProgramData\tsetup-x64.4.9.2.exe
"C:\ProgramData\tsetup-x64.4.9.2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\is-NAQM8.tmp\tsetup-x64.4.9.2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NAQM8.tmp\tsetup-x64.4.9.2.tmp" /SL5="$7011E,40524263,814592,C:\ProgramData\tsetup-x64.4.9.2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
4⤵
- Drops desktop.ini file(s)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2136

C:\ProgramData\handinput.exe
"C:\ProgramData\handinput.exe"
2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\PROGRA~3\HANDIN~1.EXE > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:268

C:\ProgramData\Aqiyq.exe
C:\ProgramData\Aqiyq.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572

C:\ProgramData\Aqiyq.exe
C:\ProgramData\Aqiyq.exe -acsi
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Aqiyq.exe

Filesize
834KB

MD5
a7bb376117fd97810fa4b41a46d3ab97

SHA1
14ef3d161a262270c2db1696f06c9a4067da1984

SHA256
09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

SHA512
a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

Download Submit
C:\ProgramData\Aqiyq.exe

Filesize
834KB

MD5
a7bb376117fd97810fa4b41a46d3ab97

SHA1
14ef3d161a262270c2db1696f06c9a4067da1984

SHA256
09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

SHA512
a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

Download Submit
C:\ProgramData\Aqiyq.exe

Filesize
834KB

MD5
a7bb376117fd97810fa4b41a46d3ab97

SHA1
14ef3d161a262270c2db1696f06c9a4067da1984

SHA256
09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

SHA512
a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

Download Submit
C:\ProgramData\Server.log

Filesize
112KB

MD5
06fbabe3121f537287e6f834e6a1d44e

SHA1
8ed8a90f0de4203133a9432e61f3d2191bbe4008

SHA256
3a0bf79af3a94c98d8ab121d9e2faa1d7f6639ecbef3369d68fa9a88f4bbe11f

SHA512
d142dc8cc89f86c1a1bacaa94e78f030159c72d681cc9ae387e87c21e975e839d1cc6f2d07246ba599d3e9c8af77a775b2accbf0bd18185d4619d80d7da9136e

Download Submit
C:\ProgramData\VCRUNTIME140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
C:\ProgramData\XDLL.dll

Filesize
83.2MB

MD5
eb86e41abd837c01151298eaef1ae4d3

SHA1
51e9b5afdd681ed7d9c893780cfc881119b90234

SHA256
587a48a6ab153356f5cd94c47c817413047ed2e04636a4e90d693d8f6d325f14

SHA512
7568223cde9a13bf8945673009869638909ffdfb8b2bdfb5a2e3d3a9b53e5c93f8a5c581d442aee6458cff9b6ac32087849c186d8d397a9eecc1f482d3cda892

Download Submit
C:\ProgramData\handinput.exe

Filesize
834KB

MD5
a7bb376117fd97810fa4b41a46d3ab97

SHA1
14ef3d161a262270c2db1696f06c9a4067da1984

SHA256
09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

SHA512
a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

Download Submit
C:\ProgramData\handinput.exe

Filesize
834KB

MD5
a7bb376117fd97810fa4b41a46d3ab97

SHA1
14ef3d161a262270c2db1696f06c9a4067da1984

SHA256
09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

SHA512
a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

Download Submit
C:\ProgramData\tsetup-x64.4.9.2.exe

Filesize
39.5MB

MD5
ea3b525e8235810679f604b4cb504cb3

SHA1
8f238faf46acfaa4b170cd2babf8222f12c24828

SHA256
3087d90cf63d1cf2d40a5c19def7aa166024e66a6b8f20ff9cd28527edd5a74c

SHA512
0ea5ce2c1e54515cb752f8ec8f2217311f13695b84c3efe1d5104464a9ad64d015f56cfd9360bc46569e3eb64bddfabb55f7d26d5ded9e0fee67c28750b0f982

Download Submit
C:\ProgramData\tsetup-x64.4.9.2.exe

Filesize
39.5MB

MD5
ea3b525e8235810679f604b4cb504cb3

SHA1
8f238faf46acfaa4b170cd2babf8222f12c24828

SHA256
3087d90cf63d1cf2d40a5c19def7aa166024e66a6b8f20ff9cd28527edd5a74c

SHA512
0ea5ce2c1e54515cb752f8ec8f2217311f13695b84c3efe1d5104464a9ad64d015f56cfd9360bc46569e3eb64bddfabb55f7d26d5ded9e0fee67c28750b0f982

Download Submit
C:\ProgramData\tsetup-x64.4.9.2.exe

Filesize
39.5MB

MD5
ea3b525e8235810679f604b4cb504cb3

SHA1
8f238faf46acfaa4b170cd2babf8222f12c24828

SHA256
3087d90cf63d1cf2d40a5c19def7aa166024e66a6b8f20ff9cd28527edd5a74c

SHA512
0ea5ce2c1e54515cb752f8ec8f2217311f13695b84c3efe1d5104464a9ad64d015f56cfd9360bc46569e3eb64bddfabb55f7d26d5ded9e0fee67c28750b0f982

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NAQM8.tmp\tsetup-x64.4.9.2.tmp

Filesize
3.0MB

MD5
b0a8085decfb065f44561789f4be1b92

SHA1
5f3abb84bb78f3d447c999a99983b93b41c3adcb

SHA256
ae2d3dd7b7682a11f57d3fe637a6481017810450a67ab9a608bd37114e20f510

SHA512
4fbfc613112ba439217f7133214d4b7381c390286aaccacbcb484ab4c3280fd413f6d4ef2273b2a904ef996ffca898f071f0e97ff7056265c605ae8eedd6150a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NAQM8.tmp\tsetup-x64.4.9.2.tmp

Filesize
3.0MB

MD5
b0a8085decfb065f44561789f4be1b92

SHA1
5f3abb84bb78f3d447c999a99983b93b41c3adcb

SHA256
ae2d3dd7b7682a11f57d3fe637a6481017810450a67ab9a608bd37114e20f510

SHA512
4fbfc613112ba439217f7133214d4b7381c390286aaccacbcb484ab4c3280fd413f6d4ef2273b2a904ef996ffca898f071f0e97ff7056265c605ae8eedd6150a

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

Filesize
4.7MB

MD5
62a89e7867d853fee9ad07b7c9d64379

SHA1
944a53602492187308352103d80ff27af1093abf

SHA256
d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

SHA512
7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

Download Submit
\ProgramData\Xdll.dll

Filesize
83.2MB

MD5
eb86e41abd837c01151298eaef1ae4d3

SHA1
51e9b5afdd681ed7d9c893780cfc881119b90234

SHA256
587a48a6ab153356f5cd94c47c817413047ed2e04636a4e90d693d8f6d325f14

SHA512
7568223cde9a13bf8945673009869638909ffdfb8b2bdfb5a2e3d3a9b53e5c93f8a5c581d442aee6458cff9b6ac32087849c186d8d397a9eecc1f482d3cda892

Download Submit
\ProgramData\Xdll.dll

Filesize
83.2MB

MD5
eb86e41abd837c01151298eaef1ae4d3

SHA1
51e9b5afdd681ed7d9c893780cfc881119b90234

SHA256
587a48a6ab153356f5cd94c47c817413047ed2e04636a4e90d693d8f6d325f14

SHA512
7568223cde9a13bf8945673009869638909ffdfb8b2bdfb5a2e3d3a9b53e5c93f8a5c581d442aee6458cff9b6ac32087849c186d8d397a9eecc1f482d3cda892

Download Submit
\ProgramData\Xdll.dll

Filesize
83.2MB

MD5
eb86e41abd837c01151298eaef1ae4d3

SHA1
51e9b5afdd681ed7d9c893780cfc881119b90234

SHA256
587a48a6ab153356f5cd94c47c817413047ed2e04636a4e90d693d8f6d325f14

SHA512
7568223cde9a13bf8945673009869638909ffdfb8b2bdfb5a2e3d3a9b53e5c93f8a5c581d442aee6458cff9b6ac32087849c186d8d397a9eecc1f482d3cda892

Download Submit
\ProgramData\handinput.exe

Filesize
834KB

MD5
a7bb376117fd97810fa4b41a46d3ab97

SHA1
14ef3d161a262270c2db1696f06c9a4067da1984

SHA256
09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

SHA512
a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

Download Submit
\ProgramData\tsetup-x64.4.9.2.exe

Filesize
39.5MB

MD5
ea3b525e8235810679f604b4cb504cb3

SHA1
8f238faf46acfaa4b170cd2babf8222f12c24828

SHA256
3087d90cf63d1cf2d40a5c19def7aa166024e66a6b8f20ff9cd28527edd5a74c

SHA512
0ea5ce2c1e54515cb752f8ec8f2217311f13695b84c3efe1d5104464a9ad64d015f56cfd9360bc46569e3eb64bddfabb55f7d26d5ded9e0fee67c28750b0f982

Download Submit
\ProgramData\vcruntime140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
\ProgramData\vcruntime140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
\ProgramData\vcruntime140.dll

Filesize
74KB

MD5
a075828073369628bcca8a80fa225744

SHA1
2d576b316860c141d81ba9916d5915aceb336c7e

SHA256
dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

SHA512
f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

Download Submit
\Users\Admin\AppData\Local\Temp\is-NAQM8.tmp\tsetup-x64.4.9.2.tmp

Filesize
3.0MB

MD5
b0a8085decfb065f44561789f4be1b92

SHA1
5f3abb84bb78f3d447c999a99983b93b41c3adcb

SHA256
ae2d3dd7b7682a11f57d3fe637a6481017810450a67ab9a608bd37114e20f510

SHA512
4fbfc613112ba439217f7133214d4b7381c390286aaccacbcb484ab4c3280fd413f6d4ef2273b2a904ef996ffca898f071f0e97ff7056265c605ae8eedd6150a

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

Filesize
4.7MB

MD5
62a89e7867d853fee9ad07b7c9d64379

SHA1
944a53602492187308352103d80ff27af1093abf

SHA256
d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

SHA512
7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\unins000.exe

Filesize
3.0MB

MD5
576e10ceefad00f63b83d7546676f200

SHA1
d5f28282043c069f0b47fc6b21542eefd5f16061

SHA256
7b8e6afeb6be1fe58b0f12794c6a1a0fdb5571cf20fbbc473eba93b6f4ae160b

SHA512
8e55982fdff8008d7a6c480f29a5462de73af01481a7c3928c6f220dea9b67eb2bf86af9a2a935f2c579269034b46af483b10c431a489dd2f649039a8f574727

Download Submit
memory/572-133-0x0000000005C90000-0x0000000005CAD000-memory.dmp

Filesize
116KB

Download
memory/1104-122-0x0000000007100000-0x000000000711D000-memory.dmp

Filesize
116KB

Download
memory/1920-0-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1920-56-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2136-253-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/2136-252-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2324-142-0x0000000006F00000-0x0000000006F1D000-memory.dmp

Filesize
116KB

Download
memory/2868-66-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2868-105-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2868-65-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2868-61-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2892-108-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2892-63-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2892-52-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download