f7bd8bb72bf3c0d499f2d5e4b6dee8fd294c92ac3c6356a20727afd25b63dc11

Analysis

max time kernel
135s
max time network
161s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
24-09-2023 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zh-cn.exe
Size

38.5MB
MD5

755deb2968530a262c5b5bc220b593dc
SHA1

5de68bf47828a4da1ccf3d40296266c13f1df22f
SHA256

f7bd8bb72bf3c0d499f2d5e4b6dee8fd294c92ac3c6356a20727afd25b63dc11
SHA512

2d9f8e01396ad25b471a5b8027dc4376c5af3cb9a13c6e6cdb9cdc3e3424078514e1ba748c53efc6d843f49706237032a8ab4261f65ccf0a400c24d59c18b885
SSDEEP

786432:WYHm2mH6FUMRI5b+op6Oxg18AztN0a4TwmgWaIPTBYBIwQA9:WYHNFsAgxOzP0aBlWRTCB51

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

zh-cn.tmpTelegram.exeZ.T-GApp_xh.Gn.exe

pid process

4064 zh-cn.tmp
2396 Telegram.exe
5064 Z.T-GApp_xh.Gn.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Z.T-GApp_xh.Gn.exe

description	ioc	process
File opened (read-only)	\??\B:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\H:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\I:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\O:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\W:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\X:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\G:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\J:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\L:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\P:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\R:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\N:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\Q:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\S:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\V:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\Z:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\Y:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\E:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\K:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\M:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\T:	Z.T-GApp_xh.Gn.exe
File opened (read-only)	\??\U:	Z.T-GApp_xh.Gn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Telegram.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Z.T-GApp_xh.Gn.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\StatusStatusCodes = ce1077187f631a778f999b9bff3aab9b9b9bc8a84012c7bfc712c7bfeb12c7bfef12c7bfe310db9710db8fcdcc70d9942cd3bf10cbb34a72a864a050e584942ca91859991865fae99d1a5d7b649b9bf264189b9b9b942c6d9865d2ee7a1a7c646464e41a647d075187941f779b9b9b109ba058ee21a86dc8f3cf23228173599d9b9bcbf3e384bbe412dfbfab73289d9b9b64efbfab12dfbfa3f3f9af12c5733a9d9b9b64efbfa312dfbfdff3e81bd39d73149d9b9b64efbfdb12dfbfcbf33e69c7eb73e69d9b9b12dfbfc3185fb316dfbf97cb5cdfbf8bf5effff7fd5cdfbf8ff79b64cfbfb364efbfbb106bf350e22e9673d59d9b9b64efbfb312dfbfdbf35b72838e73a79d9b9b185f8b12dfbfa373b79d9b9ba8521ba79af8eeaa1be79a9af4eeb11be79a99ffeeb81be79a98feee871be79a9ff6ee8e1be79a9efaee951be79a9de9ee9c1be79a9cf0ef8dda1a6293c99b9be75b721d9b9b9b10eb8b728f646464f1db985a259bab9b9bcd121fbf1f9b9b9b64ebbbc864cfbfa310d7bfe7121fbf1f9b9b9b64eabbcb64cfbfa710dfbfe764ebbb185ba3cb642fbf179b9b9b64cfbfdf10dfbfe7f1dbcd64ebb7c864cfbfa310d7bfe7121fbf139b9b9b64eab7cb64cfbfa710dfbfe764ebb710d3bb16df9aa3cb642fbf0b9b9b9b64cfbfdf10dfbfe710d3b798d3bb5cdfbf8fcce8a9c416df9aa3121fbf1b9b9b9b16dfbf8fcb5cdfbf87a8a9b5fffd5cdfbfbbf7f713c7bfb964cfbfb364efbfbb106bf3afbdc9a873819e9b9b64efbfb312dfbfd3f304b6dbbd73939e9b9b64efbfab12dfbfcff39a0ec8da736d9f9b9b64efbfa312dfbffbf34ce6c5e3737f9f9b9b64efbfdb12dfbff7f3531fa1aa73499f9b9b64efbfd312dfbfe3f341cbb092735b9f9b9b64efbfcb121fbf1f9b9b9bf3471c189473309f9b9b64efbfc3121fbf0b9b9b9bf329affa94730d9f9b9b185fdb64efbfbb12dfbfc7f3808d378f731a9f9b9b64efbfb312dfbff3f354b76fd473f49f9b9b185f8b12dfbffb161fbf0b9b9b9bcbf399999b9b64cfbfdf1e5bef92c4c5a85bc0107ec65810dfbfe7a3c3b3f19a16c7bfbfef9c73b79b9b9b709e735c9a9b9b101fbf1b9b9b9b1be3af9bc2f19916c7bfbfef9c73979b9b9b709e733c9a9b9bc2a840705bce107718778bcdccf19df19aa864f19912e66312e66f64c8bb12d8df186364941fd89a9b9bf1dbf39bab9b9bf3959b939bcc64c89312d8c3a05c941fb39a9b9b18e6939aee9e10d8ff709810d8f316d66fcacccccb64c8bf1e5b941e939a9b9b18e6939a10de6f10eb8310d8c716e0d33e3e3e3eee9e10dbbf709810dbabcb64c8b7fd12d8d1f18b16d8d3cb64e8df64c8ab186364941f509b9b9bf19bf19816de67cb64e8dffd5cde67a8a95dde659b64c8af1e5b9415309b9b9bf19ff39bab9b9bf39b439f9ba864cc64c89312de63a05c941f159b9b9bf19bf39b0b9a9b64ee6364e8df64c8a3106b1e6de5e310d8c3cd64ee63985ccb64c88398651a64952b9f9bee48f39b1b9b9ba86dcd64ee6364c89710d0c316da9512d8c312ee6312ee6b10de6b942ddf939f0224539a9b9b6c6410e8c398ee6310de63f1911b59adab8d02c56c6564de6b1e49ee98bace6b64de631ae663952b9f9be75d64c8c364e8fb644b7065a864a2e66fef9d64ee6f64c8b310d8df186364ef9fcb64c8a710d8c3259b1b9b9ba05cef9dcdcccb64c897a2e663ef93cdcc64ee6364c897c4c55258ce10771877b3cdf1dbf39bab9b9ba86df39b9b939bcd12ee7764c89312d8c3a05d941fab999b9b18e6939aee9e10d8ff709810d8f316d677cacdcdcb64c8bf1e5b941e4c9a9b9b18e6939a10de77cc5dde65aa12ee6f12ee7b12ee6312ee7312ee4712ee4312ee6b10eb8310d8c716e0d33e3e3e3eee9e10dbbf709810dbabcb64c8b7fd12d8d164de93f18af199f19964c8bb12d8df186364941fe79a9b9bf18b16d0d3cacb64c8ab186364941ff29a9b9ba864a2e663ef97f39b1b9b9bcc64ee6364c897f1dbf39bab9b9b25539b9b9bcdcc64c8931063f19a16de65cbcc12e66364c883f19f16de6fcbdccc64c883f19bf19e64ee6364e8df64c8af18639e941e6e9b9b9bf19bcd64ee6364e8df64c8a310d66f1e52e592a0d67b9414a39a9b9b186364941f6b9b9b9b186397ef1918638b941f599b9b9b1863f6941eeb64646410ee6318d67f64f19acd16de64cb5dde64ab64c883f19fcc16de7fcb64c8831be664aaeee010de6fa2de7feee818fe6b9b1e5beebff19f16ddf2cb16de73cb64c88310de7302f1ffc26c62a85210611e64940f5ab05a12de7bf19f16ddf2cb16de47cb64c88318e66f9be59010de73a0de47eede10ee6310de7ff05bff98d8c3f1ff185d9ecdcb64c88318e66f9be59310de7ba2de6fef8164de6f724b65646464de6b1ae66beb8c9b9b94155b656464709c5cde439a9b9b9b18e6439aefc210d8df186364ef93cb64c8a718d0df6418e693949417f7656464a86dc4a2ee77ef9d64ee7764c8b310d8df186364ef9fcb64c8a7a2ee63ef97f39b1b9b9bcd64ee6364c89710d8c3a05def91f39b1b9b9bcdcb64c897c5525864c8c364e8fb644b7065109fbf58ce107710dda718778f16d7abe3109ac8cc1e5befe118e29f9befef985d10d38312d6771e52eff310cbbb10e38710dbbf985da840984d986512de6b12c6631e52efd610970118fe6f9b9855118212d6671f40efba115810c66ff240189b9b9b94255b984364de6710de67119b1f5bee7210de6b709810c66f1a78646464e4a0c693ef8910c663d812c663a0c677e928a85bc4c0525818e6979bee9510d663942c9fd3109f1c985d7073cacd64ce97707af8f4fffef6fae9f09b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9b9b949b9b9b91819b9b9a9b9b9b949b9b9b23b99b9b9a9b9b9baaaba8b5adabb5a9a9abb5aaa8a89baaaba8b5adabb5a9a9abb5aaa8a89be79baa9ba19bf69bf39be79bab9ba19bff9bf99be79bab9ba19bf79bf09be79bab9ba19bf39be89be79bab9ba19bf79bff9be79baa9ba19bf79bf79be79bab9ba19bf39bf99be79bab9ba19beb9bf19be79bad9baa9bb59ba29bbb9bb59ba89ba99bab9ba99ba19be19bf99be79bab9bb59baa9ba19bf99bf99be79b3f104305a19be19bfd9be79baa9ba19bf79bf89be79baa9ba19bff9bff9be79baa9ba19ba89bef9be79bab9ba39ba19ba89bf49be79ba89ba89baa9bb59bab9ba99ba99bb59bab9bad9bb59ba89bab9baa9ba19ba89beb9be79baa9ba19ba99bef9be79ba39ba39ba39ba39ba19ba99bf49be79ba89ba89baa9bb59bab9ba99ba99bb59bab9bad9bb59ba89bab9baa9ba19ba99beb9be79baa9ba19baa9bef9be79bad9bad9bad9bad9ba19baa9bf49be79ba89ba89baa9bb59bab9ba99ba99bb59bab9bad9bb59ba89bab9baa9ba19baa9beb9be79b9b9b	Z.T-GApp_xh.Gn.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Telegram.exe

pid process

2396 Telegram.exe

pid	process
2396	Telegram.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

zh-cn.tmpZ.T-GApp_xh.Gn.exe

pid	process
4064	zh-cn.tmp
4064	zh-cn.tmp
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe
5064	Z.T-GApp_xh.Gn.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

zh-cn.tmpTelegram.exe

pid process

4064 zh-cn.tmp
2396 Telegram.exe
2396 Telegram.exe
2396 Telegram.exe
2396 Telegram.exe
2396 Telegram.exe
2396 Telegram.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Telegram.exe

pid process

2396 Telegram.exe
2396 Telegram.exe
2396 Telegram.exe
2396 Telegram.exe
2396 Telegram.exe
2396 Telegram.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Z.T-GApp_xh.Gn.exeTelegram.exe

pid process

5064 Z.T-GApp_xh.Gn.exe
2396 Telegram.exe
5064 Z.T-GApp_xh.Gn.exe

pid	process
2396	Telegram.exe
2396	Telegram.exe
2396	Telegram.exe
2396	Telegram.exe
2396	Telegram.exe
2396	Telegram.exe

pid	process
5064	Z.T-GApp_xh.Gn.exe
2396	Telegram.exe
5064	Z.T-GApp_xh.Gn.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

zh-cn.exezh-cn.tmp

description	pid	process	target process
PID 5072 wrote to memory of 4064	5072	zh-cn.exe	zh-cn.tmp
PID 5072 wrote to memory of 4064	5072	zh-cn.exe	zh-cn.tmp
PID 5072 wrote to memory of 4064	5072	zh-cn.exe	zh-cn.tmp
PID 4064 wrote to memory of 2396	4064	zh-cn.tmp	Telegram.exe
PID 4064 wrote to memory of 2396	4064	zh-cn.tmp	Telegram.exe
PID 4064 wrote to memory of 5064	4064	zh-cn.tmp	Z.T-GApp_xh.Gn.exe
PID 4064 wrote to memory of 5064	4064	zh-cn.tmp	Z.T-GApp_xh.Gn.exe
PID 4064 wrote to memory of 5064	4064	zh-cn.tmp	Z.T-GApp_xh.Gn.exe

C:\Users\Admin\AppData\Local\Temp\zh-cn.exe
"C:\Users\Admin\AppData\Local\Temp\zh-cn.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\is-MLL9G.tmp\zh-cn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MLL9G.tmp\zh-cn.tmp" /SL5="$700C6,39440345,811008,C:\Users\Admin\AppData\Local\Temp\zh-cn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
3⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\Z.T-GApp_xh.Gn.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\Z.T-GApp_xh.Gn.exe"
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-MLL9G.tmp\zh-cn.tmp

Filesize
3.0MB

MD5
ed2781559c9e4dcecf2286a1bfde093d

SHA1
cdb08fbf76389238361556e3ff676a72722abaaa

SHA256
066a8e965583021073b58b6ff14308cfbc6acd7566ac4f0c86ff9161a05bbb0e

SHA512
20e8299e1b8b47ef08899bdad16bdb6a56ba2fce623864b8604e33e687fdec6437f4d608fc23338028d7f31bb74cd23ee08af835846b197f6cb30d6233d76fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MLL9G.tmp\zh-cn.tmp

Filesize
3.0MB

MD5
ed2781559c9e4dcecf2286a1bfde093d

SHA1
cdb08fbf76389238361556e3ff676a72722abaaa

SHA256
066a8e965583021073b58b6ff14308cfbc6acd7566ac4f0c86ff9161a05bbb0e

SHA512
20e8299e1b8b47ef08899bdad16bdb6a56ba2fce623864b8604e33e687fdec6437f4d608fc23338028d7f31bb74cd23ee08af835846b197f6cb30d6233d76fe9

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
124.4MB

MD5
2f75f8bbce26fdb4f10f4e7351b04dda

SHA1
53a8c3a363b3c8d036c8ebb8f5bed90835c4559a

SHA256
3d02ac50fef8c1f758c3438b37a9526019e903d3246d8e2929f9f3c9d5bb0c88

SHA512
493cc8e8d380f52944cb55f92b7028762bf607f095f3e451754ba762685f079319d7f1a7cc4182ddebc74f26938286e33429f04909853f22104c414cf02ef486

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
124.4MB

MD5
2f75f8bbce26fdb4f10f4e7351b04dda

SHA1
53a8c3a363b3c8d036c8ebb8f5bed90835c4559a

SHA256
3d02ac50fef8c1f758c3438b37a9526019e903d3246d8e2929f9f3c9d5bb0c88

SHA512
493cc8e8d380f52944cb55f92b7028762bf607f095f3e451754ba762685f079319d7f1a7cc4182ddebc74f26938286e33429f04909853f22104c414cf02ef486

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
124.4MB

MD5
2f75f8bbce26fdb4f10f4e7351b04dda

SHA1
53a8c3a363b3c8d036c8ebb8f5bed90835c4559a

SHA256
3d02ac50fef8c1f758c3438b37a9526019e903d3246d8e2929f9f3c9d5bb0c88

SHA512
493cc8e8d380f52944cb55f92b7028762bf607f095f3e451754ba762685f079319d7f1a7cc4182ddebc74f26938286e33429f04909853f22104c414cf02ef486

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\7517DFA7E0C3774Ds

Filesize
140B

MD5
dacd883d532bc8ba8d7698f12bc9bca8

SHA1
5ea60f395a1746312794fac47354e359a52a705f

SHA256
3ff1e11e729cd21b81f3ebe5bcf24514754ad559e7048d5fad01b8575b5ada13

SHA512
02fa5f4b0872510e3385912677aacef3eea793046b6eeec1cb2008d9212cbc00a47b613e7f78d916364d2052594b7acc33e0c6aaf07b2bf64711b9f35cf70ef6

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\99F8F64E02BD9548s

Filesize
442KB

MD5
b21a77f8bfa27bb7d190f2145f66b063

SHA1
88ca12861abd52abcfc5341db04b689b6ecab725

SHA256
8284d796464b47b02190aa469f4769a5b04d43644c871fc5c82aef82cd59e482

SHA512
398db19fa1b60c995dd3b04065bc7212f4b21f7c784ed245a31f3c05bb1e44190555314eaf06f2838cdadeedf662b06d17aea13a4f490ca77af2baa0bc6ffe72

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\Z.T-GApp_xh.Gn.exe

Filesize
2.5MB

MD5
62234d0042b32491536e15dc78b0e588

SHA1
ff1cd9d6b66ed260137ee8adbfe04e92b53a6f17

SHA256
ad790dd9ce0033df8e212b2776bfd28e1279299b5b75f70051d1b58410933228

SHA512
808d058533806b5d3160180e4e5c85f4a1bd1e97840ff07a191357408b9fcaf04a9562b5e474b9ac146e028531c8003e61c0f91f589a53414e343222a61e46ca

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\Z.T-GApp_xh.Gn.exe

Filesize
2.5MB

MD5
62234d0042b32491536e15dc78b0e588

SHA1
ff1cd9d6b66ed260137ee8adbfe04e92b53a6f17

SHA256
ad790dd9ce0033df8e212b2776bfd28e1279299b5b75f70051d1b58410933228

SHA512
808d058533806b5d3160180e4e5c85f4a1bd1e97840ff07a191357408b9fcaf04a9562b5e474b9ac146e028531c8003e61c0f91f589a53414e343222a61e46ca

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\countries

Filesize
20KB

MD5
56db96207472444836ca9968d78444aa

SHA1
35d004f126306c6cd3fa2e9aa6e0973141ed1a55

SHA256
8ff6f29185d067a820ea8b94644c61ddc8153a5aef97a87cecfca71b930255f9

SHA512
442d9d2636c57328af98cfdb8142a372a948c10e1714e30f4ec43d44e15e474e3cc05419a8448a7ef138350b9ddcd0b34ca45dd88003fbbf1b6d4ebae60e7973

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\key_datas

Filesize
388B

MD5
b132a17e853f29531160ff55f9988826

SHA1
3f3b22729d6e1f52e4b54b15ba1c38617e77923e

SHA256
f1b284b51bdf87dc748422ae698a8599a7acdd679624e2d3437c3b31f6d38611

SHA512
04f338ce5061510177c3b501889c562641fe2555feae60e468c6f63f2aa799297179e9c78c9dcf51dbdb76e19949a6c001472c3a4e7af602479ecf2487f6acdb

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\prefix

Filesize
24B

MD5
3fb9de9c3edf4abc3a42deaf14dfa8d6

SHA1
d02d2382706bffb38831acfcce62e720a6d55733

SHA256
84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28

SHA512
7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\settingss

Filesize
1KB

MD5
aa56bbd89a1a51683a0665653a4ca12d

SHA1
99d368b7e7ce38d77f2b4292bacc4385d74b0502

SHA256
bda563911e593a48f12ae89425fac2e0163e59cf42031b40c657dfc74490f908

SHA512
894f411b2831c9e370e383e9a30c0a0c008f0aabbd36e935d16b82d51b4f8abbfce0d3a9d81ff8d0010965a2b545ef24d50aef04df991cb20255f5f4cbe0fa9f

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\shortcuts-custom.json

Filesize
404B

MD5
874b930b4c2fddc8043f59113c044a14

SHA1
75b14a96fe1194f27913a096e484283b172b1749

SHA256
f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8

SHA512
f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\shortcuts-default.json

Filesize
2KB

MD5
9659e451ac100713429a3116644250ce

SHA1
8825a66fef3c76f57aac29d9f3622037bc6ecadd

SHA256
b002b36119821299aaf94c7d1dcd112ab0fdd6008c3f23429a92b03aa79a3147

SHA512
12d4f9cc6e72d67e31aa94f81d67a1de353314617b25568d113c4484108f8a609c2ec26bd6146d31148556ea214f1587cded79bb51bbc5a26d88682786c46a7f

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\usertag

Filesize
8B

MD5
36ea4b2c04e42167ffaa5a0d36ee2cd9

SHA1
60ee8fea8fbcdc259dc6c0641a8283d8ee8dcaf1

SHA256
0d5655d19406467696275deea8ae1d19b651fc70ada0c7d66af98db442c370fb

SHA512
0536684386296d5cf070c7ba07935a07e0efbf4b888586bdc65b0640cc0baa39119d3f68756d2301a8e7fff31fb1ff4675a6f53e471c1a352a87df001d945733

Download Submit
memory/2396-74-0x00000209BD690000-0x00000209BD6A0000-memory.dmp

Filesize
64KB

Download
memory/2396-101-0x00000209BD690000-0x00000209BD6A0000-memory.dmp

Filesize
64KB

Download
memory/4064-86-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4064-55-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4064-12-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4064-10-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4064-9-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4064-6-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/5064-110-0x0000000002910000-0x0000000002933000-memory.dmp

Filesize
140KB

Download
memory/5064-159-0x0000000002910000-0x0000000002933000-memory.dmp

Filesize
140KB

Download
memory/5064-98-0x0000000002910000-0x0000000002933000-memory.dmp

Filesize
140KB

Download
memory/5064-97-0x0000000002C30000-0x0000000002CB1000-memory.dmp

Filesize
516KB

Download
memory/5064-90-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/5064-102-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/5064-190-0x0000000003B30000-0x0000000003B68000-memory.dmp

Filesize
224KB

Download
memory/5064-111-0x0000000002910000-0x0000000002933000-memory.dmp

Filesize
140KB

Download
memory/5064-116-0x0000000003370000-0x0000000003393000-memory.dmp

Filesize
140KB

Download
memory/5064-189-0x0000000003B30000-0x0000000003B68000-memory.dmp

Filesize
224KB

Download
memory/5064-117-0x0000000002910000-0x0000000002933000-memory.dmp

Filesize
140KB

Download
memory/5064-181-0x0000000010000000-0x00000000100AE000-memory.dmp

Filesize
696KB

Download
memory/5064-121-0x00000000038A0000-0x00000000038D2000-memory.dmp

Filesize
200KB

Download
memory/5064-122-0x0000000003B30000-0x0000000003B68000-memory.dmp

Filesize
224KB

Download
memory/5064-123-0x0000000003B30000-0x0000000003B68000-memory.dmp

Filesize
224KB

Download
memory/5064-152-0x0000000003B30000-0x0000000003B68000-memory.dmp

Filesize
224KB

Download
memory/5064-153-0x0000000003B30000-0x0000000003B68000-memory.dmp

Filesize
224KB

Download
memory/5064-154-0x0000000003B30000-0x0000000003B68000-memory.dmp

Filesize
224KB

Download
memory/5064-155-0x0000000002910000-0x0000000002933000-memory.dmp

Filesize
140KB

Download
memory/5064-96-0x0000000002910000-0x0000000002933000-memory.dmp

Filesize
140KB

Download
memory/5064-160-0x0000000003370000-0x0000000003393000-memory.dmp

Filesize
140KB

Download
memory/5064-161-0x0000000003370000-0x0000000003393000-memory.dmp

Filesize
140KB

Download
memory/5064-162-0x0000000003370000-0x0000000003393000-memory.dmp

Filesize
140KB

Download
memory/5064-164-0x0000000003F40000-0x0000000003F78000-memory.dmp

Filesize
224KB

Download
memory/5064-165-0x0000000003EC0000-0x0000000003EF2000-memory.dmp

Filesize
200KB

Download
memory/5064-166-0x0000000003F40000-0x0000000003F78000-memory.dmp

Filesize
224KB

Download
memory/5064-169-0x0000000003B30000-0x0000000003B68000-memory.dmp

Filesize
224KB

Download
memory/5064-170-0x0000000003F40000-0x0000000003F78000-memory.dmp

Filesize
224KB

Download
memory/5064-171-0x0000000003F40000-0x0000000003F78000-memory.dmp

Filesize
224KB

Download
memory/5064-172-0x0000000003F40000-0x0000000003F78000-memory.dmp

Filesize
224KB

Download
memory/5064-175-0x0000000003F40000-0x0000000003F78000-memory.dmp

Filesize
224KB

Download
memory/5064-176-0x0000000003370000-0x0000000003393000-memory.dmp

Filesize
140KB

Download
memory/5064-177-0x0000000003370000-0x0000000003393000-memory.dmp

Filesize
140KB

Download
memory/5064-178-0x0000000003B30000-0x0000000003B68000-memory.dmp

Filesize
224KB

Download
memory/5072-1-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/5072-8-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/5072-87-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download