File name:

tsetup-x64.5.4.0.exe

Full analysis: https://app.any.run/tasks/125c149e-a1ad-45a3-8a72-16486e0a4142
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 25, 2024, 21:40:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

45177991CB1978D5CB3C06461AE8BE12

SHA1:

C2AA0581C86EAE32CC3D7DA720BF5E7B6E019E0E

SHA256:

B9C5F836DCBEF426B53B882FA4CD0CBEBD9C43F1734FC20B5001AB9823B8A318

SSDEEP:

393216:pozVaHvDnuGKXVbu6UXczxYiJL7DlHlWI/eDVi8oFQFa:K5kuFY1wVJX5ui8oFQFa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • tsetup-x64.5.4.0.tmp (PID: 6572)
      • Telegram.exe (PID: 1656)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • tsetup-x64.5.4.0.tmp (PID: 6572)
      • tsetup-x64.5.4.0.exe (PID: 2136)
    • Drops the executable file immediately after the start

      • tsetup-x64.5.4.0.exe (PID: 2136)
      • tsetup-x64.5.4.0.tmp (PID: 6572)
    • Reads the date of Windows installation

      • Telegram.exe (PID: 1656)
    • Reads the Windows owner or organization settings

      • tsetup-x64.5.4.0.tmp (PID: 6572)
    • Process drops legitimate windows executable

      • tsetup-x64.5.4.0.tmp (PID: 6572)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Telegram.exe (PID: 1656)
  • INFO

    • Create files in a temporary directory

      • tsetup-x64.5.4.0.exe (PID: 2136)
      • tsetup-x64.5.4.0.tmp (PID: 6572)
      • Telegram.exe (PID: 1656)
    • Reads the computer name

      • tsetup-x64.5.4.0.tmp (PID: 6572)
      • Telegram.exe (PID: 1656)
    • Checks supported languages

      • tsetup-x64.5.4.0.tmp (PID: 6572)
      • tsetup-x64.5.4.0.exe (PID: 2136)
      • Telegram.exe (PID: 1656)
    • Checks proxy server information

      • Telegram.exe (PID: 1656)
    • Creates files or folders in the user directory

      • tsetup-x64.5.4.0.tmp (PID: 6572)
      • Telegram.exe (PID: 1656)
    • Creates a software uninstall entry

      • tsetup-x64.5.4.0.tmp (PID: 6572)
    • Reads the machine GUID from the registry

      • Telegram.exe (PID: 1656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 16:10:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 71680
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 5.4.0.0
ProductVersionNumber: 5.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Telegram FZ-LLC
FileDescription: Telegram Desktop Setup
FileVersion: 5.4.0
LegalCopyright: Telegram FZ-LLC 2014-2024
OriginalFileName:
ProductName: Telegram Desktop
ProductVersion: 5.4
No data.
All screenshots are available in the full report
Total processes
120
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Process chain: start → tsetup-x64.5.4.0.exe → tsetup-x64.5.4.0.tmp → telegram.exe

Process information

PID: 1656
CMD: "C:\Users\admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
Path: C:\Users\admin\AppData\Roaming\Telegram Desktop\Telegram.exe
Parent process: tsetup-x64.5.4.0.tmp
User:
admin
Company:
Telegram FZ-LLC
Integrity Level:
MEDIUM
Description:
Telegram Desktop
Version:
5.4.0.0
Modules
Images
c:\users\admin\appdata\roaming\telegram desktop\telegram.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 2136
CMD: "C:\Users\admin\Desktop\tsetup-x64.5.4.0.exe"
Path: C:\Users\admin\Desktop\tsetup-x64.5.4.0.exe
Parent process: explorer.exe
User:
admin
Company:
Telegram FZ-LLC
Integrity Level:
MEDIUM
Description:
Telegram Desktop Setup
Exit code:
0
Version:
5.4.0
Modules
Images
c:\users\admin\desktop\tsetup-x64.5.4.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6572
CMD: "C:\Users\admin\AppData\Local\Temp\is-3O2L7.tmp\tsetup-x64.5.4.0.tmp" /SL5="$603C8,44821718,814592,C:\Users\admin\Desktop\tsetup-x64.5.4.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-3O2L7.tmp\tsetup-x64.5.4.0.tmp
Parent process: tsetup-x64.5.4.0.exe
User:
admin
Company:
Telegram FZ-LLC
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-3o2l7.tmp\tsetup-x64.5.4.0.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
Total events
9 780
Read events
9 737
Write events
37
Delete events
6

Modification events

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value:
AC190000017A657B37F7DA01

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value:
44CDF2E60FDA966B0F8F4EC0DFD9B155F4CE0A37372C6B85F184447AC089B2EE

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value:
1

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value:
C:\Users\admin\AppData\Roaming\Telegram Desktop\Telegram.exe

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value:
457FD9BAAA8477B129007B5501335868C765D231E7C2213EFB2E77C782C7F047

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
Operation: write
Name: Inno Setup: Setup Version
Value:
6.2.1

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
Operation: write
Name: Inno Setup: App Path
Value:
C:\Users\admin\AppData\Roaming\Telegram Desktop

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
Operation: write
Name: InstallLocation
Value:
C:\Users\admin\AppData\Roaming\Telegram Desktop\

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
Operation: write
Name: Inno Setup: Icon Group
Value:
Telegram Desktop

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
Operation: write
Name: Inno Setup: User
Value:
admin
Executable files
8
Suspicious files
72
Text files
7
Unknown types
0

Dropped files

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\is-ICLK2.tmp
Type:
MD5:
SHA256:

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\Telegram.exe
Type:
MD5:
SHA256:

PID: 2136
Process: tsetup-x64.5.4.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-3O2L7.tmp\tsetup-x64.5.4.0.tmp
Type: executable
MD5: 7BF93D8A0F6378E86596F8990D73AF73
SHA256: 44029F87CE4A37F2A6D42A8BED5A214BA5248C52D27F8B12F28671943114A7E8

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\Updater.exe
Type: executable
MD5: F061D9FA563D2BAD5058655F8CE8951A
SHA256: 44870CF5ADB12108744B0AA5A535CE0F469B8E4509428C1D515829237EEB8808

PID: 1656
Process: Telegram.exe
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\tdata\emoji\cache_24_0
Type: binary
MD5: 12C4BA6A0DE449F15E431A08106E9CAC
SHA256: 6C25A4F25C152CF981427C584FA367259AFC5CA43E178E2B504575C9C98765C3

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\is-SBJ1O.tmp
Type: executable
MD5: F061D9FA563D2BAD5058655F8CE8951A
SHA256: 44870CF5ADB12108744B0AA5A535CE0F469B8E4509428C1D515829237EEB8808

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\is-K3Q9I.tmp
Type: executable
MD5: 7BF93D8A0F6378E86596F8990D73AF73
SHA256: 44029F87CE4A37F2A6D42A8BED5A214BA5248C52D27F8B12F28671943114A7E8

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\unins000.msg
Type: binary
MD5: 313D0CC5D1A64D2565E35937991775A6
SHA256: 5ED0233C0922E9F20307315E24B4F33C3D56AB9F42B2F75AE91E7A27FD313B66

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Telegram Desktop\Telegram.lnk
Type: binary
MD5: E18C6158AEFA876AE023B21ECB05C9C4
SHA256: CF5F14EDD707795425D204170A2E1B4DE8255E5069F6EE389A40F70073613436

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\unins000.dat
Type: dat
MD5: 3998551F8918CF7FFC686E4E6F525DFA
SHA256: 20A90AAE4FBFED33E6D0E8E927C2F073F41DBB7F6A9BC7D397FAF6FE786AE3F9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
170
TCP/UDP connections
108
DNS requests
13
Threats
140

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1656
Telegram.exe
POST
200
95.161.76.100:80
http://95.161.76.100:80/api
unknown
unknown
GET
1.0.0.1:443
https://mozilla.cloudflare-dns.com/dns-query?name=apv3.stel.com&type=16&random_padding=2xB3D3paWBVBLZiO8Cwe1s7t6D1bLKeKVpnqCGrNhmDPHy0bb8xbKRprV3RNJtJc6ioeEEHuSeOLOTytz1eUBnAV6fBB5YrC6TeG5vQdv4ATB4fPre7dDg8nNcOOR
unknown
unknown
GET
149.154.167.99:443
https://td.telegram.org/tx64/tx64upd5004001
unknown
unknown
1656
Telegram.exe
POST
200
149.154.167.51:80
http://149.154.167.51:80/api
unknown
unknown
1656
Telegram.exe
POST
149.154.167.51:80
http://149.154.167.51:80/api
unknown
unknown
1656
Telegram.exe
POST
149.154.175.100:80
http://149.154.175.100:80/api
unknown
unknown
1656
Telegram.exe
POST
149.154.175.100:80
http://149.154.175.100:80/api
unknown
unknown
1656
Telegram.exe
POST
95.161.76.100:80
http://95.161.76.100:80/api
unknown
unknown
1656
Telegram.exe
POST
149.154.167.51:80
http://149.154.167.51:80/api
unknown
unknown
GET
172.217.16.138:443
https://firestore.googleapis.com/v1/projects/reserve-5a846/databases/(default)/documents/ipconfig/v3
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
3540
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1656
Telegram.exe
149.154.167.51:443
Telegram Messenger Inc
GB
unknown
1656
Telegram.exe
95.161.76.100:443
Telegram Messenger Inc
AG
unknown
1656
Telegram.exe
95.161.76.100:80
Telegram Messenger Inc
AG
unknown
1656
Telegram.exe
149.154.167.51:80
Telegram Messenger Inc
GB
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
  • 142.250.184.238
whitelisted
td.telegram.org
  • 149.154.167.99
whitelisted
mozilla.cloudflare-dns.com
  • 162.159.61.4
  • 172.64.41.4
whitelisted
dns.google.com
  • 8.8.8.8
  • 8.8.4.4
whitelisted
firebaseremoteconfig.googleapis.com
  • 142.250.184.202
  • 142.250.186.74
  • 142.250.185.202
  • 216.58.212.138
  • 142.250.181.234
  • 216.58.212.170
  • 142.250.185.234
  • 142.250.185.170
  • 216.58.206.42
  • 142.250.184.234
  • 142.250.186.106
  • 216.58.206.74
  • 142.250.186.42
  • 172.217.16.202
  • 142.250.185.74
  • 172.217.18.10
whitelisted
google.ru
  • 142.250.186.99
whitelisted
firestore.googleapis.com
  • 172.217.16.138
whitelisted
www.google.ru
  • 142.250.186.163
whitelisted
www.google.com
  • 142.250.185.228
whitelisted

Threats

PID
Process
Class
Message
1656
Telegram.exe
Misc activity
ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
1656
Telegram.exe
Misc activity
ET INFO Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI)
138 ETPRO signatures available at the full report
Process
Message
Telegram.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.