9e516f58cc07569bd166ebd8688ca613e877215fc83a3d9ce0c0a765d295ca46

Analysis

max time kernel
217s
max time network
219s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22-08-2023 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ths_lhce56.X64.exe
Size

41.8MB
MD5

cc287f6bf940bc8b77cd20facc011943
SHA1

837786b139a785894d4390c10fa4693b69c93e91
SHA256

9e516f58cc07569bd166ebd8688ca613e877215fc83a3d9ce0c0a765d295ca46
SHA512

12baf4c9d2c2efaaf3c838033ce28b705c664718d2ad30fc7812ff6bd8e8a41eb88ef7bf125e2927225912d97c3a7d196d33a8d34004be995622a75af79656d9
SSDEEP

786432:9KTs0hBwd++d/URZtmaDhTM67840M+J5JwBSPEzUuhuhrsbFpbsynA:9UphBD+NURbmaNM67+RJ5JzXnYxlA

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

u5.exe

pid process

2884 u5.exe

pid	process
2884	u5.exe

Loads dropped DLL 28 IoCs

Processes:

MsiExec.exeths_lhce56.X64.exeMsiExec.exemsiexec.exe

pid	process
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
2916	MsiExec.exe
696	ths_lhce56.X64.exe
2044	MsiExec.exe
2044	MsiExec.exe
2044	MsiExec.exe
2044	MsiExec.exe
2796	msiexec.exe
2796	msiexec.exe
1208
1208
1208
1208
1208
2916	MsiExec.exe
2916	MsiExec.exe
1208
2916	MsiExec.exe
2916	MsiExec.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Public\die\u5.exe	upx
C:\Users\Public\die\u5.exe	upx
C:\Users\Public\die\u5.exe	upx
behavioral1/memory/2884-245-0x0000000000400000-0x0000000000691000-memory.dmp	upx
behavioral1/memory/2884-248-0x0000000000400000-0x0000000000691000-memory.dmp	upx
behavioral1/memory/2884-251-0x0000000000400000-0x0000000000691000-memory.dmp	upx
behavioral1/memory/2884-267-0x0000000000400000-0x0000000000691000-memory.dmp	upx
behavioral1/memory/2884-280-0x0000000000400000-0x0000000000691000-memory.dmp	upx
behavioral1/memory/2884-281-0x0000000000400000-0x0000000000691000-memory.dmp	upx
behavioral1/memory/2884-283-0x0000000000400000-0x0000000000691000-memory.dmp	upx
behavioral1/memory/2884-284-0x0000000000400000-0x0000000000691000-memory.dmp	upx
behavioral1/memory/2884-285-0x0000000000400000-0x0000000000691000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeths_lhce56.X64.exeths_lhce56.X64.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	ths_lhce56.X64.exe
File opened (read-only)	\??\M:	ths_lhce56.X64.exe
File opened (read-only)	\??\N:	ths_lhce56.X64.exe
File opened (read-only)	\??\W:	ths_lhce56.X64.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	ths_lhce56.X64.exe
File opened (read-only)	\??\T:	ths_lhce56.X64.exe
File opened (read-only)	\??\H:	ths_lhce56.X64.exe
File opened (read-only)	\??\Y:	ths_lhce56.X64.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	ths_lhce56.X64.exe
File opened (read-only)	\??\P:	ths_lhce56.X64.exe
File opened (read-only)	\??\V:	ths_lhce56.X64.exe
File opened (read-only)	\??\N:	ths_lhce56.X64.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	ths_lhce56.X64.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	ths_lhce56.X64.exe
File opened (read-only)	\??\W:	ths_lhce56.X64.exe
File opened (read-only)	\??\G:	ths_lhce56.X64.exe
File opened (read-only)	\??\J:	ths_lhce56.X64.exe
File opened (read-only)	\??\X:	ths_lhce56.X64.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	ths_lhce56.X64.exe
File opened (read-only)	\??\V:	ths_lhce56.X64.exe
File opened (read-only)	\??\A:	ths_lhce56.X64.exe
File opened (read-only)	\??\I:	ths_lhce56.X64.exe
File opened (read-only)	\??\H:	ths_lhce56.X64.exe
File opened (read-only)	\??\B:	ths_lhce56.X64.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	ths_lhce56.X64.exe
File opened (read-only)	\??\G:	ths_lhce56.X64.exe
File opened (read-only)	\??\S:	ths_lhce56.X64.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	ths_lhce56.X64.exe
File opened (read-only)	\??\T:	ths_lhce56.X64.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	ths_lhce56.X64.exe
File opened (read-only)	\??\P:	ths_lhce56.X64.exe
File opened (read-only)	\??\O:	ths_lhce56.X64.exe
File opened (read-only)	\??\Q:	ths_lhce56.X64.exe
File opened (read-only)	\??\U:	ths_lhce56.X64.exe
File opened (read-only)	\??\X:	ths_lhce56.X64.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	ths_lhce56.X64.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	ths_lhce56.X64.exe
File opened (read-only)	\??\L:	ths_lhce56.X64.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	ths_lhce56.X64.exe
File opened (read-only)	\??\O:	ths_lhce56.X64.exe
File opened (read-only)	\??\Z:	ths_lhce56.X64.exe
File opened (read-only)	\??\E:	ths_lhce56.X64.exe
File opened (read-only)	\??\M:	ths_lhce56.X64.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	ths_lhce56.X64.exe
File opened (read-only)	\??\K:	ths_lhce56.X64.exe

Drops file in Program Files directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\A7FDF864FBC10B77s	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\D877F783D5D3EF8Cs	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\prefix	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\usertag	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\4665D10F8001AA7Fs	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\countries	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\F8806DD0C461824Fs	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\key_datas	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\settingss	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\shortcuts-custom.json	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\tdata\shortcuts-default.json	msiexec.exe
File created	C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exeDrvInst.exeu5.exe

description	ioc	process
File created	C:\Windows\Installer\f770638.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI770.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7F.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI82C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f770639.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25AE.tmp	msiexec.exe
File created	C:\Windows\DNomb\Mpec.mbt	u5.exe
File created	C:\Windows\DNomb\PTvrst.exe	u5.exe
File opened for modification	C:\Windows\Installer\f770638.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI946.tmp	msiexec.exe
File created	C:\Windows\Installer\f770639.ipi	msiexec.exe
File created	C:\Windows\DNomb\spolsvt.exe	u5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exeu5.exe

pid process

2796 msiexec.exe
2796 msiexec.exe
2884 u5.exe
2884 u5.exe
2884 u5.exe
2884 u5.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ths_lhce56.X64.exe

pid process

696 ths_lhce56.X64.exe

pid	process
2796	msiexec.exe
2796	msiexec.exe
2884	u5.exe
2884	u5.exe
2884	u5.exe
2884	u5.exe

pid	process
696	ths_lhce56.X64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeths_lhce56.X64.exe

description	pid	process
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeSecurityPrivilege	2796	msiexec.exe
Token: SeCreateTokenPrivilege	696	ths_lhce56.X64.exe
Token: SeAssignPrimaryTokenPrivilege	696	ths_lhce56.X64.exe
Token: SeLockMemoryPrivilege	696	ths_lhce56.X64.exe
Token: SeIncreaseQuotaPrivilege	696	ths_lhce56.X64.exe
Token: SeMachineAccountPrivilege	696	ths_lhce56.X64.exe
Token: SeTcbPrivilege	696	ths_lhce56.X64.exe
Token: SeSecurityPrivilege	696	ths_lhce56.X64.exe
Token: SeTakeOwnershipPrivilege	696	ths_lhce56.X64.exe
Token: SeLoadDriverPrivilege	696	ths_lhce56.X64.exe
Token: SeSystemProfilePrivilege	696	ths_lhce56.X64.exe
Token: SeSystemtimePrivilege	696	ths_lhce56.X64.exe
Token: SeProfSingleProcessPrivilege	696	ths_lhce56.X64.exe
Token: SeIncBasePriorityPrivilege	696	ths_lhce56.X64.exe
Token: SeCreatePagefilePrivilege	696	ths_lhce56.X64.exe
Token: SeCreatePermanentPrivilege	696	ths_lhce56.X64.exe
Token: SeBackupPrivilege	696	ths_lhce56.X64.exe
Token: SeRestorePrivilege	696	ths_lhce56.X64.exe
Token: SeShutdownPrivilege	696	ths_lhce56.X64.exe
Token: SeDebugPrivilege	696	ths_lhce56.X64.exe
Token: SeAuditPrivilege	696	ths_lhce56.X64.exe
Token: SeSystemEnvironmentPrivilege	696	ths_lhce56.X64.exe
Token: SeChangeNotifyPrivilege	696	ths_lhce56.X64.exe
Token: SeRemoteShutdownPrivilege	696	ths_lhce56.X64.exe
Token: SeUndockPrivilege	696	ths_lhce56.X64.exe
Token: SeSyncAgentPrivilege	696	ths_lhce56.X64.exe
Token: SeEnableDelegationPrivilege	696	ths_lhce56.X64.exe
Token: SeManageVolumePrivilege	696	ths_lhce56.X64.exe
Token: SeImpersonatePrivilege	696	ths_lhce56.X64.exe
Token: SeCreateGlobalPrivilege	696	ths_lhce56.X64.exe
Token: SeCreateTokenPrivilege	696	ths_lhce56.X64.exe
Token: SeAssignPrimaryTokenPrivilege	696	ths_lhce56.X64.exe
Token: SeLockMemoryPrivilege	696	ths_lhce56.X64.exe
Token: SeIncreaseQuotaPrivilege	696	ths_lhce56.X64.exe
Token: SeMachineAccountPrivilege	696	ths_lhce56.X64.exe
Token: SeTcbPrivilege	696	ths_lhce56.X64.exe
Token: SeSecurityPrivilege	696	ths_lhce56.X64.exe
Token: SeTakeOwnershipPrivilege	696	ths_lhce56.X64.exe
Token: SeLoadDriverPrivilege	696	ths_lhce56.X64.exe
Token: SeSystemProfilePrivilege	696	ths_lhce56.X64.exe
Token: SeSystemtimePrivilege	696	ths_lhce56.X64.exe
Token: SeProfSingleProcessPrivilege	696	ths_lhce56.X64.exe
Token: SeIncBasePriorityPrivilege	696	ths_lhce56.X64.exe
Token: SeCreatePagefilePrivilege	696	ths_lhce56.X64.exe
Token: SeCreatePermanentPrivilege	696	ths_lhce56.X64.exe
Token: SeBackupPrivilege	696	ths_lhce56.X64.exe
Token: SeRestorePrivilege	696	ths_lhce56.X64.exe
Token: SeShutdownPrivilege	696	ths_lhce56.X64.exe
Token: SeDebugPrivilege	696	ths_lhce56.X64.exe
Token: SeAuditPrivilege	696	ths_lhce56.X64.exe
Token: SeSystemEnvironmentPrivilege	696	ths_lhce56.X64.exe
Token: SeChangeNotifyPrivilege	696	ths_lhce56.X64.exe
Token: SeRemoteShutdownPrivilege	696	ths_lhce56.X64.exe
Token: SeUndockPrivilege	696	ths_lhce56.X64.exe
Token: SeSyncAgentPrivilege	696	ths_lhce56.X64.exe
Token: SeEnableDelegationPrivilege	696	ths_lhce56.X64.exe
Token: SeManageVolumePrivilege	696	ths_lhce56.X64.exe
Token: SeImpersonatePrivilege	696	ths_lhce56.X64.exe
Token: SeCreateGlobalPrivilege	696	ths_lhce56.X64.exe
Token: SeCreateTokenPrivilege	696	ths_lhce56.X64.exe
Token: SeAssignPrimaryTokenPrivilege	696	ths_lhce56.X64.exe
Token: SeLockMemoryPrivilege	696	ths_lhce56.X64.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ths_lhce56.X64.exe

pid process

696 ths_lhce56.X64.exe
696 ths_lhce56.X64.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

u5.exe

pid process

2884 u5.exe
2884 u5.exe

pid	process
696	ths_lhce56.X64.exe
696	ths_lhce56.X64.exe

pid	process
2884	u5.exe
2884	u5.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

msiexec.exeMsiExec.exeths_lhce56.X64.exe

description	pid	process	target process
PID 2796 wrote to memory of 2916	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2916	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2916	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2916	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2916	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2916	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2916	2796	msiexec.exe	MsiExec.exe
PID 2916 wrote to memory of 2880	2916	MsiExec.exe	ths_lhce56.X64.exe
PID 2916 wrote to memory of 2880	2916	MsiExec.exe	ths_lhce56.X64.exe
PID 2916 wrote to memory of 2880	2916	MsiExec.exe	ths_lhce56.X64.exe
PID 2916 wrote to memory of 2880	2916	MsiExec.exe	ths_lhce56.X64.exe
PID 2916 wrote to memory of 2880	2916	MsiExec.exe	ths_lhce56.X64.exe
PID 2916 wrote to memory of 2880	2916	MsiExec.exe	ths_lhce56.X64.exe
PID 2916 wrote to memory of 2880	2916	MsiExec.exe	ths_lhce56.X64.exe
PID 696 wrote to memory of 2036	696	ths_lhce56.X64.exe	ths_lhce56.X64.exe
PID 696 wrote to memory of 2036	696	ths_lhce56.X64.exe	ths_lhce56.X64.exe
PID 696 wrote to memory of 2036	696	ths_lhce56.X64.exe	ths_lhce56.X64.exe
PID 696 wrote to memory of 2036	696	ths_lhce56.X64.exe	ths_lhce56.X64.exe
PID 696 wrote to memory of 2036	696	ths_lhce56.X64.exe	ths_lhce56.X64.exe
PID 696 wrote to memory of 2036	696	ths_lhce56.X64.exe	ths_lhce56.X64.exe
PID 696 wrote to memory of 2036	696	ths_lhce56.X64.exe	ths_lhce56.X64.exe
PID 2796 wrote to memory of 2044	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2044	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2044	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2044	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2044	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2044	2796	msiexec.exe	MsiExec.exe
PID 2796 wrote to memory of 2044	2796	msiexec.exe	MsiExec.exe
PID 2916 wrote to memory of 2884	2916	MsiExec.exe	u5.exe
PID 2916 wrote to memory of 2884	2916	MsiExec.exe	u5.exe
PID 2916 wrote to memory of 2884	2916	MsiExec.exe	u5.exe
PID 2916 wrote to memory of 2884	2916	MsiExec.exe	u5.exe

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:696

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Telegram\Telegram中文版" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Telegram中文版" SECONDSEQUENCE="1" CLIENTPROCESSID="696" CHAINERUIPROCESSID="696Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,haixia" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_PREREQFILES="C:\Users\Public\die\u5.exe" AI_PREREQDIRS="C:\Users\Public" AI_MISSING_PREREQS="die" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692457904 " TARGETDIR="F:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"
2⤵
- Enumerates connected drives
PID:2036

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 241BD9E959DDAAAD74A7D47D0E5EA851 C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" /groupsextract:100; /out:"C:\Users\Public" /callbackid:2916
3⤵
PID:2880

C:\Users\Public\die\u5.exe
"C:\Users\Public\die\u5.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 15D0715C6E17A5178E524DDF039F81A1
2⤵
- Loads dropped DLL
PID:2044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1644

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "00000000000005D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77063a.rbs

Filesize
3KB

MD5
de46f94772b9cfaa16dace8b1d753bfd

SHA1
3974a57024c613c9ef683a54ae99ea51eb068e9b

SHA256
4470ac69955f667bd505eae814087ab0dbb2fcc7649c3f9c14dd82c3bddeba61

SHA512
03f46aa010aee80da2df09d447648a6ad0cb043b9d8ed43ae55b39d21ab54448fe2e8e99fe6e7700949971c4c76fdd76fa2e659a311d0bfc1593aff3aaf7212c

Download Submit
C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_696\banner.jpg

Filesize
4KB

MD5
d5a55a78cd38f45256807c7851619b7d

SHA1
9d8269120d1d096e9ab0192348f3b8f81f5f73d9

SHA256
be83c8592906fd9651634b0823a2f45abe96aae082674568944c639b5b4a95dc

SHA512
959e7410e3006cfef9d14315e8741e34b6e81c4f9160c5d66f3abd77ce72f55f907ab3a0e500780b5c0e0e017e8639f135cc258976b4ab4b9d1aaed6242ce9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_696\dialog.jpg

Filesize
12KB

MD5
5f6253cff5a8b031bfb3b161079d0d86

SHA1
7645b13610583fb67247c74cf5af08ff848079e7

SHA256
36d9bab35d1e4b50045bf902f5d42b6f865488c75f6e60fc00a6cd6f69034ab0

SHA512
d1fdc364bedf931512000fbf05e854d5aceccb48abb9ec49e68476a5dc2907267490290d92acbb267ffb7bdba9b7a1c88f1eb77830cf953443f4624995dabdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI31E6.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI82A5.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8546.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI86BE.tmp

Filesize
1.1MB

MD5
48c25fba873a341b914652763cbc4f7b

SHA1
98b51420e26829bb96a963e4fb897db733c76fc0

SHA256
4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd

SHA512
c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI87D7.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8865.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8865.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8911.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8A3B.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8B07.tmp

Filesize
1.1MB

MD5
48c25fba873a341b914652763cbc4f7b

SHA1
98b51420e26829bb96a963e4fb897db733c76fc0

SHA256
4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd

SHA512
c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8BC3.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8C8F.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB4F6.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5D2.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5D2.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICCB.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\4665D10F8001AA7Fs

Filesize
140B

MD5
b474444d1dd80c1bedb2e904fd856444

SHA1
7b619a221f86d8e200df24130819ab3d28530e5c

SHA256
6a6c13abed1302785aed7f3ea241edb89a0da6fb30d0b1477d6707e91d17bc65

SHA512
4a687e735c4b649b7c5f79957f837b79d934cc76e63ff6e2ca5744682e03e089058aff164dd379f9cb6bd0bcfc669634a08287f170d070b594b62104e1cab108

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\A7FDF864FBC10B77s

Filesize
1KB

MD5
72339e5b4ca4743c2c1313c90fa38b27

SHA1
8123ac4d35080c0c397478845b2ab16944636bae

SHA256
6a8a6995f4f87336681017417d6ae78223cd725e1118c4e336c93e203c17a9e4

SHA512
3eb657959bdfc0b30124a7e087d44b33aa7814ee9a18a20205b5debc1b290754024d8529174f3e17646fae77339d28a02312584bd6bda7021ad5b59c67d6fa0d

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\D877F783D5D3EF8Cs

Filesize
348B

MD5
9e4d61d6bbe31fbdd409a4ed8bd93950

SHA1
e00825bb8e98a040376bd19ddead6d458755018c

SHA256
7158eb7756cb1a0adae0886d4819e8718be875c8ab283e3a0ab4d7d1f9b6192d

SHA512
a5f60f90df7d7b3d15b79ec6b59a6329a6de0cbb9e4c666320d4d2384276f717d42c819fef607188f18a5cc50ff7327b5c7dc1f59f76b470b67f77c1fd66df46

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\F8806DD0C461824Fs

Filesize
1KB

MD5
fb9a1cbbd1b3531943eecfefa15df5de

SHA1
0295ac1bdc3a668a5f488e6c98a34ad71a53c67b

SHA256
438c768ac7851e93d1081c4291c2b14c250b7cc847050d7716626ab3948760d8

SHA512
abc104efdbf46c9ff9621e9d3c7e3be2d803208e62b63658a1a7f94c8deb823302896b0878c8d9f4962045a7d257afe51047b1ff73f64c2f8e440680a3ef1e60

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\countries

Filesize
20KB

MD5
5d1f2b862acb26f8353cb1d178a2116f

SHA1
e3989f717bb652b4ee3fd18e4dc3f2e0193c75bd

SHA256
3d6d4e33dcaeff17425ea9451d37bb9c866d711d6ece51ef5c09d2fbd296e85e

SHA512
adb1ef7675a0292b236aafdd923be94705eb7ea7baf25a0d3c001fba2014b8f90473375e96739d8af43a7bd9a123f1ce38c532516da3d1a46db50bf66a0c1a73

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\key_datas

Filesize
388B

MD5
b1f3e48b1c9ebac1fbaf7fecc0a03e35

SHA1
057bfe7f77b2a7ff32431e6bb9d846494140e1b8

SHA256
ed7df4dac343c5934312fdb4bc9ff8f4397cdadacffcc991ee9ff88081a3bd77

SHA512
51a79b05303fd7c858f0740c1932caeef6b9174cc197ac743400b069c1449d09086cd312b5b599a016ddc811949189f0704f4569bf5167b2cd26fc64f0a5bdb7

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\prefix

Filesize
24B

MD5
3fb9de9c3edf4abc3a42deaf14dfa8d6

SHA1
d02d2382706bffb38831acfcce62e720a6d55733

SHA256
84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28

SHA512
7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\settingss

Filesize
2KB

MD5
9d6f9ca7beee6410a7ae78a2d81153fd

SHA1
c4ac94f05aa4abe67019f30ef32605f9e4d5b353

SHA256
19b844de3101ae562a3ad7d9019a1710928e96d4bbf7cf0307fbbc5efdc5608b

SHA512
7383059ed94027018df91f61f7ec0d11d5cece6fe4f5335df238e52db1ca94982f7d9cd1e005a8f6c1e2b73da46e364750cd54588ccc247f946212421682eab4

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\shortcuts-custom.json

Filesize
404B

MD5
874b930b4c2fddc8043f59113c044a14

SHA1
75b14a96fe1194f27913a096e484283b172b1749

SHA256
f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8

SHA512
f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\shortcuts-default.json

Filesize
2KB

MD5
cc850fd9abce3912c944d77d8955ebc9

SHA1
71e699b4b680aad0bc339a6511afc75ebb898064

SHA256
e98e0cc330528886e469d795e74a240693968d6a88f3de214878d8f5b08d4bad

SHA512
a8d5aad5fe365d9ea261636956952f705353833456a6cf9dbb4b88d87bbdb2fd52823dad9e77932af8615f2a3e7a1c1c1bacdb5cb00e65affb2644ee3f2def80

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\usertag

Filesize
8B

MD5
87ccdff6d764416c75d4aa695f9be3e4

SHA1
d4c197cb78f5e5f62aef16af3840d3be0509020a

SHA256
e02453e232a9fdc9446885a629109231c07b35f8d2adf886e010cdf07685fdec

SHA512
0224a43341ad897613a233b9b170d4ed523ac45d8d13ab8ae023c6c0b266cb7b68abf3e365f3474045d103f6ce7682d009719592578b601edfceab31d678dca5

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi

Filesize
2.8MB

MD5
5cebd88a8f98c5868dba101c19876cac

SHA1
3bc0bb7bede560130ecfaaaee11ff5894c89ad89

SHA256
ee386eec920ea2b59f1a03901b6a1a62fd002c2eeda18c3d76f02cc49a313202

SHA512
63245cdcfddae432f926464b0c331f2a6649500db98b59662b9a5716049c3408cf6832491ef291c18b4180d7743cc11ba09130c90821aae1bec93121b8401693

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi

Filesize
2.8MB

MD5
5cebd88a8f98c5868dba101c19876cac

SHA1
3bc0bb7bede560130ecfaaaee11ff5894c89ad89

SHA256
ee386eec920ea2b59f1a03901b6a1a62fd002c2eeda18c3d76f02cc49a313202

SHA512
63245cdcfddae432f926464b0c331f2a6649500db98b59662b9a5716049c3408cf6832491ef291c18b4180d7743cc11ba09130c90821aae1bec93121b8401693

Download Submit
C:\Users\Public\die\u5.exe

Filesize
1.3MB

MD5
6563e582bd4db6059b336fad0c465bca

SHA1
d731b97b1b4bf1b88b0863b70b7637d3dfec31a1

SHA256
b27cbec0ee72387bbc2e93fa001741cd181e8fc4eb4c14543c4b271372422a48

SHA512
e9187d1a814045a3c4a59842e823117ef67beabb411fddd6b2e283cdc959e5ed3d99556b005b15e1e402453c7dae0b60f26baf1671179106b6485c2060ad4b2b

Download Submit
C:\Users\Public\die\u5.exe

Filesize
1.3MB

MD5
6563e582bd4db6059b336fad0c465bca

SHA1
d731b97b1b4bf1b88b0863b70b7637d3dfec31a1

SHA256
b27cbec0ee72387bbc2e93fa001741cd181e8fc4eb4c14543c4b271372422a48

SHA512
e9187d1a814045a3c4a59842e823117ef67beabb411fddd6b2e283cdc959e5ed3d99556b005b15e1e402453c7dae0b60f26baf1671179106b6485c2060ad4b2b

Download Submit
C:\Windows\Installer\MSI770.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI82C.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI946.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSIA7F.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI31E6.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSI82A5.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8546.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI86BE.tmp

Filesize
1.1MB

MD5
48c25fba873a341b914652763cbc4f7b

SHA1
98b51420e26829bb96a963e4fb897db733c76fc0

SHA256
4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd

SHA512
c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

Download Submit
\Users\Admin\AppData\Local\Temp\MSI87D7.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8865.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8911.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8A3B.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8B07.tmp

Filesize
1.1MB

MD5
48c25fba873a341b914652763cbc4f7b

SHA1
98b51420e26829bb96a963e4fb897db733c76fc0

SHA256
4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd

SHA512
c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8BC3.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8C8F.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB4F6.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB5D2.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\MSICCB.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Admin\AppData\Local\Temp\preB804.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Users\Public\die\u5.exe

Filesize
1.3MB

MD5
6563e582bd4db6059b336fad0c465bca

SHA1
d731b97b1b4bf1b88b0863b70b7637d3dfec31a1

SHA256
b27cbec0ee72387bbc2e93fa001741cd181e8fc4eb4c14543c4b271372422a48

SHA512
e9187d1a814045a3c4a59842e823117ef67beabb411fddd6b2e283cdc959e5ed3d99556b005b15e1e402453c7dae0b60f26baf1671179106b6485c2060ad4b2b

Download Submit
\Windows\Installer\MSI770.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Windows\Installer\MSI82C.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Windows\Installer\MSI946.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
\Windows\Installer\MSIA7F.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
memory/696-53-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/696-129-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2884-283-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2884-267-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2884-280-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2884-281-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2884-251-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2884-284-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2884-285-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2884-248-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2884-245-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/2916-247-0x0000000002CF0000-0x0000000002F81000-memory.dmp

Filesize
2.6MB

Download
memory/2916-243-0x0000000002CF0000-0x0000000002F81000-memory.dmp

Filesize
2.6MB

Download