Edit tour

Windows Analysis Report
Telegram.exe

Overview

General Information

Sample name:	Telegram.exe
Analysis ID:	1502415
MD5:	15fbc3057d25e308e0832ad1a7d62e26
SHA1:	c90180b2360b4f12a32630f007b3e560d06be558
SHA256:	356f56cabcc406f1600831cbd209f3b177037986443a6e3681a54f1b6b25ce61
Tags:	exe
Infos:

Detection

ZTrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected ZTrat

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64

Telegram.exe (PID: 7580 cmdline: "C:\Users\user\Desktop\Telegram.exe" MD5: 15FBC3057D25E308E0832AD1A7D62E26)

netsh.exe (PID: 7612 cmdline: netsh firewall add allowedprogram"C:\Users\user\Desktop\Telegram.exe" "Telegram" ENABLE MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7680 cmdline: netsh firewall add allowedprogram"C:\Users\user\Desktop\Telegram.exe" "Telegram" ENABLE MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7776 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Telegram" /tr "C:\Users\user\Desktop\Telegram.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Telegram.exe (PID: 7848 cmdline: C:\Users\user\Desktop\Telegram.exe MD5: 15FBC3057D25E308E0832AD1A7D62E26)

Telegram.exe (PID: 7956 cmdline: C:\Users\user\Desktop\Telegram.exe MD5: 15FBC3057D25E308E0832AD1A7D62E26)

Telegram.exe (PID: 8044 cmdline: "C:\Users\user\Desktop\Telegram.exe" MD5: 15FBC3057D25E308E0832AD1A7D62E26)

Telegram.exe (PID: 7200 cmdline: "C:\Users\user\Desktop\Telegram.exe" MD5: 15FBC3057D25E308E0832AD1A7D62E26)

Telegram.exe (PID: 4948 cmdline: "C:\Users\user\Desktop\Telegram.exe" MD5: 15FBC3057D25E308E0832AD1A7D62E26)

Telegram.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\Telegram.exe" MD5: 15FBC3057D25E308E0832AD1A7D62E26)

Telegram.exe (PID: 7692 cmdline: C:\Users\user\Desktop\Telegram.exe MD5: 15FBC3057D25E308E0832AD1A7D62E26)

Telegram.exe (PID: 8072 cmdline: C:\Users\user\Desktop\Telegram.exe MD5: 15FBC3057D25E308E0832AD1A7D62E26)

Telegram.exe (PID: 2004 cmdline: C:\Users\user\Desktop\Telegram.exe MD5: 15FBC3057D25E308E0832AD1A7D62E26)

Telegram.exe (PID: 3744 cmdline: C:\Users\user\Desktop\Telegram.exe MD5: 15FBC3057D25E308E0832AD1A7D62E26)

cleanup

Malware Configuration

Threatname: ZTrat

{"Botnet": "|<'ZT_RAT_HF9j2z24DD8P'>|", "C2 url": "6.tcp.ngrok.io", "Port": 16963}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Telegram.exe	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1659524351.0000024D33552000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Telegram.exe.24d33550000.0.unpack	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\Desktop\Telegram.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Telegram.exe, ProcessId: 7580, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Telegram

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Telegram.exe, ProcessId: 7580, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Telegram.lnk

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Telegram.exe

Avira: detected

Antivirus detection for URL or domain

Source: 6.tcp.ngrok.io

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Recovery.exe

Avira: detection malicious, Label: HEUR/AGEN.1326753

Found malware configuration

Source: Telegram.exe

Malware Configuration Extractor: ZTrat {"Botnet": "|<'ZT_RAT_HF9j2z24DD8P'>|", "C2 url": "6.tcp.ngrok.io", "Port": 16963}

Multi AV Scanner detection for domain / URL

Source: 6.tcp.ngrok.io	Virustotal: Detection: 10%			Perma Link
Source: 6.tcp.ngrok.io	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Recovery.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\Recovery.exe	Virustotal: Detection: 69%			Perma Link

Multi AV Scanner detection for submitted file

Source: Telegram.exe

Virustotal: Detection: 54%

Perma Link

Yara detected ZTrat

Source: Yara match	File source: Telegram.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Telegram.exe.24d33550000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1659524351.0000024D33552000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Recovery.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Telegram.exe

Joe Sandbox ML: detected

Source: Telegram.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Telegram.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb` source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PluginLoader.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp, Recovery.exe.0.dr
Source:	Binary string: C:\StartupManager\StartupManager\obj\Debug\StartupManager.pdbP source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\AudioCapture\AudioCapture\obj\Debug\AudioCapture.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Microphone\Microphone\obj\Debug\Microphone.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\RemoteCamera\RemoteCamera\obj\Debug\RemoteCamera.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\StartupManager\StartupManager\obj\Debug\StartupManager.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\AudioCapture\AudioCapture\obj\Debug\AudioCapture.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 6.tcp.ngrok.io

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 3.140.223.7:16963

Source: global traffic

HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 3.140.223.7 3.140.223.7

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 6.tcp.ngrok.io
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: Telegram.exe	String found in binary or memory: http://ip-api.com/xml/?fields=country
Source: Telegram.exe	String found in binary or memory: http://ip-api.com/xml/?fields=countryCode
Source: Telegram.exe, 00000000.00000002.4120156003.0000024D35511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Yara detected ZTrat

Source: Yara match	File source: Telegram.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Telegram.exe.24d33550000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1659524351.0000024D33552000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Telegram.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Telegram.exe	Code function: 0_2_00007FFD9B8AE732	0_2_00007FFD9B8AE732
Source: C:\Users\user\Desktop\Telegram.exe	Code function: 0_2_00007FFD9B8AD986	0_2_00007FFD9B8AD986
Source: C:\Users\user\Desktop\Telegram.exe	Code function: 0_2_00007FFD9B8A4CB1	0_2_00007FFD9B8A4CB1

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\Recovery.exe 50BA6F23ECABABDAB3CE09CD1E93EDCE9539EB82E2D51C9A38D84CBD896EEEF2

Source: Telegram.exe, 0000000E.00000002.1953570852.000002AE31AB8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs Telegram.exe

Source: Telegram.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Recovery.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Telegram.exe, HBQ-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Telegram.exe, HBQ-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Recovery.exe.0.dr, NHo8Kxf1tmObMSoUDI.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Telegram.exe.24d4dd143dd.0.raw.unpack, ZT_RAT_Resolver.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telegram.exe.24d4dd143dd.0.raw.unpack, ZT_RAT_Resolver.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telegram.exe.24d4dc903d3.2.raw.unpack, ZT_RAT_Resolver.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telegram.exe.24d4dc903d3.2.raw.unpack, ZT_RAT_Resolver.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telegram.exe.24d4dd0efd8.1.raw.unpack, ZT_RAT_Resolver.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telegram.exe.24d4dd0efd8.1.raw.unpack, ZT_RAT_Resolver.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Telegram.exe, zRM-.cs

Base64 encoded string: 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xzaGVsbFxvcGVuXGNvbW1hbmQ=', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xzaGVsbFxvcGVuXGNvbW1hbmQ='

Source: Telegram.exe, zRM-.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Telegram.exe, zRM-.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Telegram.exe, RRQ-.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Telegram.exe, RRQ-.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/5@2/2

Source: C:\Users\user\Desktop\Telegram.exe

File created: C:\Users\user\AppData\Roaming\Recovery.exe

Jump to behavior

Source: C:\Users\user\Desktop\Telegram.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Users\user\Desktop\Telegram.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZT_RAT_2Y7YoUTCE2B5vRJ0cmaD35ygZS266f82X9
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03

Source: Telegram.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Telegram.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Telegram.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Telegram.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Telegram.exe

Virustotal: Detection: 54%

Source: Telegram.exe	String found in binary or memory: /add-window
Source: Telegram.exe	String found in binary or memory: /stop-wav
Source: Telegram.exe	String found in binary or memory: /stop-wav
Source: Telegram.exe	String found in binary or memory: Start!/enter-directory-/add-filemanager-items
Source: Telegram.exe	String found in binary or memory: <[Runned]> #/start-monitoring!/stop-monitoring!/run-file-memory
Source: Telegram.exe	String found in binary or memory: <[Runned]> #/start-monitoring!/stop-monitoring!/run-file-memory
Source: Telegram.exe	String found in binary or memory: /add-userTemp
Source: Telegram.exe	String found in binary or memory: /stop'/get-remote-desktop
Source: Telegram.exe	String found in binary or memory: /stop'/get-remote-desktop
Source: Telegram.exe	String found in binary or memory: /add-services
Source: Telegram.exe	String found in binary or memory: /stop-service
Source: Telegram.exe	String found in binary or memory: /stop-service
Source: Telegram.exe	String found in binary or memory: /add-processes

Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe "C:\Users\user\Desktop\Telegram.exe"
Source: C:\Users\user\Desktop\Telegram.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\Telegram.exe" "Telegram" ENABLE
Source: C:\Windows\System32\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Telegram.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\Telegram.exe" "Telegram" ENABLE
Source: C:\Windows\System32\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Telegram.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Telegram" /tr "C:\Users\user\Desktop\Telegram.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe C:\Users\user\Desktop\Telegram.exe
Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe C:\Users\user\Desktop\Telegram.exe
Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe "C:\Users\user\Desktop\Telegram.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe "C:\Users\user\Desktop\Telegram.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe "C:\Users\user\Desktop\Telegram.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe "C:\Users\user\Desktop\Telegram.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe C:\Users\user\Desktop\Telegram.exe
Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe C:\Users\user\Desktop\Telegram.exe
Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe C:\Users\user\Desktop\Telegram.exe
Source: unknown	Process created: C:\Users\user\Desktop\Telegram.exe C:\Users\user\Desktop\Telegram.exe
Source: C:\Users\user\Desktop\Telegram.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\Telegram.exe" "Telegram" ENABLE	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\Telegram.exe" "Telegram" ENABLE	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Telegram" /tr "C:\Users\user\Desktop\Telegram.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Telegram.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Telegram.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Telegram.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\Desktop\Telegram.exe

Source: C:\Users\user\Desktop\Telegram.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Telegram.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Telegram.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Telegram.exe

Static file information: File size 2874368 > 1048576

Source: Telegram.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2bd400

Source: Telegram.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb` source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PluginLoader.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp, Recovery.exe.0.dr
Source:	Binary string: C:\StartupManager\StartupManager\obj\Debug\StartupManager.pdbP source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\AudioCapture\AudioCapture\obj\Debug\AudioCapture.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Microphone\Microphone\obj\Debug\Microphone.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\RemoteCamera\RemoteCamera\obj\Debug\RemoteCamera.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\StartupManager\StartupManager\obj\Debug\StartupManager.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\AudioCapture\AudioCapture\obj\Debug\AudioCapture.pdb source: Telegram.exe, 00000000.00000002.4126840860.0000024D4DC90000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Telegram.exe, GTs-.cs	.Net Code: HDs_003D System.Reflection.Assembly.Load(byte[])
Source: Telegram.exe, JhQ-.cs	.Net Code: KBQ_003D
Source: Telegram.exe, zRM-.cs	.Net Code: _5hM_003D System.Reflection.Assembly.Load(byte[])
Source: Telegram.exe, zRM-.cs	.Net Code: _5hM_003D
Source: Telegram.exe, zRM-.cs	.Net Code: vRM_003D System.Reflection.Assembly.Load(byte[])
Source: Telegram.exe, zRM-.cs	.Net Code: vRM_003D
Source: Recovery.exe.0.dr, NHo8Kxf1tmObMSoUDI.cs	.Net Code: NWcBDLfA2xZ1tRDixM System.Reflection.Assembly.Load(byte[])

Source: Recovery.exe.0.dr

Static PE information: section name: .text entropy: 7.971057347412118

Source: Recovery.exe.0.dr, NHo8Kxf1tmObMSoUDI.cs	High entropy of concatenated method names: 'Y7u4B2dCuk', 'Da54reTuLO', 'uYj4gKIhw5', 'njP4PBod3Y', 'HdT4QBGQ0b', 'Qyq4AxML9R', 'fhc49cm4i2', 'aOx4MWC618', 'U554ObJImv', 'HPJ40rcGf5'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs	High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'kYd4vQX9Yy', 'tLYhl8JOA1PxR', 'AHW2wpGmj', 'mIwlVflxN', 'O8KfDo4M0', 'XIXqirSmE', 'mmVBvHpT6', 'K39rOyNI0', 'MLogIiUCe'

Source: C:\Users\user\Desktop\Telegram.exe

File created: C:\Users\user\AppData\Roaming\Recovery.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Telegram.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Telegram" /tr "C:\Users\user\Desktop\Telegram.exe"

Source: C:\Users\user\Desktop\Telegram.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Telegram.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Telegram.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Telegram.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Telegram.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Telegram	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Telegram	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Telegram	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Telegram	Jump to behavior

Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Telegram.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 24D35300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 24D4D510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 1E7305C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 1E74A100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 26D062A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 26D20090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 13F44BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 13F5E640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 25CA70A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 25CC0B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 2AE31CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 2AE4B700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 29173E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 29175890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 1CFC4980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 1CFDE420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 1DFEFCC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 1DFF1720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 21008800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 21022280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 1C61A290000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\Telegram.exe	Memory allocated: 1C6323B0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Telegram.exe	Window / User API: threadDelayed 798	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Window / User API: threadDelayed 3821	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Window / User API: threadDelayed 4999	Jump to behavior

Source: C:\Users\user\Desktop\Telegram.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Recovery.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Telegram.exe TID: 7868	Thread sleep count: 166 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 7860	Thread sleep count: 798 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 7860	Thread sleep time: -3192000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 7584	Thread sleep count: 3821 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 7584	Thread sleep time: -38210s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 7860	Thread sleep count: 4999 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 7860	Thread sleep time: -19996000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 7896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 7976	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 8072	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 7264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 5600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 3844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 7684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 8040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 5600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Thread delayed: delay time: 922337203685477

Source: netsh.exe, 00000001.00000003.1668297766.000001509D5A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: Telegram.exe, 00000000.00000002.4128644657.0000024D4E034000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWfl%SystemRoot%\system32\mswsock.dll<workflowInstanceQuery>
Source: netsh.exe, 00000003.00000003.1669753876.00000213CC997000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Telegram.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Telegram.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Telegram.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Telegram" /tr "C:\Users\user\Desktop\Telegram.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telegram.exe	Queries volume information: C:\Users\user\Desktop\Telegram.exe VolumeInformation

Source: C:\Users\user\Desktop\Telegram.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\Desktop\Telegram.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\Telegram.exe" "Telegram" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\Telegram.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\Telegram.exe" "Telegram" ENABLE

Source: Telegram.exe, 00000000.00000002.4128644657.0000024D4E0D0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Telegram.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected ZTrat

Source: Yara match	File source: Telegram.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Telegram.exe.24d33550000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1659524351.0000024D33552000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Yara detected ZTrat

Source: Yara match	File source: Telegram.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Telegram.exe.24d33550000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1659524351.0000024D33552000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	21 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Telegram.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: ZTrat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Telegram.exe