fatalrat | aa3f58f228d9d0ef44417c33aa03e3d3c7b3cfde67c0db70a9d21fb8b5cb981c

Analysis

max time kernel
302s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Size

44.9MB
MD5

66a1e1458b9790758f8b985ffb582383
SHA1

670d1185dad515b8b963717b249da3641f8c9b14
SHA256

06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787
SHA512

3d1a20ff2f5584e14e10cf2d4cd8aefeeec9335cf1308c5d91d1bcb576a8598247f006d2112833c2f5d36fce88b2cdef726c20f6ca95de31a0c13b822afd5ca1
SSDEEP

786432:tKatKpswghEMxrpw+en0PYisnDpCf4YiHfaVC4JL4DJvuk7RuPq0yUkmSH592gU2:tXs2r3gVnYiHAC41e5uuRuPK1H59G8px

Score

10^/10

fatalrat infostealer persistence rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/3844-6854-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 4 IoCs

pid	Process
2448	FTvrst.exe
3844	spolsvt.exe
4144	audidog.exe
2316	Telegram.exe

Loads dropped DLL 19 IoCs

pid	Process
1356	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
3452	MsiExec.exe
3452	MsiExec.exe
3452	MsiExec.exe
3452	MsiExec.exe
3452	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe
2724	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\FTvrst.exe"	FTvrst.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\T:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\V:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\W:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\J:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\Z:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\N:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\S:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\M:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\R:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\X:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\Q:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\K:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\O:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\P:	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 46 IoCs

pid	Process
2448	FTvrst.exe
2448	FTvrst.exe
2448	FTvrst.exe
2448	FTvrst.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe
4144	audidog.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 3844	2448	FTvrst.exe	114

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_6	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\log.txt	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.yRbCbR	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.iwkLCx	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.uvGMyi	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.ccTITP	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\log_start0.txt	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.CMfeMj	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas.CMfeMj	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C0	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.dRVMPN	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\log.txt	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.ivljfr	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\tupdate4008003	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.mdrssw	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\spoiler\text	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.iwkLCx	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.XxdYAP	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\opengl_crash_check	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.dRVMPN	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_0	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.yRbCbR	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_6	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.YIQeuh	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Telegram.exe	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\modules\x86\d3d\d3dcompiler_47.dll	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\A7FDF864FBC10B77s	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_3	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.nQVxah	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_4	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_2	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_4	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-custom.json	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\tdata\version	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\usertag	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A944101708800	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s.OrATKG	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\ready	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_2	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_5	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.CWNxDs	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.uvGMyi	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\7B7D9BF38A42FD50s.ivljfr	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.nQVxah	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s	msiexec.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\shortcuts-default.json	msiexec.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\working	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.IUHLUh	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.IUHLUh	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\countries	msiexec.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_5	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\0469A94410170880s.YIQeuh	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\settingss.AKxZre	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_18_1	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\emoji\cache_24_1	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8Cs.CWNxDs	Telegram.exe
File opened for modification	C:\Program Files (x86)\Telegram X\Telegram中文版\tupdates\temp\Updater.exe	Telegram.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\90AB52E6EF1558C8s	msiexec.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\key_datas	msiexec.exe
File created	C:\Program Files (x86)\Telegram X\Telegram中文版\tdata\D877F783D5D3EF8C\configs.oAHEFe	Telegram.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e58877b.msi	msiexec.exe
File created	C:\Windows\DNomb\Mpec.mbt	msiexec.exe
File created	C:\WINDOWS\DNombaudidog.exe	audidog.exe
File opened for modification	C:\Windows\Installer\MSI8930.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\DNomb\FTvrst.exe	msiexec.exe
File created	C:\Windows\DNomb\spolsvt.exe	msiexec.exe
File created	C:\Windows\DNomb\audidog.exe	msiexec.exe
File created	C:\Windows\Installer\e58877b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C02.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{463B1E3F-726C-45AE-BA5B-6DD11BC72C1C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DB7.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000081ef621b6f8a8ae20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000081ef621b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff00000000070001000068090081ef621b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff00000000070001000068091981ef621b000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000081ef621b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\DefaultIcon	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\ = "URL:Telegram Link"	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open\command	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Program Files (x86)\\Telegram X\\Telegram中文版\\Telegram.exe,1\""	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\URL Protocol	Telegram.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2316	Telegram.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3184	msiexec.exe
3184	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3184	msiexec.exe
Token: SeCreateTokenPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeAssignPrimaryTokenPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeLockMemoryPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeIncreaseQuotaPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeMachineAccountPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeTcbPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSecurityPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeTakeOwnershipPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeLoadDriverPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemProfilePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemtimePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeProfSingleProcessPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeIncBasePriorityPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreatePagefilePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreatePermanentPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeBackupPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeRestorePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeShutdownPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeDebugPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeAuditPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemEnvironmentPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeChangeNotifyPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeRemoteShutdownPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeUndockPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSyncAgentPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeEnableDelegationPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeManageVolumePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeImpersonatePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreateGlobalPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreateTokenPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeAssignPrimaryTokenPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeLockMemoryPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeIncreaseQuotaPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeMachineAccountPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeTcbPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSecurityPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeTakeOwnershipPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeLoadDriverPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemProfilePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemtimePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeProfSingleProcessPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeIncBasePriorityPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreatePagefilePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreatePermanentPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeBackupPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeRestorePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeShutdownPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeDebugPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeAuditPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSystemEnvironmentPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeChangeNotifyPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeRemoteShutdownPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeUndockPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeSyncAgentPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeEnableDelegationPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeManageVolumePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeImpersonatePrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreateGlobalPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeCreateTokenPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeAssignPrimaryTokenPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeLockMemoryPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeIncreaseQuotaPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
Token: SeMachineAccountPrivilege	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
3544	msiexec.exe
3544	msiexec.exe
2316	Telegram.exe
2316	Telegram.exe
2316	Telegram.exe
2316	Telegram.exe
2316	Telegram.exe
2316	Telegram.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2316	Telegram.exe
2316	Telegram.exe
2316	Telegram.exe
2316	Telegram.exe
2316	Telegram.exe
2316	Telegram.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2448	FTvrst.exe
2448	FTvrst.exe
4144	audidog.exe
4144	audidog.exe
2316	Telegram.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 1356	3184	msiexec.exe	88
PID 3184 wrote to memory of 1356	3184	msiexec.exe	88
PID 3184 wrote to memory of 1356	3184	msiexec.exe	88
PID 376 wrote to memory of 3544	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe	89
PID 376 wrote to memory of 3544	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe	89
PID 376 wrote to memory of 3544	376	06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe	89
PID 3184 wrote to memory of 2724	3184	msiexec.exe	91
PID 3184 wrote to memory of 2724	3184	msiexec.exe	91
PID 3184 wrote to memory of 2724	3184	msiexec.exe	91
PID 2724 wrote to memory of 2704	2724	MsiExec.exe	98
PID 2724 wrote to memory of 2704	2724	MsiExec.exe	98
PID 2724 wrote to memory of 2704	2724	MsiExec.exe	98
PID 3184 wrote to memory of 2176	3184	msiexec.exe	107
PID 3184 wrote to memory of 2176	3184	msiexec.exe	107
PID 3184 wrote to memory of 3452	3184	msiexec.exe	109
PID 3184 wrote to memory of 3452	3184	msiexec.exe	109
PID 3184 wrote to memory of 3452	3184	msiexec.exe	109
PID 2724 wrote to memory of 2448	2724	MsiExec.exe	112
PID 2724 wrote to memory of 2448	2724	MsiExec.exe	112
PID 2724 wrote to memory of 2448	2724	MsiExec.exe	112
PID 2448 wrote to memory of 3844	2448	FTvrst.exe	114
PID 2448 wrote to memory of 3844	2448	FTvrst.exe	114
PID 2448 wrote to memory of 3844	2448	FTvrst.exe	114
PID 2448 wrote to memory of 3844	2448	FTvrst.exe	114
PID 2448 wrote to memory of 3844	2448	FTvrst.exe	114
PID 2448 wrote to memory of 3844	2448	FTvrst.exe	114
PID 2448 wrote to memory of 3844	2448	FTvrst.exe	114
PID 2448 wrote to memory of 3844	2448	FTvrst.exe	114
PID 2448 wrote to memory of 4144	2448	FTvrst.exe	115
PID 2448 wrote to memory of 4144	2448	FTvrst.exe	115
PID 2448 wrote to memory of 4144	2448	FTvrst.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
"C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1687843898 "
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:3544

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 38484FF2BED28525FBB7B671FB537640 C
  2⤵
  - Loads dropped DLL
  PID:1356
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 09C4BAA69F83110CCD53A4A65C4F0C9F C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe
    "C:\Users\Admin\AppData\Local\Temp\06583e57b016025cd46fa7362fb6c063515940f70fc7e785df1527b8df22d787.exe" /groupsextract:100; /out:"C:\Users\Public" /callbackid:2724
    3⤵
    PID:2704
- - C:\Users\Public\tg\FTvrst.exe
    "C:\Users\Public\tg\FTvrst.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\WINDOWS\DNomb\spolsvt.exe
      C:\WINDOWS\DNomb\spolsvt.exe
      4⤵
      Executes dropped EXE
      PID:3844
  - - C:\WINDOWS\DNomb\audidog.exe
      C:\WINDOWS\DNomb\audidog.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4144
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2176
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7FD4C073B37BF23A6C16226E80CC0715
  2⤵
  - Loads dropped DLL
  PID:3452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4508

C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe
"C:\Program Files (x86)\Telegram X\Telegram中文版\Telegram.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58877c.rbs

Filesize
4KB

MD5
7c23184b471060f50caee8f669f5f0d6

SHA1
3a77fd5ef4e8aea87cb519aaaf575c2a6d59f541

SHA256
43a9325c0a0a8a6032609768d568062bab771e48283e165519f52e89d332c80c

SHA512
f6cdd55d884802e557664b860ecfe9f770766fed998d82d3b29da2559f6ff1bc95ae36f9050ae1c1d0f1a17651714f437231b646bb51163d5452d6ef1bf34977

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1791.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1791.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI346F.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI346F.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3865.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3865.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI39AE.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI39AE.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI39AE.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3A4C.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3A4C.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3ACA.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3ACA.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3DF7.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3DF7.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3F31.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3F31.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3FDE.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3FDE.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA9D4.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA9D4.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAA90.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAA90.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAA90.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAADB.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAADB.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB09C.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB09C.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\Telegram.exe

Filesize
101.1MB

MD5
5a6de14a436de1c22e6f328fa40c4835

SHA1
454f68ad0a02cb29d3f11a0f4f187b6b384994d9

SHA256
663726ede77de2960f7b53c85b1eb19af394e1710d43ef7718ae832067d0a2ce

SHA512
1a4406b6b6fdccd9ec105932b790c0a0599dd0b74cd7c0afe17b3c655c595230cb753bfc2c1a6b7e1577ca5d825e5c3a2e827a9f8b3acf51bb41ffaddde3c552

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\Mpec.mbt

Filesize
93KB

MD5
e3c9c776015c5b25b99ae3913988548d

SHA1
8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9

SHA256
04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e

SHA512
4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\WindowsFolder\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\0469A94410170880s

Filesize
306KB

MD5
237b2bc4ba380664d0e69d95bfbdca62

SHA1
42fb204f0fb1b5a1e7d7152070accee988747198

SHA256
bfb3af061014f48924f4412402ee99f566725932e80f8a27c5bc429544b0dad6

SHA512
15bd8b90b1508e40e5e20b4630cf69f3ff597cb11768d78528a0db4a9ef3fd6f20aa1e93cf0b945bff3d6864d4182e1ac4cb33f0d3c83462d6db7c3d53bc2741

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\7B7D9BF38A42FD50s

Filesize
140B

MD5
4d28d8121c1365d8b66048804cf85431

SHA1
e19b061f138c52b1a67c123fd8cff8d2f6f3e7ce

SHA256
f620154eb8472755c58e631803e45e08279e5f70b381aa71bfc256a4f06fe6eb

SHA512
4ef49fb867af0894fa42537832bfd567a0fc6e1f9fbd6966cac6215b30d91617f43acfb3b20b62a6f43163162a0f2123dc8e2ad36f493b5c3b9202689c54a482

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\90AB52E6EF1558C8s

Filesize
220B

MD5
0aa0727f6230692e520295abca999a94

SHA1
2dca6accd906adf49bfd4cfa93b2d862a9c29651

SHA256
9676ed8e4497fab0d92b1e2c8c63dec8b9f309db8e379ffbbff919d3c6762e10

SHA512
8d0633ef21107c7e5ca4f4ba50ba762bf62956c5bcd3ccfc3ab9b7845bb2a5388b5bacd7c9ddff0b2c7d0b4ed761c15ebb437deb912cf4a573a1fab5e328093d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\A7FDF864FBC10B77s

Filesize
1KB

MD5
72339e5b4ca4743c2c1313c90fa38b27

SHA1
8123ac4d35080c0c397478845b2ab16944636bae

SHA256
6a8a6995f4f87336681017417d6ae78223cd725e1118c4e336c93e203c17a9e4

SHA512
3eb657959bdfc0b30124a7e087d44b33aa7814ee9a18a20205b5debc1b290754024d8529174f3e17646fae77339d28a02312584bd6bda7021ad5b59c67d6fa0d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\D877F783D5D3EF8Cs

Filesize
1KB

MD5
e58b4c34a563191cfee1d6d617a78216

SHA1
83ff6975bacf2f4e5ff44dbf5f8de38f7dd7f437

SHA256
729c64f4ee746214839002d6e79bd82baebc2eba5e38e47307e65fcf25a83cf1

SHA512
3d875550e6f0f43cc1306f3eb2f83d2b5a06ddc211dcd03c31abc0cce0350481b19015adde62ed8632b8a902138c345e6f7c533be50a55343566903e8d593eeb

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\F8806DD0C461824Fs

Filesize
1KB

MD5
fb9a1cbbd1b3531943eecfefa15df5de

SHA1
0295ac1bdc3a668a5f488e6c98a34ad71a53c67b

SHA256
438c768ac7851e93d1081c4291c2b14c250b7cc847050d7716626ab3948760d8

SHA512
abc104efdbf46c9ff9621e9d3c7e3be2d803208e62b63658a1a7f94c8deb823302896b0878c8d9f4962045a7d257afe51047b1ff73f64c2f8e440680a3ef1e60

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\countries

Filesize
20KB

MD5
5d1f2b862acb26f8353cb1d178a2116f

SHA1
e3989f717bb652b4ee3fd18e4dc3f2e0193c75bd

SHA256
3d6d4e33dcaeff17425ea9451d37bb9c866d711d6ece51ef5c09d2fbd296e85e

SHA512
adb1ef7675a0292b236aafdd923be94705eb7ea7baf25a0d3c001fba2014b8f90473375e96739d8af43a7bd9a123f1ce38c532516da3d1a46db50bf66a0c1a73

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\key_datas

Filesize
388B

MD5
eb7e5e1d7636232186c42fe52b7611b6

SHA1
ae235dcf06db5931e082155da14936ed7c7db2fb

SHA256
66d374699b23bd425bb68f5480785ae70f0f87f2e5948d0bd51ce7838fdb706a

SHA512
813d9318d6937ba6a6def9bd676a26999cb97e0f0b744c0a99174d4fd6163414cff9f5195d420fdd7cdc86442cceb7a7130ad0fe2f93ab5d961381b90df859e5

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\prefix

Filesize
24B

MD5
3fb9de9c3edf4abc3a42deaf14dfa8d6

SHA1
d02d2382706bffb38831acfcce62e720a6d55733

SHA256
84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28

SHA512
7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\settingss

Filesize
2KB

MD5
d149ddf991c084294f019fc76161fb15

SHA1
d42777f18ed62c3f4c8ff5d326f63fccfe06d454

SHA256
9afef05acbb201afd6007584482f01c93628484d9d80858f8cb67ef9f0c18875

SHA512
f45c7fc6ba1e192b41fcb267572a81342eb2657f9025181b5be660095c19e7d39c50190fe62ee400d7d1cf8132fb757cbd90222f8ba6aad91d3458bd82de6da6

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-custom.json

Filesize
404B

MD5
874b930b4c2fddc8043f59113c044a14

SHA1
75b14a96fe1194f27913a096e484283b172b1749

SHA256
f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8

SHA512
f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\shortcuts-default.json

Filesize
2KB

MD5
a56b95951d30537236b8a4b5792abbe4

SHA1
ca418e143fa5bf6930cea986f2f02914ba2b34c8

SHA256
422a4c74d98877f87f5d3eb6f70a903782d00e362e9fca75f06a1f84be387808

SHA512
20f2fa66f02ff3da80ec67ff89a232bd6642051702a6ddd94fb382980b46502ca0bda8ba09793fae2f068b4dc18c80ab0186e6426af9760670e8a328ef3c1e95

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\tdata\usertag

Filesize
8B

MD5
87ccdff6d764416c75d4aa695f9be3e4

SHA1
d4c197cb78f5e5f62aef16af3840d3be0509020a

SHA256
e02453e232a9fdc9446885a629109231c07b35f8d2adf886e010cdf07685fdec

SHA512
0224a43341ad897613a233b9b170d4ed523ac45d8d13ab8ae023c6c0b266cb7b68abf3e365f3474045d103f6ce7682d009719592578b601edfceab31d678dca5

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi

Filesize
1.7MB

MD5
f4adbf929ac90c4a9fff6142b5daa670

SHA1
9d0c56596957d04bb9582a2e0e556dbe7977e9c1

SHA256
e79ef9535612ba30be0b07a9666d0fe26466eca698a1dbf5a014b176def2df7a

SHA512
ffed2c3da71bb4c6f66c04152df70a2756cc49c7c3eeb4940c08d43bf6e58b7c1656a4915b96f5e87f561ed715c47c68419d4ae89082b221f5e8e0a147aa3a38

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram X\Telegram中文版 1.2.3\install\BC72C1C\飞机.msi

Filesize
1.7MB

MD5
f4adbf929ac90c4a9fff6142b5daa670

SHA1
9d0c56596957d04bb9582a2e0e556dbe7977e9c1

SHA256
e79ef9535612ba30be0b07a9666d0fe26466eca698a1dbf5a014b176def2df7a

SHA512
ffed2c3da71bb4c6f66c04152df70a2756cc49c7c3eeb4940c08d43bf6e58b7c1656a4915b96f5e87f561ed715c47c68419d4ae89082b221f5e8e0a147aa3a38

Download Submit
C:\Users\Public\tg\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Users\Public\tg\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\WINDOWS\DNomb\Mpec.mbt

Filesize
93KB

MD5
e3c9c776015c5b25b99ae3913988548d

SHA1
8b00bc9e7d0e24e56da14bfd7f41aa482cdae8a9

SHA256
04e8a2953aa566fb433eab669cf35bfa3240353ab8cec1457b3a75263178c96e

SHA512
4995cf0660485aa615ac3c54bfc554ca4d6fbc54019133cb51046c3badadc28591783d185345ef889ab731c9dc853f74ee025843e0221ea08f7c3ac700f8cc10

Download Submit
C:\WINDOWS\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\WINDOWS\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\FTvrst.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Windows\DNomb\audidog.exe

Filesize
2.2MB

MD5
3a9c682b077bc044b21131216bdf6304

SHA1
afdd419f084b56838c7eb07ff2b28ff9b960e27e

SHA256
8beaa45a7ca8a10127ed2e359be90f856a4ac0b87ed31e57a59aadc58ad94cc8

SHA512
99a2d2ce97a50791ddac4caa359bc335e404ad4f1ec3bdc5e3df6917e9c6eceba2d7c821eb0728e9d0989df1d021625db7ab962c1ebf705f8770090501d64b14

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\Installer\MSI8930.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI8930.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI8A3B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI8A3B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI8A99.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI8A99.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI8C02.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI8C02.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI8CDE.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI8CDE.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
1f29e3557c40597e3a0cb92cc80b312d

SHA1
95b496b43ccc3e18d40b99ed66d7984125d285ac

SHA256
69f9ce856fe79d411d97c4b7251b3698cc59d3e7ae2b13222d22143cf816e35a

SHA512
6fdcf1bdb9f3ba65eef28a8a1ba0f44af0fa502210ecb7ab2974b9416c1e7b0db22025b431ccc68f37f4fb4004ad8f70c84e272c32665d2caf29fd9923cc8a1c

Download Submit
\??\Volume{1b62ef81-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f55d956f-4091-439a-8c45-734e49c0dda8}_OnDiskSnapshotProp

Filesize
5KB

MD5
86d616502ed4bd6d2e806e238c7bc98a

SHA1
ddefde442420a6b872bc1dd3bcce5f728a622276

SHA256
9cd7ffdde6dbda7bab25a2c841ef7a365bb367aa40f31d17a62e5c016843f54c

SHA512
223d14480ed620969f76bac4b02d3d1394d2367545e7dd0a70b83d12cec919c757d4f41265615190f8c4140b72df792aa8eaf762b56cf43b636504304594d6f4

Download Submit
memory/2316-13417-0x0000000008EA0000-0x0000000008EB0000-memory.dmp

Filesize
64KB

Download
memory/2316-13474-0x0000000008EA0000-0x0000000008EB0000-memory.dmp

Filesize
64KB

Download
memory/2448-6840-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2448-298-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2448-10405-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2448-2239-0x00000000765F0000-0x0000000076790000-memory.dmp

Filesize
1.6MB

Download
memory/2448-6841-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2448-3244-0x0000000075790000-0x000000007580A000-memory.dmp

Filesize
488KB

Download
memory/2448-6839-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2448-6838-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2448-3387-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2448-301-0x0000000075BE0000-0x0000000075DF5000-memory.dmp

Filesize
2.1MB

Download
memory/2448-6859-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/2448-6860-0x0000000002C50000-0x0000000002D50000-memory.dmp

Filesize
1024KB

Download
memory/3844-6850-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3844-6854-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/3844-6846-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3844-6844-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3844-6845-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4144-9805-0x0000000075790000-0x000000007580A000-memory.dmp

Filesize
488KB

Download
memory/4144-8800-0x00000000765F0000-0x0000000076790000-memory.dmp

Filesize
1.6MB

Download
memory/4144-12492-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/4144-13404-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/4144-13405-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/4144-13406-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/4144-13407-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/4144-13410-0x0000000002D30000-0x0000000002E30000-memory.dmp

Filesize
1024KB

Download
memory/4144-6862-0x0000000075BE0000-0x0000000075DF5000-memory.dmp

Filesize
2.1MB

Download
memory/4144-13418-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/4144-13469-0x0000000002D30000-0x0000000002E30000-memory.dmp

Filesize
1024KB

Download
memory/4144-6861-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/4144-13488-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download
memory/4144-13499-0x0000000000400000-0x0000000000C64000-memory.dmp

Filesize
8.4MB

Download