ta505 | hxxps://tuhunaer[.]com/download/telegram-os/index-p[.]html

Analysis

max time kernel
95s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
31-03-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tuhunaer.com/download/telegram-os/index-p.html

Score

10^/10

ta505 upx

Malware Config

Signatures

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505

Executes dropped EXE 3 IoCs

pid	Process
3668	upload.exe
4192	upload.exe
4300	Telegram.exe

Loads dropped DLL 14 IoCs

pid	Process
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
2060	MsiExec.exe
4116	MsiExec.exe
4116	MsiExec.exe
4116	MsiExec.exe
4116	MsiExec.exe
4116	MsiExec.exe
2060	MsiExec.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002a804-173.dat	upx
behavioral1/memory/3668-175-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/4192-207-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/3668-250-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/4192-251-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetSarangX\upload.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSarangX\upload.dat	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DFA42B1B902D2D8D54.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCF6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2B4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA14.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2306DCB6-79C2-4BE0-84BA-54C64BC1877E}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAD1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB11.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57d90c.msi	msiexec.exe
File created	C:\Windows\Installer\e57d90a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d90a.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF36C8C846F9149582.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF89D2DCAF827246B6.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB36E4BAF3CA8EA9C.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tdesktop.tg	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tdesktop.tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tdesktop.tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tdesktop.tg\shell\open\command	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tg	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tg\URL Protocol	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tg\shell\open\command	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tdesktop.tg\DefaultIcon	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TG-21371A822\\Telegram.exe\" -- \"%1\""	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TG-21371A822\\Telegram.exe,1\""	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TG-21371A822\\Telegram.exe,1\""	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tg\ = "URL:Telegram Link"	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tg\shell\open	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TG-21371A822\\Telegram.exe\" -- \"%1\""	Telegram.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\setupno-p.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4300	Telegram.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
2732	msedge.exe
2732	msedge.exe
2788	msedge.exe
2788	msedge.exe
3204	identity_helper.exe
3204	identity_helper.exe
5104	msedge.exe
5104	msedge.exe
2168	msiexec.exe
2168	msiexec.exe
3668	upload.exe
3668	upload.exe
3668	upload.exe
3668	upload.exe
4192	upload.exe
4192	upload.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4364	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4364	msiexec.exe
Token: SeSecurityPrivilege	2168	msiexec.exe
Token: SeCreateTokenPrivilege	4364	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4364	msiexec.exe
Token: SeLockMemoryPrivilege	4364	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4364	msiexec.exe
Token: SeMachineAccountPrivilege	4364	msiexec.exe
Token: SeTcbPrivilege	4364	msiexec.exe
Token: SeSecurityPrivilege	4364	msiexec.exe
Token: SeTakeOwnershipPrivilege	4364	msiexec.exe
Token: SeLoadDriverPrivilege	4364	msiexec.exe
Token: SeSystemProfilePrivilege	4364	msiexec.exe
Token: SeSystemtimePrivilege	4364	msiexec.exe
Token: SeProfSingleProcessPrivilege	4364	msiexec.exe
Token: SeIncBasePriorityPrivilege	4364	msiexec.exe
Token: SeCreatePagefilePrivilege	4364	msiexec.exe
Token: SeCreatePermanentPrivilege	4364	msiexec.exe
Token: SeBackupPrivilege	4364	msiexec.exe
Token: SeRestorePrivilege	4364	msiexec.exe
Token: SeShutdownPrivilege	4364	msiexec.exe
Token: SeDebugPrivilege	4364	msiexec.exe
Token: SeAuditPrivilege	4364	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4364	msiexec.exe
Token: SeChangeNotifyPrivilege	4364	msiexec.exe
Token: SeRemoteShutdownPrivilege	4364	msiexec.exe
Token: SeUndockPrivilege	4364	msiexec.exe
Token: SeSyncAgentPrivilege	4364	msiexec.exe
Token: SeEnableDelegationPrivilege	4364	msiexec.exe
Token: SeManageVolumePrivilege	4364	msiexec.exe
Token: SeImpersonatePrivilege	4364	msiexec.exe
Token: SeCreateGlobalPrivilege	4364	msiexec.exe
Token: SeCreateTokenPrivilege	4364	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4364	msiexec.exe
Token: SeLockMemoryPrivilege	4364	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4364	msiexec.exe
Token: SeMachineAccountPrivilege	4364	msiexec.exe
Token: SeTcbPrivilege	4364	msiexec.exe
Token: SeSecurityPrivilege	4364	msiexec.exe
Token: SeTakeOwnershipPrivilege	4364	msiexec.exe
Token: SeLoadDriverPrivilege	4364	msiexec.exe
Token: SeSystemProfilePrivilege	4364	msiexec.exe
Token: SeSystemtimePrivilege	4364	msiexec.exe
Token: SeProfSingleProcessPrivilege	4364	msiexec.exe
Token: SeIncBasePriorityPrivilege	4364	msiexec.exe
Token: SeCreatePagefilePrivilege	4364	msiexec.exe
Token: SeCreatePermanentPrivilege	4364	msiexec.exe
Token: SeBackupPrivilege	4364	msiexec.exe
Token: SeRestorePrivilege	4364	msiexec.exe
Token: SeShutdownPrivilege	4364	msiexec.exe
Token: SeDebugPrivilege	4364	msiexec.exe
Token: SeAuditPrivilege	4364	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4364	msiexec.exe
Token: SeChangeNotifyPrivilege	4364	msiexec.exe
Token: SeRemoteShutdownPrivilege	4364	msiexec.exe
Token: SeUndockPrivilege	4364	msiexec.exe
Token: SeSyncAgentPrivilege	4364	msiexec.exe
Token: SeEnableDelegationPrivilege	4364	msiexec.exe
Token: SeManageVolumePrivilege	4364	msiexec.exe
Token: SeImpersonatePrivilege	4364	msiexec.exe
Token: SeCreateGlobalPrivilege	4364	msiexec.exe
Token: SeCreateTokenPrivilege	4364	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4364	msiexec.exe
Token: SeLockMemoryPrivilege	4364	msiexec.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
4364	msiexec.exe
4364	msiexec.exe
4300	Telegram.exe
4300	Telegram.exe
4300	Telegram.exe
4300	Telegram.exe
4300	Telegram.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
4300	Telegram.exe
4300	Telegram.exe
4300	Telegram.exe
4300	Telegram.exe
4300	Telegram.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3668	upload.exe
3668	upload.exe
4192	upload.exe
4192	upload.exe
4300	Telegram.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 840	2732	msedge.exe	76
PID 2732 wrote to memory of 840	2732	msedge.exe	76
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 4200	2732	msedge.exe	77
PID 2732 wrote to memory of 228	2732	msedge.exe	78
PID 2732 wrote to memory of 228	2732	msedge.exe	78
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79
PID 2732 wrote to memory of 5092	2732	msedge.exe	79

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tuhunaer.com/download/telegram-os/index-p.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffb6c13cb8,0x7fffb6c13cc8,0x7fffb6c13cd8
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,8229079908977021118,3264075281836276326,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5096

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\setupno-p\setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4364

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BEBF3F34FA785EB275DAB8762F18039B C
  2⤵
  - Loads dropped DLL
  PID:2060
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C35CC5C75F19247B2B395E55695A9DB
  2⤵
  - Loads dropped DLL
  PID:4116

C:\Program Files (x86)\NetSarangX\upload.exe
"C:\Program Files (x86)\NetSarangX\upload.exe" /NOFOCUS /checkin
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3668

C:\Program Files (x86)\NetSarangX\upload.exe
"C:\Program Files (x86)\NetSarangX\upload.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4192
- \??\c:\windows\SysWOW64\msiexec.exe
  "c:\windows\sysWoW64\msiexec.exe"
  2⤵
  PID:2120

C:\Users\Admin\AppData\Roaming\TG-21371A822\Telegram.exe
"C:\Users\Admin\AppData\Roaming\TG-21371A822\Telegram.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d90b.rbs

Filesize
207KB

MD5
7d23ab1e961e80b4c4ccf6b5d5664945

SHA1
fe8d224d750ac92034c2ecbdceafa7b18c5e6d69

SHA256
d019d2c66739306f0bd096ce0ae10ad44b0ac3c78c6cb7dc685c598f9290bcfb

SHA512
30b6305584106b3ccae085a4452efac7311e91b41736e380dd968f10cf38b8e6229a7936e0e8541139593683e2faf255f28c323d27d63c26f15683cbcd7ef56f

Download Submit
C:\Program Files (x86)\NetSarangX\upload.dat

Filesize
74KB

MD5
ed5ce3c2d78ace16956117ab67d77c2c

SHA1
d9ba439f9e723c04bd12a33c6455d0eff70fc2ba

SHA256
fffc1d2f822b8ddaba16e86ddd445b70fc5cb4d5a910d24b62f5d9c1ffaa2b22

SHA512
b6f36640320ed463aa5fc1a2e7db727128f6fa235b3d6f0b4afce1ca475ebaa287ad547384560c441b9ee4d95299b37125c27e46b3a7f3e95739859a66be6dc2

Download Submit
C:\Program Files (x86)\NetSarangX\upload.exe

Filesize
474KB

MD5
9050ac019b4c8dddbc5e250bb87cf9f2

SHA1
241f50bf6100bd84a14bd927a28bba5bc7df30f3

SHA256
83d225323c8783c84d70aee1da5b507dde1e717ab3233f784fbb1b749dba11b9

SHA512
2d3a167bb8d5c06b371f1f0c82ffb25e2aabb2c518b062816ae324d4ed1916f7c2271a7bb220bd49079cc4e33162e27757f3d35b062576ee160de4c209aedbc3

Download Submit
C:\ProgramData\templateWatch.dat

Filesize
763KB

MD5
add29ba22ae4ae6d7cd9644b0ffb700e

SHA1
ada6bbaec9b0cb6a71ab1e43649a9c40ef2dd60d

SHA256
34bf280094307245528bac7acf799cb59a6af8613cfd887c2cd09030fb95eedd

SHA512
460e5195f65dc84a41b2bff7b5ae07122a7bf92b1df80128d1ade53b6d36b4df922baf822bb958fa74a14bd4d2405578c4c63e51821b4b4e15fafe90330dc5ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
3e27f02f10c193be61092dee213b59b7

SHA1
9e2aeaefb0d4822bb531a64746a9f67b56622ee7

SHA256
120cb9b1c4fcb3aeea5321dcdd0c7f80f4ff61d5eb867d493bb22130070d54cf

SHA512
ddfb8cc3b9d676be68f90a8172beb455978cb4bb076e504cc898fea0a82f27f4efdbfdc5f84992f1b26c8c90680e28187946694eb2e0331e41b0eeef1a9e35a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
996ea4ddbeac834b93acb14c9024e117

SHA1
69d66e17476d84d0211b5e8b8abc838b0b55993b

SHA256
6093b76c1104e91910fb79a89d2b9a6cde57fba8bb631af8b72e493280ae4881

SHA512
2c91754f7ffe87b3d9b71b18ad294facf76dbee875285c2a235e09f605fa62cff45357bb55f7a035f659edb8b16b61542fba5bba9a143fad9693478f89c19f9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e721c86dd3615dfe4b472d585cfe771

SHA1
fc191c8693ade868e5f9839b0ec8f197ba58c937

SHA256
837dcb420be081d4cc757ad8c395e22b6292743f7e40dadc1e82916002c66d11

SHA512
54ed7129708a0afee7af44049c59fbe80072c7c23a210b35f40c0703cb744e60dfa7827a99af9eedd75d11f3c06f04a96b8f340786518bf32fb384bd2462b5fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
958fc85777eccb3e3895dc7e7723779a

SHA1
6766619fb33d301878da2bd09b800cd68f964d60

SHA256
3b187a6b0437f19e97409b0dd2405abeb3d4a5551f54da449beac195f125f3dd

SHA512
ed2323e604792b1b61a9b28cdcd71dfca42f9fa1258f2506ec4e5d2faf39c48bae9841c711d1ae71a66cbf8f82b39451e1b74786b9eceb836b049c4428a99025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7e3da042f14f98366c240d8ae01760ce

SHA1
7031d445b7c2242e45436e1bc6f22af53dbaec19

SHA256
da398d7b97618d3c4c5cfd068f9945c9c16acde3df3fc8cc03bd2cb82f3ca121

SHA512
ad482909a22eaf4a571aff662b6a49d896fb8f53f16f0e8c7d40804aac7dfa24e59367beaed2bc29ecaad3bec172115a3a64bcf2ad8d88fcfcf78dc927569bcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10d69dfd9b7c154f76646899da5c8895

SHA1
2e5a2dd248140f501ccef3a059835456ff223e76

SHA256
b1f568bbedface99cd220549d274008e6eeb80da3a12d564a7ab478e19ead44a

SHA512
a1d7b1358a59a1064707129d822bb6297e307e0d42c903288f67f48780e57ccfe6ded1b57fb14020ae7d60ddbb6757c037be1f31d235c6c55ba21dd39f5fcf9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\25643

Filesize
50.2MB

MD5
4420b28183c8ee12833b6cb3d54e49cc

SHA1
19c4fcd42151be69ac66ad5ef1c6be7fbed4a050

SHA256
3a3a2757dcaee54f39b4da93a85f894281d82d59885634b4e0ccd7896de9cfb6

SHA512
1814f9038fd2c62c22b9fb883e1c12664ae4bca16c69a52bbd8c8535ae9b385a16fd37bf98f50598450293bec1a8e409cbab6aaa18a48d8cc9d752784b093480

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC822.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICAD9.tmp

Filesize
196KB

MD5
afaf2bf9ed4559e63022a51f8a3ca55b

SHA1
0a208adfc1cdb5a5dd5889001f64e1324821329f

SHA256
867e5da047518573fc985224803d370374f95e6be0034f371922e58dbed30e54

SHA512
2249db94628c6106620218757518d958c301a1d6ba1d3d47ea4b66c787bb0433fe792991fca4a883dc410dcf124f652574c1689a8957c71ab500c2f92e0cd0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\Telegram.exe

Filesize
140.7MB

MD5
553818ae7cc6c4526b4c1d1aadca25f9

SHA1
0b0097351607b4fd3a522b6482766be717b1fcb7

SHA256
b6511e9d5445da09ff944467a991388cdb3725b9f2f70c7f619907cb6d14be49

SHA512
08227d6f7438199d8176c0b49a69999ce64074cd57ff3a2faa08d2f5bfb65006a9ab9eb49c0f7525f8337a9058189d2e3c25a22dfeaa8f8dcf4775532e8d3484

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\00B5C7D6A3E9F5D3s

Filesize
140B

MD5
a21cbb73d656baf4fc1cc3a3cb272be2

SHA1
bfd66f3da8a6f25de6cd832730a2444b66cfa173

SHA256
bb29c6a06e29f5d1e02eb4fc6458ff7e4d65975fc909667b21e43cbfd7c7c2b5

SHA512
9322f6949ac21f3f17bc631511c0af24a2361dd6055e6c3e6ef6430bef8d4711f558c7e6106813d6e85f076960b0cca1bc5b62f6113a878a1edebdd396f07ddb

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\E3768DD92A664D45s

Filesize
292KB

MD5
af849ce888f25a59034a4857d513dd26

SHA1
7c345bd6b1401c390dc8533d83fe18f8508141b7

SHA256
4ed5610a9add75e3941fa9c8c0bb868bde66a4e249bf7b28bd5c543fb95bf6bd

SHA512
a23f273653eaade3d577bccd86f17d6c64d3ffda24aebeb7e30765068a90965c1a9933b2a39ac47c49c83fdc53c637aaa5d858b20939acae0fcad20e93b8476a

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\key_datas

Filesize
388B

MD5
267395d7a0ca4263aa5d2bc948802382

SHA1
c6d86340605e2722a489141c8d7e7c69fa761eba

SHA256
6d67f5df1e1812ac7ee0efab19cbb876e854fd5de9944dfda1634e595bb8c78a

SHA512
0b610748b10f2c0b49de07c1e5d6672a7fd936191adcfe2b198e4421f137e1dd985969415cc480d39798c39ee39578961e960e50d6e065eaf87cf842242b299e

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\settingss

Filesize
1KB

MD5
fcaadb2bca61db4b61fc717baa29ff7a

SHA1
db8d0a6441a852c5f7be11838e3f7ed38cdad79f

SHA256
2414f6e27fc48e299fbe697a2f02003eb8c7dd569e7a88fd9b35ddb3c389af7d

SHA512
bf70599b237258b2738a750c99e8cfa4f1c08ad0e7a710d21e657a26d947c248d0dd4e84101a81f1134d4a29523d4a5c9ea183f946bfc790fa68fca21e7a4447

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\shortcuts-custom.json

Filesize
390B

MD5
41f06d2aebabfb2cf89e0e83818eed41

SHA1
e14fae1620474acdced6c57e03fd65b4d58285db

SHA256
0d7d3f01a2aefef56633929791964a5c3bcf1d38798e23bb82e67c68165bc1dc

SHA512
ac7deb8ec53cc76028d6f73084c358ee45642dcb79b53a137cfb67ba8360da5cae6a91c878cb033d864ad692c776de4f25a9a109b7da65271eda46ace78e7fde

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\shortcuts-default.json

Filesize
3KB

MD5
33984341ce0660d81b8e4f6a20942d94

SHA1
33644335c49d4e8c84c09ff07af37d3f6ae65dfe

SHA256
0275a16fd35abad23fab70da5f2fe36fe46e197ce36416bc5e383e484dfdcfe8

SHA512
019bbbb3ab050345bc0a492a48eb0fee61999311449b0930ded5aab4247d342cb7f4d0899290d8c6e9197be465ee766791d25d547f7d5700026fef7d194134dd

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\usertag

Filesize
8B

MD5
aab558bf33539c679f4887f2b5ca211c

SHA1
67c78a14927e4094afaa3008cec63c4adcf6aced

SHA256
b91b1b9e64bd73f488559039b81c5d001ab0c5de0e648a76e808ef03c61f6354

SHA512
245d27ce4d3491354ec89adb08ba815869f0ef984a51200ec06e00589cfa0f3f8ac5046422ad0a4a658ef2fdb7ad94d61ef7cc53edcb5bae7c0ac9a2dbace758

Download Submit
C:\Users\Admin\Downloads\setupno-p.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Installer\e57d90a.msi

Filesize
106.0MB

MD5
0d99549bad3b6663684b7897137678c8

SHA1
a24205ab3713d0d685948ebd64e237fe3db7ecbb

SHA256
214bbdd6acc678c1f84db918a49faf1353b7268f0786bee1cfb074caa340308e

SHA512
746c76fdd9174e5a28f1f3402361f001b63a6bcb210f09c9a1f9892c86b44e7d585f4df0c07e9faf03fe8283f2ac0d575bbc0b37f37d07d13724d6e6a0776881

Download Submit
C:\Windows\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
13KB

MD5
29b994bbbfa6110402d25849acd61baa

SHA1
e3dae0632750d70cb38a1a7a741fc1a91f28580d

SHA256
165c99b55b3dcc4844d5066e4f3beea3181320d7e6c647439c0fe3035a4695fe

SHA512
98cc2abfb6904cffa82681b4f799a19f3bc9605cc2e17f1778cecc0b67d78c49ad7e08c9f2b606ffe8a572e0224a355cf9bb3b8d97dcc15e7d3a0841e423b889

Download Submit
C:\Windows\Temp\_ir_tu2_temp_0\_TUProjDT.dat

Filesize
4B

MD5
67bf1f80834081fc794c6ed1f7c2fed5

SHA1
4d73fbec18037110be3248e97a555b7f9e458777

SHA256
54fd2361602e82db016d6ea62fbadc3984b566399dfaac7e0a1181e4c70b90c2

SHA512
fd08c52f7f712dc477ce548476cc2f2582b19f05dc03a814e93ea8464b9a4510375b26f2a39ec50057bd0b0bfc3bdd94eda1e814254a259f0b209da2358d3bae

Download Submit
memory/2120-236-0x0000000010000000-0x00000000100C4000-memory.dmp

Filesize
784KB

Download
memory/2120-235-0x0000000000A70000-0x0000000000B2F000-memory.dmp

Filesize
764KB

Download
memory/3668-175-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3668-195-0x0000000002CA0000-0x0000000002CA2000-memory.dmp

Filesize
8KB

Download
memory/3668-201-0x0000000002FF0000-0x00000000030B4000-memory.dmp

Filesize
784KB

Download
memory/3668-200-0x0000000002DF0000-0x0000000002EAF000-memory.dmp

Filesize
764KB

Download
memory/3668-196-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/3668-250-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4192-226-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/4192-230-0x0000000001B80000-0x0000000001C44000-memory.dmp

Filesize
784KB

Download
memory/4192-207-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4192-251-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4300-293-0x00000221B6930000-0x00000221B6940000-memory.dmp

Filesize
64KB

Download
memory/4300-385-0x00000221B6930000-0x00000221B6940000-memory.dmp

Filesize
64KB

Download