ta505 | hxxps://download[.]tuhunaer[.]com/download/telegram-os/index-p[.]html

Resubmissions

20-04-2024 16:51

240420-vdaqfadd9x 10

20-04-2024 16:44

240420-t8zsdach37 10

Analysis

max time kernel
102s
max time network
106s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
20-04-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.tuhunaer.com/download/telegram-os/index-p.html

Score

10^/10

ta505 upx

Malware Config

Signatures

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505

Executes dropped EXE 3 IoCs

pid	Process
2352	upload.exe
3976	upload.exe
2100	Telegram.exe

Loads dropped DLL 14 IoCs

pid	Process
332	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
2080	MsiExec.exe
332	MsiExec.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002a9b7-200.dat	upx
behavioral1/memory/2352-202-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/3976-234-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/2352-277-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral1/memory/3976-278-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetSarangX\upload.dat	msiexec.exe
File created	C:\Program Files (x86)\NetSarangX\upload.exe	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIADF3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEEE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF4E.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5DFD9D8DEDD3D5FF.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2306DCB6-79C2-4BE0-84BA-54C64BC1877E}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF57A48C9A218F67BA.TMP	msiexec.exe
File created	C:\Windows\Installer\e57ad1a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB124.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB73F.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF1E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC1C4D9CB1F7AF2FB.TMP	msiexec.exe
File created	C:\Windows\Installer\e57ad18.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ad18.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFFE68919883C5FE15.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TG-21371A822\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tdesktop.tg\DefaultIcon	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TG-21371A822\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tdesktop.tg\shell\open	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TG-21371A822\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tg	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tg\URL Protocol	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TG-21371A822\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tdesktop.tg	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tdesktop.tg\shell\open\command	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tdesktop.tg\shell	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tg\ = "URL:Telegram Link"	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\tg\DefaultIcon	Telegram.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\setupno-p.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2100	Telegram.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
724	msedge.exe
724	msedge.exe
3432	msedge.exe
3432	msedge.exe
2424	identity_helper.exe
2424	identity_helper.exe
2552	msedge.exe
2552	msedge.exe
2660	msedge.exe
2660	msedge.exe
1052	msiexec.exe
1052	msiexec.exe
2352	upload.exe
2352	upload.exe
2352	upload.exe
2352	upload.exe
3976	upload.exe
3976	upload.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1596	msiexec.exe
Token: SeSecurityPrivilege	1052	msiexec.exe
Token: SeCreateTokenPrivilege	1596	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1596	msiexec.exe
Token: SeLockMemoryPrivilege	1596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1596	msiexec.exe
Token: SeMachineAccountPrivilege	1596	msiexec.exe
Token: SeTcbPrivilege	1596	msiexec.exe
Token: SeSecurityPrivilege	1596	msiexec.exe
Token: SeTakeOwnershipPrivilege	1596	msiexec.exe
Token: SeLoadDriverPrivilege	1596	msiexec.exe
Token: SeSystemProfilePrivilege	1596	msiexec.exe
Token: SeSystemtimePrivilege	1596	msiexec.exe
Token: SeProfSingleProcessPrivilege	1596	msiexec.exe
Token: SeIncBasePriorityPrivilege	1596	msiexec.exe
Token: SeCreatePagefilePrivilege	1596	msiexec.exe
Token: SeCreatePermanentPrivilege	1596	msiexec.exe
Token: SeBackupPrivilege	1596	msiexec.exe
Token: SeRestorePrivilege	1596	msiexec.exe
Token: SeShutdownPrivilege	1596	msiexec.exe
Token: SeDebugPrivilege	1596	msiexec.exe
Token: SeAuditPrivilege	1596	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1596	msiexec.exe
Token: SeChangeNotifyPrivilege	1596	msiexec.exe
Token: SeRemoteShutdownPrivilege	1596	msiexec.exe
Token: SeUndockPrivilege	1596	msiexec.exe
Token: SeSyncAgentPrivilege	1596	msiexec.exe
Token: SeEnableDelegationPrivilege	1596	msiexec.exe
Token: SeManageVolumePrivilege	1596	msiexec.exe
Token: SeImpersonatePrivilege	1596	msiexec.exe
Token: SeCreateGlobalPrivilege	1596	msiexec.exe
Token: SeCreateTokenPrivilege	1596	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1596	msiexec.exe
Token: SeLockMemoryPrivilege	1596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1596	msiexec.exe
Token: SeMachineAccountPrivilege	1596	msiexec.exe
Token: SeTcbPrivilege	1596	msiexec.exe
Token: SeSecurityPrivilege	1596	msiexec.exe
Token: SeTakeOwnershipPrivilege	1596	msiexec.exe
Token: SeLoadDriverPrivilege	1596	msiexec.exe
Token: SeSystemProfilePrivilege	1596	msiexec.exe
Token: SeSystemtimePrivilege	1596	msiexec.exe
Token: SeProfSingleProcessPrivilege	1596	msiexec.exe
Token: SeIncBasePriorityPrivilege	1596	msiexec.exe
Token: SeCreatePagefilePrivilege	1596	msiexec.exe
Token: SeCreatePermanentPrivilege	1596	msiexec.exe
Token: SeBackupPrivilege	1596	msiexec.exe
Token: SeRestorePrivilege	1596	msiexec.exe
Token: SeShutdownPrivilege	1596	msiexec.exe
Token: SeDebugPrivilege	1596	msiexec.exe
Token: SeAuditPrivilege	1596	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1596	msiexec.exe
Token: SeChangeNotifyPrivilege	1596	msiexec.exe
Token: SeRemoteShutdownPrivilege	1596	msiexec.exe
Token: SeUndockPrivilege	1596	msiexec.exe
Token: SeSyncAgentPrivilege	1596	msiexec.exe
Token: SeEnableDelegationPrivilege	1596	msiexec.exe
Token: SeManageVolumePrivilege	1596	msiexec.exe
Token: SeImpersonatePrivilege	1596	msiexec.exe
Token: SeCreateGlobalPrivilege	1596	msiexec.exe
Token: SeCreateTokenPrivilege	1596	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1596	msiexec.exe
Token: SeLockMemoryPrivilege	1596	msiexec.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
1596	msiexec.exe
1596	msiexec.exe
2100	Telegram.exe
2100	Telegram.exe
2100	Telegram.exe
2100	Telegram.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
2100	Telegram.exe
2100	Telegram.exe
2100	Telegram.exe
2100	Telegram.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2352	upload.exe
2352	upload.exe
3976	upload.exe
3976	upload.exe
2100	Telegram.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 4832	3432	msedge.exe	80
PID 3432 wrote to memory of 4832	3432	msedge.exe	80
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 3964	3432	msedge.exe	81
PID 3432 wrote to memory of 724	3432	msedge.exe	82
PID 3432 wrote to memory of 724	3432	msedge.exe	82
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83
PID 3432 wrote to memory of 1520	3432	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.tuhunaer.com/download/telegram-os/index-p.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc06b3cb8,0x7ffdc06b3cc8,0x7ffdc06b3cd8
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,16917086858657713038,12968603253411205157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3300

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_setupno-p.zip\setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1596

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8F55E739572AF3D0AD5F0B8340E178D0 C
  2⤵
  - Loads dropped DLL
  PID:332
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 07F3831B80BA4CD8EEEBD4A3D8BF2052
  2⤵
  - Loads dropped DLL
  PID:2080

C:\Program Files (x86)\NetSarangX\upload.exe
"C:\Program Files (x86)\NetSarangX\upload.exe" /NOFOCUS /checkin
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Program Files (x86)\NetSarangX\upload.exe
"C:\Program Files (x86)\NetSarangX\upload.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3976
- \??\c:\windows\SysWOW64\msiexec.exe
  "c:\windows\sysWoW64\msiexec.exe"
  2⤵
  PID:5016

C:\Users\Admin\AppData\Roaming\TG-21371A822\Telegram.exe
"C:\Users\Admin\AppData\Roaming\TG-21371A822\Telegram.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ad19.rbs

Filesize
207KB

MD5
99cc76b605a86a119b38bb3d0d23b454

SHA1
a6cf94ff190318e67fbbff1371e4f11fdcaeda62

SHA256
1b73c70145d116633ae92f5d5c7ab1772ad7fe0f4bbd4816ffc71a6f5f1de1de

SHA512
a7b9eeb044b12d5fe4da450867c6f82ba7901278e6433d33d38e3f079e7e7b075c6ab531b2f474337e3c3de8af6312fc6ae42f36a2d1e42815e6a24597138608

Download Submit
C:\Program Files (x86)\NetSarangX\upload.dat

Filesize
74KB

MD5
ed5ce3c2d78ace16956117ab67d77c2c

SHA1
d9ba439f9e723c04bd12a33c6455d0eff70fc2ba

SHA256
fffc1d2f822b8ddaba16e86ddd445b70fc5cb4d5a910d24b62f5d9c1ffaa2b22

SHA512
b6f36640320ed463aa5fc1a2e7db727128f6fa235b3d6f0b4afce1ca475ebaa287ad547384560c441b9ee4d95299b37125c27e46b3a7f3e95739859a66be6dc2

Download Submit
C:\Program Files (x86)\NetSarangX\upload.exe

Filesize
474KB

MD5
9050ac019b4c8dddbc5e250bb87cf9f2

SHA1
241f50bf6100bd84a14bd927a28bba5bc7df30f3

SHA256
83d225323c8783c84d70aee1da5b507dde1e717ab3233f784fbb1b749dba11b9

SHA512
2d3a167bb8d5c06b371f1f0c82ffb25e2aabb2c518b062816ae324d4ed1916f7c2271a7bb220bd49079cc4e33162e27757f3d35b062576ee160de4c209aedbc3

Download Submit
C:\ProgramData\templateWatch.dat

Filesize
763KB

MD5
add29ba22ae4ae6d7cd9644b0ffb700e

SHA1
ada6bbaec9b0cb6a71ab1e43649a9c40ef2dd60d

SHA256
34bf280094307245528bac7acf799cb59a6af8613cfd887c2cd09030fb95eedd

SHA512
460e5195f65dc84a41b2bff7b5ae07122a7bf92b1df80128d1ade53b6d36b4df922baf822bb958fa74a14bd4d2405578c4c63e51821b4b4e15fafe90330dc5ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
57e5c5a9236321d336e2c8ce1eeff844

SHA1
8fd4288af72ba3f7a0ecc5583a9265723fefc096

SHA256
ae6496cf397848bf3139858deaf567e3df991bab5a7704a0fa7aae95474872d7

SHA512
bc3f24afe6ce0494022d8201a01a60239ac5cfee54e0650a337036817056424b418cb636d58d07e5034dffe2226906202b56509e4cc07562c0b60f618c420080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
493e7e14aceba0ff1c0720920cccc4a2

SHA1
468f39cefbcf14a04388b72d4f02552649bf3101

SHA256
a0dd32ed60115f661a4ca537472e0d4e230ff844d56a3db766299cf4cd817842

SHA512
e16c748e4513ea10bf7124cef7b50dc5f3a1802205af9228e0c33fdbf3c24286739db08db4b813079ed7cc36be43d7457f4c26f00ae3126a2fafd77d2696107a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
14979f476cc0e295c574fc02d2b95325

SHA1
cc1ac2e83586283bb916a0e2ef19e972aeec90a2

SHA256
b75122028696b3c39ab2deaf70be9ab7b72de2e65e1f0efa8274f812f4222944

SHA512
9859432723dc8b18f6ca680b47ab82f98cf96af497258966c83c5dd9b9ac20b23866bc4299f55a53fec312828bce7a724bf5fa95050e2ab9027fd6091194e380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36ceb0e4c8d1390e63f465a455cf294f

SHA1
e77c6ee06e2e4361cb70465a77e7ff910fa0c20b

SHA256
24927fa22db53a5ee8bb80169dc651e09248cdaecabaabf11e68c702a064880a

SHA512
fc41faf893c56a254919645d4febb6ce611c43a549d5f66834d5ed95430cb3820c5085a3345c5416b0d68f66843492912073dca7e988a5f3dc06c38d4d2da393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2fceb1a9507d237b6fd059677446dfe8

SHA1
6e6082a6253e94a01004dabb34a4a39bfc57660a

SHA256
8122c678770ef372c30695218023718bec3d219ae70fe94b1a83fcac5b575a4f

SHA512
d6bf565d21e52f5881f03ae3bde290a203f65af6af9803b5ee7837c28913a77d489e1954c978e0319efa5752dd60ef37ddf08053af8c9e34bc5597df7e7f1f8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
640f59932daa61b1bdf6a5342225ccdc

SHA1
3631ff00ebc87d718e3a9ba82cbfc1a389616202

SHA256
b0907a7d083b37c744f9be72e081d24d358c61068fdff13a0fc2d11c409acaf8

SHA512
5e281713d3d14aef19f6fb62cc646f165fa866e8e366669da4276f2b2416ebcd16936cec07aae76b39e9a00c70d558abee4049b2e4caa24904bba675eae44b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2161363eda7da2762a8ef4c13d61466b

SHA1
8c2d0e28cd56dd1974abe6c8b370af912c23a67c

SHA256
34ee991c339dfe604e2d9a7791a344ba517ab07a5c5c89fae88bf6ff080aeba5

SHA512
65acc552b046e50a33f7f77496e207ecd21300e62d8a4cdd1d29306bd6e4214a81ec6dcf308cbf94038a7548236087bad291ead1d6760a87dc9e7926c6e5d97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\25643

Filesize
50.2MB

MD5
4420b28183c8ee12833b6cb3d54e49cc

SHA1
19c4fcd42151be69ac66ad5ef1c6be7fbed4a050

SHA256
3a3a2757dcaee54f39b4da93a85f894281d82d59885634b4e0ccd7896de9cfb6

SHA512
1814f9038fd2c62c22b9fb883e1c12664ae4bca16c69a52bbd8c8535ae9b385a16fd37bf98f50598450293bec1a8e409cbab6aaa18a48d8cc9d752784b093480

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9C4F.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9ED7.tmp

Filesize
196KB

MD5
afaf2bf9ed4559e63022a51f8a3ca55b

SHA1
0a208adfc1cdb5a5dd5889001f64e1324821329f

SHA256
867e5da047518573fc985224803d370374f95e6be0034f371922e58dbed30e54

SHA512
2249db94628c6106620218757518d958c301a1d6ba1d3d47ea4b66c787bb0433fe792991fca4a883dc410dcf124f652574c1689a8957c71ab500c2f92e0cd0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\Telegram.exe

Filesize
140.7MB

MD5
553818ae7cc6c4526b4c1d1aadca25f9

SHA1
0b0097351607b4fd3a522b6482766be717b1fcb7

SHA256
b6511e9d5445da09ff944467a991388cdb3725b9f2f70c7f619907cb6d14be49

SHA512
08227d6f7438199d8176c0b49a69999ce64074cd57ff3a2faa08d2f5bfb65006a9ab9eb49c0f7525f8337a9058189d2e3c25a22dfeaa8f8dcf4775532e8d3484

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\00B5C7D6A3E9F5D3s

Filesize
140B

MD5
a21cbb73d656baf4fc1cc3a3cb272be2

SHA1
bfd66f3da8a6f25de6cd832730a2444b66cfa173

SHA256
bb29c6a06e29f5d1e02eb4fc6458ff7e4d65975fc909667b21e43cbfd7c7c2b5

SHA512
9322f6949ac21f3f17bc631511c0af24a2361dd6055e6c3e6ef6430bef8d4711f558c7e6106813d6e85f076960b0cca1bc5b62f6113a878a1edebdd396f07ddb

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\E3768DD92A664D45s

Filesize
292KB

MD5
af849ce888f25a59034a4857d513dd26

SHA1
7c345bd6b1401c390dc8533d83fe18f8508141b7

SHA256
4ed5610a9add75e3941fa9c8c0bb868bde66a4e249bf7b28bd5c543fb95bf6bd

SHA512
a23f273653eaade3d577bccd86f17d6c64d3ffda24aebeb7e30765068a90965c1a9933b2a39ac47c49c83fdc53c637aaa5d858b20939acae0fcad20e93b8476a

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\key_datas

Filesize
388B

MD5
267395d7a0ca4263aa5d2bc948802382

SHA1
c6d86340605e2722a489141c8d7e7c69fa761eba

SHA256
6d67f5df1e1812ac7ee0efab19cbb876e854fd5de9944dfda1634e595bb8c78a

SHA512
0b610748b10f2c0b49de07c1e5d6672a7fd936191adcfe2b198e4421f137e1dd985969415cc480d39798c39ee39578961e960e50d6e065eaf87cf842242b299e

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\settingss

Filesize
1KB

MD5
fcaadb2bca61db4b61fc717baa29ff7a

SHA1
db8d0a6441a852c5f7be11838e3f7ed38cdad79f

SHA256
2414f6e27fc48e299fbe697a2f02003eb8c7dd569e7a88fd9b35ddb3c389af7d

SHA512
bf70599b237258b2738a750c99e8cfa4f1c08ad0e7a710d21e657a26d947c248d0dd4e84101a81f1134d4a29523d4a5c9ea183f946bfc790fa68fca21e7a4447

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\shortcuts-custom.json

Filesize
390B

MD5
41f06d2aebabfb2cf89e0e83818eed41

SHA1
e14fae1620474acdced6c57e03fd65b4d58285db

SHA256
0d7d3f01a2aefef56633929791964a5c3bcf1d38798e23bb82e67c68165bc1dc

SHA512
ac7deb8ec53cc76028d6f73084c358ee45642dcb79b53a137cfb67ba8360da5cae6a91c878cb033d864ad692c776de4f25a9a109b7da65271eda46ace78e7fde

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\shortcuts-default.json

Filesize
3KB

MD5
33984341ce0660d81b8e4f6a20942d94

SHA1
33644335c49d4e8c84c09ff07af37d3f6ae65dfe

SHA256
0275a16fd35abad23fab70da5f2fe36fe46e197ce36416bc5e383e484dfdcfe8

SHA512
019bbbb3ab050345bc0a492a48eb0fee61999311449b0930ded5aab4247d342cb7f4d0899290d8c6e9197be465ee766791d25d547f7d5700026fef7d194134dd

Download Submit
C:\Users\Admin\AppData\Roaming\TG-21371A822\tdata\usertag

Filesize
8B

MD5
aab558bf33539c679f4887f2b5ca211c

SHA1
67c78a14927e4094afaa3008cec63c4adcf6aced

SHA256
b91b1b9e64bd73f488559039b81c5d001ab0c5de0e648a76e808ef03c61f6354

SHA512
245d27ce4d3491354ec89adb08ba815869f0ef984a51200ec06e00589cfa0f3f8ac5046422ad0a4a658ef2fdb7ad94d61ef7cc53edcb5bae7c0ac9a2dbace758

Download Submit
C:\Users\Admin\Downloads\setupno-p.zip

Filesize
104.8MB

MD5
2eda3c738183a870592280be2e0b3cca

SHA1
b367268b4fc4da42155e0dbbc3034edc78d46de6

SHA256
c6218c957cea12177c1e865dff0b7b54017809421c531b95352e2a8e0caba1c0

SHA512
3c500dad3bf7fa61846d67356272262e1c102b6e59b97d706a4b1861fe2896466541655cd150cc3d475b409d25afea10b04c3023ed36544ddc97c011d329e3e6

Download Submit
C:\Windows\Installer\e57ad18.msi

Filesize
106.0MB

MD5
0d99549bad3b6663684b7897137678c8

SHA1
a24205ab3713d0d685948ebd64e237fe3db7ecbb

SHA256
214bbdd6acc678c1f84db918a49faf1353b7268f0786bee1cfb074caa340308e

SHA512
746c76fdd9174e5a28f1f3402361f001b63a6bcb210f09c9a1f9892c86b44e7d585f4df0c07e9faf03fe8283f2ac0d575bbc0b37f37d07d13724d6e6a0776881

Download Submit
C:\Windows\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
13KB

MD5
29b994bbbfa6110402d25849acd61baa

SHA1
e3dae0632750d70cb38a1a7a741fc1a91f28580d

SHA256
165c99b55b3dcc4844d5066e4f3beea3181320d7e6c647439c0fe3035a4695fe

SHA512
98cc2abfb6904cffa82681b4f799a19f3bc9605cc2e17f1778cecc0b67d78c49ad7e08c9f2b606ffe8a572e0224a355cf9bb3b8d97dcc15e7d3a0841e423b889

Download Submit
C:\Windows\Temp\_ir_tu2_temp_0\_TUProjDT.dat

Filesize
4B

MD5
67bf1f80834081fc794c6ed1f7c2fed5

SHA1
4d73fbec18037110be3248e97a555b7f9e458777

SHA256
54fd2361602e82db016d6ea62fbadc3984b566399dfaac7e0a1181e4c70b90c2

SHA512
fd08c52f7f712dc477ce548476cc2f2582b19f05dc03a814e93ea8464b9a4510375b26f2a39ec50057bd0b0bfc3bdd94eda1e814254a259f0b209da2358d3bae

Download Submit
memory/2100-310-0x000001D94BB80000-0x000001D94BB90000-memory.dmp

Filesize
64KB

Download
memory/2100-395-0x000001D94BB80000-0x000001D94BB90000-memory.dmp

Filesize
64KB

Download
memory/2352-227-0x0000000002CC0000-0x0000000002D7F000-memory.dmp

Filesize
764KB

Download
memory/2352-277-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2352-228-0x0000000002EC0000-0x0000000002F84000-memory.dmp

Filesize
784KB

Download
memory/2352-202-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2352-222-0x0000000002490000-0x0000000002492000-memory.dmp

Filesize
8KB

Download
memory/2352-223-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/3976-278-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3976-257-0x0000000001B70000-0x0000000001C34000-memory.dmp

Filesize
784KB

Download
memory/3976-234-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/5016-263-0x0000000010000000-0x00000000100C4000-memory.dmp

Filesize
784KB

Download
memory/5016-262-0x0000000000870000-0x000000000092F000-memory.dmp

Filesize
764KB

Download