Windows Analysis Report
https://investors.spotify.com.sg.misteri.us.kg/

Overview

General Information

Sample URL: https://investors.spotify.com.sg.misteri.us.kg/
Analysis ID: 1521726
Tags: openphish
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Downloads suspicious files via Chrome
Drops large PE files
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: https://investors.spotify.com.sg.misteri.us.kg/ Virustotal: Detection: 13% Perma Link
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: -----BEGIN RSA PUBLIC KEY----- memstr_4fd3903a-a
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: Binary string: aesni_init_keycrypto\evp\e_aes.caesni_gcm_init_keyaesni_xts_init_keyaesni_ccm_init_keyaesni_ocb_init_keyaes_init_keyaes_gcm_init_keyaes_gcm_tls_cipheraes_xts_init_keyaes_xts_cipheraes_ccm_init_keyaes_wrap_init_keyaes_wrap_cipheraes_ocb_init_keyaes_ocb_ciphercompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /FS -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.2.1 30 Jan 20243.2.1built on: Sun Aug 25 15:14:21 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecopy_integercrypto\params.cunsigned_from_signedgeneral_get_intgeneral_set_intgeneral_get_uintgeneral_set_uintOSSL_PARAM_get_int32OSSL_PARAM_set_int32OSSL_PARAM_get_uint32OSSL_PARAM_set_uint32OSSL_PARAM_get_int64OSSL_PARAM_set_int64OSSL_PARAM_get_uint64OSSL_PARAM_set_uint64OSSL_PARAM_get_BNOSSL_PARAM_set_BNget_string_internalOSSL_PARAM_get_utf8_stringset_string_internalOSSL_PARAM_set_utf8_stringOSSL_PARAM_set_octet_stringget_ptr_internalset_ptr_internalOSSL_PARAM_set_utf8_ptrOSSL_PARAM_set_octet_ptrget_string_ptr_internalcrypto\evp\mac_meth.cevp_mac_from_algorithmcrypto\evp\mac_lib.cEVP_MAC_CTX_newEVP_MAC_CTX_dupblock-sizeevp_mac_finalEVP_Q_mac source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /FS -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: crypto\modes\ocb128.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /FS -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\OpenSSL\lib\engines-3.dllCPUINFO: %s::%s:%d:%s source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Telegram\tx64\out\Release\Telegram.pdb source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65B00A000.00000002.00000001.01000000.00000008.sdmp
Source: chrome.exe Memory has grown: Private usage: 0MB later: 34MB
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-HardwareMD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6596D7000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://.css
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6596D7000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://.jpg
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/1423136Disables
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/1452
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/1452Bug
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/2152
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/2152On
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/3246
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/3246On
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/3682
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/3682There
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/5007
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/5007Disable
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/5658
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/5658Even
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/5750
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/5750Set
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/6041
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/6041Force-enable
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/7036
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/7036Enable
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/7279
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/7279Emulate
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/7724
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/7724Disable
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/7760
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/7760Write
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/7761
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://anglebug.com/7761Check
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://bugreports.qt.io/
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crbug.com/941620
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crbug.com/941620Some
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6596D7000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://html4/loose.dtd
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Digitized
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01x
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.phreedom.org/md5)
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timehttp://www.webrtc.org/experiments/rtp-h
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cnurn:ietf:params:rtp-hdrext:csrc-audio-level
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://%1/%2tokenize/cardtgb.smart-glocal.com/cds/v1expiration_yearexpiration_monthtgb-playground.s
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://ads.telegram.orgTelegram
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://anglebug.com/7246
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://anglebug.com/7246Force
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://api.mapbox.com/mapbox-gl-js/v3.4.0/mapbox-gl.css
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://api.mapbox.com/mapbox-gl-js/v3.4.0/mapbox-gl.js
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://api.mapbox.com/search/geocode/v6/reverse?longitude=%1&latitude=%2&language=%3&access_token=%
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://chromium.googlesource.com/angle/angle/
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://core.telegram.org/api
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://core.telegram.org/apihttps://promote.telegram.org
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://crbug.com/1053756
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://crbug.com/1053756ICE
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://crbug.com/593024
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://crbug.com/593024Copying
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://crbug.com/650547
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://crbug.com/650547Using
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://crbug.com/655534
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://crbug.com/655534Using
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp, Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://desktop.telegram.org
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://desktop.telegram.org/changelog
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://desktop.telegram.orghttps://snapcraft.io/telegram-desktophttps://flathub.org/apps/details/or
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://flathub.org/apps/details/org.telegram.desktop
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://github.com/davelab6/Roboto-ClassicThis
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://github.com/rastikerdar/vazirmatn)Vazirmatn
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://github.com/telegramdesktop/tdesktop
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://github.com/telegramdesktop/tdesktop/blob/master/LICENSE
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://github.com/telegramdesktop/tdesktop/blob/master/LICENSEdeThe
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://github.com/telegramdesktop/tdesktopGNU
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://instagram.com/
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://instagram.com/explore/tags/
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://issuetracker.google.com/220069903Force
Source: Unconfirmed 103549.crdownload.0.dr String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp, Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://maps.google.com/maps?q=
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://promote.telegram.org
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://promote.telegram.org/guidelines
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFL
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://scripts.sil.org/OFLhttps://scripts.sil.org/OFLVazirmatn
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://snapcraft.io/telegram-desktop
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://ss3.4sqi.net/img/categories_v2/
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://streams.videolan.org/upload/
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://t.me
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp, Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://t.me/
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://t.me/$
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://t.me/$premium.promo_screen_showpremium.promo_screen_acceptpremium_promo_ordersourceprofile_:
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://t.me/TelegramTipsWarningYou
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://t.me/c/%1/%2
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://t.me/setlanguage/
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://td.telegram.org
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://td.telegram.org/
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://tdesktop.com/
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://tdesktop.com/crash.php?act=query_report&apiid=%1&version=%2&dmp=%3&platform=%4
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://tdesktop.com/crash.php?act=report
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/blog/monetization-for-channelsAd
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/blog/telegram-business#chatbots-for-businessbot
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/blog/telegram-starsUnlock
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/faq
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/faq#general-questionsTelegram
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/privacy
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/privacy-tpa
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/tos
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/tos/mini-appsNotification
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/tos/stars
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/tos/starsAll
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/tos/starsMedia
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/tos/starsSubscription
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65B91B000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telegram.org/tos/starsWithdraw
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://telesco.pe/
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://twitter.com/
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65BA85000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: https://twitter.com/hashtag/
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://webrtc.googlesource.com/src/
Source: 7za.exe, 0000000A.00000003.3292432282.0000000002F30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0

System Summary
barindex
Downloads suspicious files via Chrome
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File dump: C:\Users\user\Downloads\tportable-x64.5.5.5.zip (copy) Jump to dropped file
Drops large PE files
Source: C:\Windows\SysWOW64\7za.exe File dump: Telegram.exe.10.dr 162952456 Jump to dropped file
PE file does not import any functions
Source: 012cb3cd-41cf-435d-b141-c65927ddb5ee.tmp.0.dr Static PE information: No import functions for PE file found
Source: 0b8031df-20d6-4a21-b2d6-249cd53d0db3.tmp.0.dr Static PE information: No import functions for PE file found
PE file overlay found
Source: 012cb3cd-41cf-435d-b141-c65927ddb5ee.tmp.0.dr Static PE information: Data appended to the last section found
Source: 0b8031df-20d6-4a21-b2d6-249cd53d0db3.tmp.0.dr Static PE information: Data appended to the last section found
Source: Telegram.exe.10.dr Static PE information: Section: .qtmimed ZLIB complexity 0.9983110514817629
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: ndre-land.nonet.slnet.soin-brb.de123website.lutrentino-stirol.it
Source: classification engine Classification label: mal56.win@35/48@0/13
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\SysWOW64\unarchiver.exe File created: C:\Users\user\AppData\Local\Temp\unarchiver.log Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://investors.spotify.com.sg.misteri.us.kg/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4200 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4308 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\34yqvajp.yju" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip"
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4200 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4308 --field-trial-handle=2012,i,5296181332326272263,8081676399308569334,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\34yqvajp.yju" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip" Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe" Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe Section loaded: 7z.dll Jump to behavior
Source: Google Drive.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: Binary string: aesni_init_keycrypto\evp\e_aes.caesni_gcm_init_keyaesni_xts_init_keyaesni_ccm_init_keyaesni_ocb_init_keyaes_init_keyaes_gcm_init_keyaes_gcm_tls_cipheraes_xts_init_keyaes_xts_cipheraes_ccm_init_keyaes_wrap_init_keyaes_wrap_cipheraes_ocb_init_keyaes_ocb_ciphercompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /FS -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.2.1 30 Jan 20243.2.1built on: Sun Aug 25 15:14:21 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecopy_integercrypto\params.cunsigned_from_signedgeneral_get_intgeneral_set_intgeneral_get_uintgeneral_set_uintOSSL_PARAM_get_int32OSSL_PARAM_set_int32OSSL_PARAM_get_uint32OSSL_PARAM_set_uint32OSSL_PARAM_get_int64OSSL_PARAM_set_int64OSSL_PARAM_get_uint64OSSL_PARAM_set_uint64OSSL_PARAM_get_BNOSSL_PARAM_set_BNget_string_internalOSSL_PARAM_get_utf8_stringset_string_internalOSSL_PARAM_set_utf8_stringOSSL_PARAM_set_octet_stringget_ptr_internalset_ptr_internalOSSL_PARAM_set_utf8_ptrOSSL_PARAM_set_octet_ptrget_string_ptr_internalcrypto\evp\mac_meth.cevp_mac_from_algorithmcrypto\evp\mac_lib.cEVP_MAC_CTX_newEVP_MAC_CTX_dupblock-sizeevp_mac_finalEVP_Q_mac source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /FS -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: crypto\modes\ocb128.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /FS -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\OpenSSL\lib\engines-3.dllCPUINFO: %s::%s:%d:%s source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Telegram\tx64\out\Release\Telegram.pdb source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65B00A000.00000002.00000001.01000000.00000008.sdmp
PE file contains an invalid checksum
Source: 012cb3cd-41cf-435d-b141-c65927ddb5ee.tmp.0.dr Static PE information: real checksum: 0x2bca9df should be: 0x8a41
Source: 0b8031df-20d6-4a21-b2d6-249cd53d0db3.tmp.0.dr Static PE information: real checksum: 0x2bca9df should be: 0x39f1f
PE file contains sections with non-standard names
Source: 012cb3cd-41cf-435d-b141-c65927ddb5ee.tmp.0.dr Static PE information: section name: .didata
Source: Unconfirmed 103549.crdownload.0.dr Static PE information: section name: .didata
Source: 0b8031df-20d6-4a21-b2d6-249cd53d0db3.tmp.0.dr Static PE information: section name: .didata
Source: Unconfirmed 342131.crdownload.0.dr Static PE information: section name: .didata
Source: Telegram.exe.10.dr Static PE information: section name: .rodata
Source: Telegram.exe.10.dr Static PE information: section name: .qtmetad
Source: Telegram.exe.10.dr Static PE information: section name: .qtmimed
Source: Telegram.exe.10.dr Static PE information: section name: _RDATA
Drops PE files
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\012cb3cd-41cf-435d-b141-c65927ddb5ee.tmp Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\0b8031df-20d6-4a21-b2d6-249cd53d0db3.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\modules\x64\d3d\d3dcompiler_47.dll Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\Unconfirmed 103549.crdownload Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\Unconfirmed 342131.crdownload Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 11F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 3140000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 5140000 memory commit | memory reserve | memory write watch Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\modules\x64\d3d\d3dcompiler_47.dll Jump to dropped file
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\unarchiver.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 9_2_0103B1D6 GetSystemInfo, 9_2_0103B1D6
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: VMware
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: VMnet
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65C485000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: .?AVQEmulationPaintEngine@@h
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: C:\Telegram\Libraries\win64\tg_owt\src\rtc_base\network.ccIgnore link local IP:Ignore Mac based IP:Ignore deprecated IP:WebRTC-IPv6NetworkResolutionFixesIpAddressAttributesEnabledWebRTC-SignalNetworkPreferenceChangeToo many network interfaces to handle!WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameNetwork change was observedVMnetSocket creation failedConnect failed with NetworkManager detected , active ? , IgnoredWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnUnknown network cost: Net[:id=
Source: Unconfirmed 103549.crdownload.0.dr Binary or memory string: @VMCII
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF6597D8000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: IIAMDARMBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTestFrontend workaroundsFrontend featuresOpenGL workaroundsOpenGL featuresD3D workaroundsVulkan app workaroundsVulkan workaroundsVulkan featuresMetal featuresMetal workaroundsUnknownenableddisabled
Source: Telegram.exe, 0000000E.00000000.3311646704.00007FF65C485000.00000008.00000001.01000000.00000008.sdmp Binary or memory string: .?AVQEmulationPaintEngine@@
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: VMware Screen Codec / VMware Video
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\34yqvajp.yju" "C:\Users\user\Downloads\tportable-x64.5.5.5.zip" Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\34yqvajp.yju\Telegram\Telegram.exe" Jump to behavior
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF65A60A000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: System Error: GetWindowPlacement failed.WindowsCustomMarginsShell_TrayWndC:\Telegram\tx64\Telegram\lib_ui\ui\platform\win\ui_window_win.cppFailed to get taskbar pos"_handle != nullptr"GetSystemMetricsForDpiAdjustWindowRectExForDpix&.[
Source: Telegram.exe, 0000000E.00000000.3308240792.00007FF659502000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: C:\Telegram\Libraries\win64\tg_owt\src\modules\desktop_capture\cropping_window_capturer.ccWindow no longer on top when ScreenCapturer finishesScreenCapturer failed to capture a frameWindow rect is emptyWindow is outside of the captured displayC:\Telegram\Libraries\win64\tg_owt\src\modules\desktop_capture\win\screen_capture_utils.ccNo HMONITOR found for supplied device index.GetDpiForMonitor() failedChrome_WidgetWin_ProgmanButton
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1521726 URL: https://investors.spotify.c... Startdate: 29/09/2024 Architecture: WINDOWS Score: 56 59 Multi AV Scanner detection for submitted file 2->59 61 Downloads suspicious files via Chrome 2->61 8 chrome.exe 25 2->8         started        12 chrome.exe 2->12         started        process3 dnsIp4 53 192.168.2.4 unknown unknown 8->53 55 192.168.2.5 unknown unknown 8->55 57 2 other IPs or domains 8->57 39 C:\Users\...\tportable-x64.5.5.5.zip (copy), Zip 8->39 dropped 41 C:\Users\...\Unconfirmed 342131.crdownload, PE32 8->41 dropped 43 C:\Users\...\Unconfirmed 103549.crdownload, PE32 8->43 dropped 45 2 other files (none is malicious) 8->45 dropped 14 unarchiver.exe 4 8->14         started        16 chrome.exe 8->16         started        19 chrome.exe 8->19         started        21 chrome.exe 8->21         started        file5 process6 dnsIp7 23 7za.exe 11 14->23         started        27 cmd.exe 1 14->27         started        47 149.154.167.99 TELEGRAMRU United Kingdom 16->47 49 108.177.15.84 GOOGLEUS United States 16->49 51 7 other IPs or domains 16->51 process8 file9 35 C:\Users\user\AppData\...\d3dcompiler_47.dll, PE32+ 23->35 dropped 37 C:\Users\user\AppData\Local\...\Telegram.exe, PE32+ 23->37 dropped 63 Drops large PE files 23->63 29 conhost.exe 23->29         started        31 conhost.exe 27->31         started        33 Telegram.exe 27->33         started        signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
1.1.1.1
 unknown Australia
13335 CLOUDFLARENETUS false
108.177.15.84
 unknown United States
15169 GOOGLEUS false
172.217.18.3
 unknown United States
15169 GOOGLEUS false
104.21.47.42
 unknown United States
13335 CLOUDFLARENETUS false
142.250.185.132
 unknown United States
15169 GOOGLEUS false
142.250.185.227
 unknown United States
15169 GOOGLEUS false
149.154.167.99
 unknown United Kingdom
62041 TELEGRAMRU false
216.58.206.46
 unknown United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.184.206
 unknown United States
15169 GOOGLEUS false

Private

IP
192.168.2.4
192.168.2.6
192.168.2.5

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://desktop.telegram.org/ false
    		unknown