Malware Analysis Report

2025-03-15 03:53

Sample ID 230822-smxkfsee6z
Target ths_lhce56.X64.exe
SHA256 9e516f58cc07569bd166ebd8688ca613e877215fc83a3d9ce0c0a765d295ca46
Tags
upx fatalrat infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9e516f58cc07569bd166ebd8688ca613e877215fc83a3d9ce0c0a765d295ca46

Threat Level: Known bad

The file ths_lhce56.X64.exe was found to be: Known bad.

Malicious Activity Summary

upx fatalrat infostealer persistence rat

FatalRat

Fatal Rat payload

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Enumerates connected drives

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-22 15:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-22 15:15

Reported

2023-08-22 15:20

Platform

win7-20230712-en

Max time kernel

217s

Max time network

219s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\die\u5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\A7FDF864FBC10B77s C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\D877F783D5D3EF8Cs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\prefix C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\usertag C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\4665D10F8001AA7Fs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\countries C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\F8806DD0C461824Fs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\key_datas C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\settingss C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\shortcuts-custom.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\shortcuts-default.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f770638.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI770.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA7F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI82C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f770639.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI25AE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\Mpec.mbt C:\Users\Public\die\u5.exe N/A
File created C:\Windows\DNomb\PTvrst.exe C:\Users\Public\die\u5.exe N/A
File opened for modification C:\Windows\Installer\f770638.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI946.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f770639.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\spolsvt.exe C:\Users\Public\die\u5.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Public\die\u5.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\die\u5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2916 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2916 wrote to memory of 2880 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
PID 696 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
PID 2796 wrote to memory of 2044 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2916 wrote to memory of 2884 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\die\u5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 241BD9E959DDAAAD74A7D47D0E5EA851 C

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" /groupsextract:100; /out:"C:\Users\Public" /callbackid:2916

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Telegram\Telegram中文版" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Telegram中文版" SECONDSEQUENCE="1" CLIENTPROCESSID="696" CHAINERUIPROCESSID="696Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,haixia" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_PREREQFILES="C:\Users\Public\die\u5.exe" AI_PREREQDIRS="C:\Users\Public" AI_MISSING_PREREQS="die" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692457904 " TARGETDIR="F:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "00000000000005D8"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 15D0715C6E17A5178E524DDF039F81A1

C:\Users\Public\die\u5.exe

"C:\Users\Public\die\u5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sidamingzhu.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.36:443 sidamingzhu.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 104.85.1.163:80 www.microsoft.com tcp

Files

memory/696-53-0x00000000002C0000-0x00000000002C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi

C:\Users\Admin\AppData\Local\Temp\MSI8546.tmp

\Users\Admin\AppData\Local\Temp\MSI8546.tmp

C:\Users\Admin\AppData\Local\Temp\MSI86BE.tmp

\Users\Admin\AppData\Local\Temp\MSI86BE.tmp

C:\Users\Admin\AppData\Local\Temp\MSI87D7.tmp

\Users\Admin\AppData\Local\Temp\MSI87D7.tmp

C:\Users\Admin\AppData\Local\Temp\MSI8865.tmp

\Users\Admin\AppData\Local\Temp\MSI8865.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI8911.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI8911.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_696\dialog.jpg

MD5 5f6253cff5a8b031bfb3b161079d0d86
SHA1 7645b13610583fb67247c74cf5af08ff848079e7
SHA256 36d9bab35d1e4b50045bf902f5d42b6f865488c75f6e60fc00a6cd6f69034ab0
SHA512 d1fdc364bedf931512000fbf05e854d5aceccb48abb9ec49e68476a5dc2907267490290d92acbb267ffb7bdba9b7a1c88f1eb77830cf953443f4624995dabdc3

C:\Users\Admin\AppData\Local\Temp\MSI8A3B.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI8A3B.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI8B07.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

\Users\Admin\AppData\Local\Temp\MSI8B07.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

C:\Users\Admin\AppData\Local\Temp\MSI8BC3.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI8BC3.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI8C8F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI8C8F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_696\banner.jpg

MD5 d5a55a78cd38f45256807c7851619b7d
SHA1 9d8269120d1d096e9ab0192348f3b8f81f5f73d9
SHA256 be83c8592906fd9651634b0823a2f45abe96aae082674568944c639b5b4a95dc
SHA512 959e7410e3006cfef9d14315e8741e34b6e81c4f9160c5d66f3abd77ce72f55f907ab3a0e500780b5c0e0e017e8639f135cc258976b4ab4b9d1aaed6242ce9f1

memory/696-129-0x00000000002C0000-0x00000000002C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIB4F6.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSIB4F6.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIB5D2.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSIB5D2.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\preB804.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi

MD5 5cebd88a8f98c5868dba101c19876cac
SHA1 3bc0bb7bede560130ecfaaaee11ff5894c89ad89
SHA256 ee386eec920ea2b59f1a03901b6a1a62fd002c2eeda18c3d76f02cc49a313202
SHA512 63245cdcfddae432f926464b0c331f2a6649500db98b59662b9a5716049c3408cf6832491ef291c18b4180d7743cc11ba09130c90821aae1bec93121b8401693

C:\Windows\Installer\MSI770.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Windows\Installer\MSI770.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI82C.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSI82C.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI946.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSI946.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSIA7F.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSIA7F.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\4665D10F8001AA7Fs

MD5 b474444d1dd80c1bedb2e904fd856444
SHA1 7b619a221f86d8e200df24130819ab3d28530e5c
SHA256 6a6c13abed1302785aed7f3ea241edb89a0da6fb30d0b1477d6707e91d17bc65
SHA512 4a687e735c4b649b7c5f79957f837b79d934cc76e63ff6e2ca5744682e03e089058aff164dd379f9cb6bd0bcfc669634a08287f170d070b594b62104e1cab108

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\A7FDF864FBC10B77s

MD5 72339e5b4ca4743c2c1313c90fa38b27
SHA1 8123ac4d35080c0c397478845b2ab16944636bae
SHA256 6a8a6995f4f87336681017417d6ae78223cd725e1118c4e336c93e203c17a9e4
SHA512 3eb657959bdfc0b30124a7e087d44b33aa7814ee9a18a20205b5debc1b290754024d8529174f3e17646fae77339d28a02312584bd6bda7021ad5b59c67d6fa0d

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\countries

MD5 5d1f2b862acb26f8353cb1d178a2116f
SHA1 e3989f717bb652b4ee3fd18e4dc3f2e0193c75bd
SHA256 3d6d4e33dcaeff17425ea9451d37bb9c866d711d6ece51ef5c09d2fbd296e85e
SHA512 adb1ef7675a0292b236aafdd923be94705eb7ea7baf25a0d3c001fba2014b8f90473375e96739d8af43a7bd9a123f1ce38c532516da3d1a46db50bf66a0c1a73

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\D877F783D5D3EF8Cs

MD5 9e4d61d6bbe31fbdd409a4ed8bd93950
SHA1 e00825bb8e98a040376bd19ddead6d458755018c
SHA256 7158eb7756cb1a0adae0886d4819e8718be875c8ab283e3a0ab4d7d1f9b6192d
SHA512 a5f60f90df7d7b3d15b79ec6b59a6329a6de0cbb9e4c666320d4d2384276f717d42c819fef607188f18a5cc50ff7327b5c7dc1f59f76b470b67f77c1fd66df46

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\F8806DD0C461824Fs

MD5 fb9a1cbbd1b3531943eecfefa15df5de
SHA1 0295ac1bdc3a668a5f488e6c98a34ad71a53c67b
SHA256 438c768ac7851e93d1081c4291c2b14c250b7cc847050d7716626ab3948760d8
SHA512 abc104efdbf46c9ff9621e9d3c7e3be2d803208e62b63658a1a7f94c8deb823302896b0878c8d9f4962045a7d257afe51047b1ff73f64c2f8e440680a3ef1e60

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\key_datas

MD5 b1f3e48b1c9ebac1fbaf7fecc0a03e35
SHA1 057bfe7f77b2a7ff32431e6bb9d846494140e1b8
SHA256 ed7df4dac343c5934312fdb4bc9ff8f4397cdadacffcc991ee9ff88081a3bd77
SHA512 51a79b05303fd7c858f0740c1932caeef6b9174cc197ac743400b069c1449d09086cd312b5b599a016ddc811949189f0704f4569bf5167b2cd26fc64f0a5bdb7

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\prefix

MD5 3fb9de9c3edf4abc3a42deaf14dfa8d6
SHA1 d02d2382706bffb38831acfcce62e720a6d55733
SHA256 84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28
SHA512 7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\settingss

MD5 9d6f9ca7beee6410a7ae78a2d81153fd
SHA1 c4ac94f05aa4abe67019f30ef32605f9e4d5b353
SHA256 19b844de3101ae562a3ad7d9019a1710928e96d4bbf7cf0307fbbc5efdc5608b
SHA512 7383059ed94027018df91f61f7ec0d11d5cece6fe4f5335df238e52db1ca94982f7d9cd1e005a8f6c1e2b73da46e364750cd54588ccc247f946212421682eab4

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\shortcuts-custom.json

MD5 874b930b4c2fddc8043f59113c044a14
SHA1 75b14a96fe1194f27913a096e484283b172b1749
SHA256 f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8
SHA512 f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\shortcuts-default.json

MD5 cc850fd9abce3912c944d77d8955ebc9
SHA1 71e699b4b680aad0bc339a6511afc75ebb898064
SHA256 e98e0cc330528886e469d795e74a240693968d6a88f3de214878d8f5b08d4bad
SHA512 a8d5aad5fe365d9ea261636956952f705353833456a6cf9dbb4b88d87bbdb2fd52823dad9e77932af8615f2a3e7a1c1c1bacdb5cb00e65affb2644ee3f2def80

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\usertag

MD5 87ccdff6d764416c75d4aa695f9be3e4
SHA1 d4c197cb78f5e5f62aef16af3840d3be0509020a
SHA256 e02453e232a9fdc9446885a629109231c07b35f8d2adf886e010cdf07685fdec
SHA512 0224a43341ad897613a233b9b170d4ed523ac45d8d13ab8ae023c6c0b266cb7b68abf3e365f3474045d103f6ce7682d009719592578b601edfceab31d678dca5

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\Telegram.exe

MD5 b207b753976baf91f4a1cfb6a195fd9d
SHA1 4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9
SHA256 96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8
SHA512 5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

MD5 b207b753976baf91f4a1cfb6a195fd9d
SHA1 4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9
SHA256 96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8
SHA512 5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

MD5 b207b753976baf91f4a1cfb6a195fd9d
SHA1 4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9
SHA256 96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8
SHA512 5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

C:\Config.Msi\f77063a.rbs

MD5 de46f94772b9cfaa16dace8b1d753bfd
SHA1 3974a57024c613c9ef683a54ae99ea51eb068e9b
SHA256 4470ac69955f667bd505eae814087ab0dbb2fcc7649c3f9c14dd82c3bddeba61
SHA512 03f46aa010aee80da2df09d447648a6ad0cb043b9d8ed43ae55b39d21ab54448fe2e8e99fe6e7700949971c4c76fdd76fa2e659a311d0bfc1593aff3aaf7212c

C:\Users\Admin\AppData\Local\Temp\MSI31E6.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI31E6.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Public\die\u5.exe

MD5 6563e582bd4db6059b336fad0c465bca
SHA1 d731b97b1b4bf1b88b0863b70b7637d3dfec31a1
SHA256 b27cbec0ee72387bbc2e93fa001741cd181e8fc4eb4c14543c4b271372422a48
SHA512 e9187d1a814045a3c4a59842e823117ef67beabb411fddd6b2e283cdc959e5ed3d99556b005b15e1e402453c7dae0b60f26baf1671179106b6485c2060ad4b2b

C:\Users\Public\die\u5.exe

MD5 6563e582bd4db6059b336fad0c465bca
SHA1 d731b97b1b4bf1b88b0863b70b7637d3dfec31a1
SHA256 b27cbec0ee72387bbc2e93fa001741cd181e8fc4eb4c14543c4b271372422a48
SHA512 e9187d1a814045a3c4a59842e823117ef67beabb411fddd6b2e283cdc959e5ed3d99556b005b15e1e402453c7dae0b60f26baf1671179106b6485c2060ad4b2b

memory/2916-243-0x0000000002CF0000-0x0000000002F81000-memory.dmp

C:\Users\Public\die\u5.exe

MD5 6563e582bd4db6059b336fad0c465bca
SHA1 d731b97b1b4bf1b88b0863b70b7637d3dfec31a1
SHA256 b27cbec0ee72387bbc2e93fa001741cd181e8fc4eb4c14543c4b271372422a48
SHA512 e9187d1a814045a3c4a59842e823117ef67beabb411fddd6b2e283cdc959e5ed3d99556b005b15e1e402453c7dae0b60f26baf1671179106b6485c2060ad4b2b

memory/2884-245-0x0000000000400000-0x0000000000691000-memory.dmp

memory/2916-247-0x0000000002CF0000-0x0000000002F81000-memory.dmp

memory/2884-248-0x0000000000400000-0x0000000000691000-memory.dmp

memory/2884-251-0x0000000000400000-0x0000000000691000-memory.dmp

memory/2884-267-0x0000000000400000-0x0000000000691000-memory.dmp

memory/2884-280-0x0000000000400000-0x0000000000691000-memory.dmp

memory/2884-281-0x0000000000400000-0x0000000000691000-memory.dmp

memory/2884-283-0x0000000000400000-0x0000000000691000-memory.dmp

memory/2884-284-0x0000000000400000-0x0000000000691000-memory.dmp

memory/2884-285-0x0000000000400000-0x0000000000691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI82A5.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI82A5.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSICCB.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSICCB.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6
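
The listing above is long because the same content is written under many names: three SHA256 values (e9e426b6…, 4595c98e…, ac2df328…) account for every MSI*.tmp entry, and the same path is reported both with and without its drive letter. Before the hashes go into a blocklist they should be collapsed to unique content. The script below is an added example, not part of the report or of the sandbox's tooling; it assumes the layout seen above (a path line, then MD5/SHA1/SHA256/SHA512 lines, and memory dumps as a bare memory/<pid>-<n>-<start>-<end>-memory.dmp line). The SAMPLE_LISTING text is a constructed excerpt of the listing, with paths and hashes copied from the report and the SHA512 line kept only for the first entry.

```python
"""Collapse a sandbox 'Files' listing to unique artifacts.

Added example for this report, not the sandbox's own code. Assumes the layout
seen in the report: path line, blank, MD5/SHA1/SHA256/SHA512 lines; memory dumps
are a bare 'memory/<pid>-<n>-<start>-<end>-memory.dmp' line with no hashes.
"""
import re
from collections import defaultdict

# Constructed excerpt of the listing above (paths and hashes copied from the
# report; SHA512 kept only for the first entry to keep the sample short).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\MSI8865.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI8865.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

C:\Users\Admin\AppData\Local\Temp\MSI8A3B.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

memory/2916-243-0x0000000002CF0000-0x0000000002F81000-memory.dmp

C:\Users\Public\die\u5.exe

MD5 6563e582bd4db6059b336fad0c465bca
SHA1 d731b97b1b4bf1b88b0863b70b7637d3dfec31a1
SHA256 b27cbec0ee72387bbc2e93fa001741cd181e8fc4eb4c14543c4b271372422a48

memory/2884-245-0x0000000000400000-0x0000000000691000-memory.dmp

memory/2884-248-0x0000000000400000-0x0000000000691000-memory.dmp

C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

MD5 b207b753976baf91f4a1cfb6a195fd9d
SHA1 4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9
SHA256 96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_listing(text):
    """Return (files, memdumps): one hash dict per file entry, and one
    (pid, dump_index, start, end) tuple per memory dump. A digest whose length
    does not match its algorithm raises ValueError (catches copy/paste truncation)."""
    files, memdumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length: {line!r}")
            if current is not None:   # hash lines before any path are orphans
                current[algo] = digest
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            memdumps.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        current = {"path": line}      # any other non-blank line starts an entry
        files.append(current)
    return files, memdumps

def unique_artifacts(files):
    """Map SHA256 -> sorted list of every path that content was written to."""
    by_hash = defaultdict(set)
    for entry in files:
        if "sha256" in entry:
            by_hash[entry["sha256"]].add(entry["path"])
    return {h: sorted(p) for h, p in by_hash.items()}

def memdump_regions(memdumps):
    """Distinct (pid, start, end) regions; repeated indices re-dump one region."""
    return sorted({(pid, s, e) for pid, _, s, e in memdumps})

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    for sha256, paths in unique_artifacts(files).items():
        print(sha256, *paths, sep="\n    ")
    for pid, start, end in memdump_regions(dumps):
        print(f"pid {pid}: 0x{start:X}-0x{end:X} ({end - start:#x} bytes)")
```

Run against the full listing, the same code reduces the dozens of entries to a handful of SHA256 values, and the memory-dump lines to one region per process: for PID 2884 the repeated dumps all cover 0x400000-0x691000, which is the same size as the 0x2CF0000-0x2F81000 region dumped from PID 2916. Which of the unique hashes are installer helpers and which are the payload still has to be decided per hash; the script only removes the repetition.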

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-22 15:15

Reported

2023-08-22 15:20

Platform

win10-20230703-en

Max time kernel

273s

Max time network

256s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\die\u5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\F8806DD0C461824Fs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\key_datas C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\prefix C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\shortcuts-default.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\4665D10F8001AA7Fs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\A7FDF864FBC10B77s C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\countries C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\D877F783D5D3EF8Cs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\settingss C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\shortcuts-custom.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\usertag C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI33BA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI34D5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI31B5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI32DF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{7F1B75D6-84D3-4544-83F1-D38737C3C8F4} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B3D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI35A1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\Mpec.mbt C:\Users\Public\die\u5.exe N/A
File created C:\Windows\DNomb\spolsvt.exe C:\Users\Public\die\u5.exe N/A
File created C:\Windows\DNomb\PTvrst.exe C:\Users\Public\die\u5.exe N/A
File created C:\Windows\Installer\e5930ab.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5930ab.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
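
Two of the tables above are worth turning into triage checks, and together they show why neither works alone. Both ths_lhce56.X64.exe and msiexec.exe walk the drive letters A: through Z: (the installer does it legitimately), so a drive-enumeration rule fires on both; what separates the payload from the installer is the second table, where u5.exe, running from C:\Users\Public, creates Mpec.mbt, spolsvt.exe and PTvrst.exe under C:\Windows\DNomb\ while msiexec's own writes come from system32. The script below is an added example, not part of the report or of the sandbox's signature engine. SAMPLE_EVENTS is constructed from the rows above (drive letters collapsed to one entry per letter); the eight-letter threshold and the trusted-path list are this example's own choices.

```python
"""Triage checks over the signature rows above.

Added example for this report, not the sandbox's own detection logic. Event
tuples are (description, indicator, process) as in the report's tables.
"""
import re
from collections import defaultdict

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"
MSIEXEC = r"C:\Windows\system32\msiexec.exe"
U5 = r"C:\Users\Public\die\u5.exe"

# Drive letters each process opened, taken from the rows above with repeats
# collapsed (neither process touched C:, D: or F:). Constructed sample input.
SAMPLE_EVENTS = [("File opened (read-only)", rf"\??\{c}:", SAMPLE_EXE)
                 for c in "ZNRYAMPSVOLGXKHTIJEUBWQ"]
SAMPLE_EVENTS += [("File opened (read-only)", rf"\??\{c}:", MSIEXEC)
                  for c in "OPAEJKBSTIZVGXQYNUHWR"]
SAMPLE_EVENTS += [
    ("File created", r"C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe", MSIEXEC),
    ("File created", r"C:\Windows\Installer\SourceHash{7F1B75D6-84D3-4544-83F1-D38737C3C8F4}", MSIEXEC),
    ("File created", r"C:\Windows\DNomb\Mpec.mbt", U5),
    ("File created", r"C:\Windows\DNomb\spolsvt.exe", U5),
    ("File created", r"C:\Windows\DNomb\PTvrst.exe", U5),
    ("File opened for modification", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log", MSIEXEC),
]

DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)   # \??\X:
WINDIR = "c:\\windows\\"
TRUSTED_PARENTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def drive_enumerators(events, min_letters=8):
    """Processes that opened at least `min_letters` distinct drive roots.
    Returns {process: letter_count}. Installers and backup tools trip this
    too, so it is a lead to correlate, not a verdict on its own."""
    letters = defaultdict(set)
    for desc, indicator, proc in events:
        m = DRIVE_RE.match(indicator)
        if m and desc.startswith("File opened"):
            letters[proc].add(m.group(1).upper())
    return {proc: len(s) for proc, s in letters.items() if len(s) >= min_letters}

def foreign_windows_writes(events):
    """'File created' events under C:\\Windows whose writer runs from outside
    the Windows and Program Files trees (user-writable locations such as
    C:\\Users\\Public). Returns [(process, created_path)] in event order."""
    hits = []
    for desc, indicator, proc in events:
        if desc != "File created" or not indicator.lower().startswith(WINDIR):
            continue
        if proc.lower().startswith(TRUSTED_PARENTS):
            continue                      # msiexec writing C:\Windows\Installer is expected
        hits.append((proc, indicator))
    return hits

if __name__ == "__main__":
    for proc, n in drive_enumerators(SAMPLE_EVENTS).items():
        print(f"drive enumeration: {n} letters by {proc}")
    for proc, path in foreign_windows_writes(SAMPLE_EVENTS):
        print(f"write into Windows dir from user path: {proc} -> {path}")
```

On the sample input the first check returns both processes (23 letters for the sample, 21 for msiexec), and the second returns only the three u5.exe drops. One caveat when turning the second check into a hunt: with default ACLs a process needs an elevated token to create files under C:\Windows, so the detonation ran with administrative rights, and on a standard-user endpoint the same dropper may fail or fall back to another location; the rule should therefore also watch the user-writable paths the sample already uses (C:\Users\Public, %TEMP%).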

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings C:\Users\Public\die\u5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\die\u5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3732 wrote to memory of 3720 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3720 wrote to memory of 2868 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
PID 4896 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
PID 3732 wrote to memory of 760 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3732 wrote to memory of 2616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3720 wrote to memory of 852 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\die\u5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 174E801BDDB6E14437F48F400FC85D47 C

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" /groupsextract:100; /out:"C:\Users\Public" /callbackid:3720

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Telegram\Telegram中文版" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Telegram中文版" SECONDSEQUENCE="1" CLIENTPROCESSID="4896" CHAINERUIPROCESSID="4896Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,haixia" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_PREREQFILES="C:\Users\Public\die\u5.exe" AI_PREREQDIRS="C:\Users\Public" AI_MISSING_PREREQS="die" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692476684 " TARGETDIR="F:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 848A7910F661E1C1A1229B48A6EF8BF7

C:\Users\Public\die\u5.exe

"C:\Users\Public\die\u5.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 45.147.19.2.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 sidamingzhu.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.36:443 sidamingzhu.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 36.19.75.47.in-addr.arpa udp
HK 47.75.19.36:443 sidamingzhu.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi

C:\Users\Admin\AppData\Local\Temp\MSI4FD.tmp

\Users\Admin\AppData\Local\Temp\MSI4FD.tmp

C:\Users\Admin\AppData\Local\Temp\MSI675.tmp

\Users\Admin\AppData\Local\Temp\MSI675.tmp

C:\Users\Admin\AppData\Local\Temp\MSI770.tmp

\Users\Admin\AppData\Local\Temp\MSI770.tmp

C:\Users\Admin\AppData\Local\Temp\MSI82D.tmp

\Users\Admin\AppData\Local\Temp\MSI82D.tmp

C:\Users\Admin\AppData\Local\Temp\MSI937.tmp

\Users\Admin\AppData\Local\Temp\MSI937.tmp

C:\Users\Admin\AppData\Local\Temp\MSI9C5.tmp

\Users\Admin\AppData\Local\Temp\MSI9C5.tmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4896\dialog.jpg

C:\Users\Admin\AppData\Local\Temp\MSIB8B.tmp

\Users\Admin\AppData\Local\Temp\MSIB8B.tmp

C:\Users\Admin\AppData\Local\Temp\MSICA5.tmp

\Users\Admin\AppData\Local\Temp\MSICA5.tmp

C:\Users\Admin\AppData\Local\Temp\MSIDA0.tmp

\Users\Admin\AppData\Local\Temp\MSIDA0.tmp

C:\Users\Admin\AppData\Local\Temp\MSIE1E.tmp

\Users\Admin\AppData\Local\Temp\MSIE1E.tmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4896\banner.jpg

C:\Users\Admin\AppData\Local\Temp\MSIA232.tmp

\Users\Admin\AppData\Local\Temp\MSIA232.tmp

C:\Users\Admin\AppData\Local\Temp\MSIA35C.tmp

\Users\Admin\AppData\Local\Temp\MSIA35C.tmp

\Users\Admin\AppData\Local\Temp\preA6E7.tmp

C:\Users\Admin\AppData\Local\Temp\shiA9C8.tmp

C:\Windows\Installer\MSI31B5.tmp

\Windows\Installer\MSI31B5.tmp

C:\Windows\Installer\MSI32DF.tmp

\Windows\Installer\MSI32DF.tmp

C:\Windows\Installer\MSI33BA.tmp

\Windows\Installer\MSI33BA.tmp

\Windows\Installer\MSI34D5.tmp

C:\Windows\Installer\MSI34D5.tmp

C:\Windows\Installer\MSI35A1.tmp

\Windows\Installer\MSI35A1.tmp

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\Telegram.exe

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\4665D10F8001AA7Fs

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\prefix

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\key_datas

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\shortcuts-default.json

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\D877F783D5D3EF8Cs

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\F8806DD0C461824Fs

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\usertag

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\countries

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\settingss

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\shortcuts-custom.json

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\A7FDF864FBC10B77s

C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

C:\Config.Msi\e5930ac.rbs

C:\Users\Admin\AppData\Local\Temp\MSI551A.tmp

\Users\Admin\AppData\Local\Temp\MSI551A.tmp

C:\Users\Public\die\u5.exe

memory/852-322-0x0000000000400000-0x0000000000691000-memory.dmp

\??\Volume{251ba123-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bb8d9e39-450f-413f-874a-b40df43c1604}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

memory/852-335-0x0000000000400000-0x0000000000691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI78A0.tmp

\Users\Admin\AppData\Local\Temp\MSI78A0.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI96F2.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI96F2.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-22 15:15

Reported

2023-08-22 15:20

Platform

win10v2004-20230703-en

Max time kernel

295s

Max time network

296s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\WINDOWS\DNomb\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" C:\Users\Public\Documents\123\PTvrst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ϵͳ×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\WINDOWS\DNomb\spolsvt.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 528 set thread context of 3864 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 3864 set thread context of 4760 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\4665D10F8001AA7Fs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\countries C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\D877F783D5D3EF8Cs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\key_datas C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\prefix C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\shortcuts-custom.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\shortcuts-default.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\A7FDF864FBC10B77s C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\F8806DD0C461824Fs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\settingss C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\tdata\usertag C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\SourceHash{7F1B75D6-84D3-4544-83F1-D38737C3C8F4} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e59a01e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\Mpec.mbt C:\Users\Public\die\u5.exe N/A
File opened for modification C:\Windows\Installer\e59a01e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA2FE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA4F4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA1F3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA38B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA67B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBE69.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\spolsvt.exe C:\Users\Public\die\u5.exe N/A
File created C:\Windows\DNomb\PTvrst.exe C:\Users\Public\die\u5.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings C:\Users\Public\die\u5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\die\u5.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\WINDOWS\DNomb\spolsvt.exe N/A
N/A N/A C:\WINDOWS\DNomb\spolsvt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 1012 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1856 wrote to memory of 1012 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1856 wrote to memory of 1012 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1012 wrote to memory of 4052 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
PID 1012 wrote to memory of 4052 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
PID 1012 wrote to memory of 4052 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
PID 4492 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
PID 4492 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
PID 4492 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe
PID 1856 wrote to memory of 4408 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1856 wrote to memory of 4408 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1856 wrote to memory of 4464 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1856 wrote to memory of 4464 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1856 wrote to memory of 4464 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1012 wrote to memory of 2880 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\die\u5.exe
PID 1012 wrote to memory of 2880 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\die\u5.exe
PID 1012 wrote to memory of 2880 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\die\u5.exe
PID 528 wrote to memory of 3864 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 528 wrote to memory of 3864 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 528 wrote to memory of 3864 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 528 wrote to memory of 3864 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 528 wrote to memory of 3864 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 528 wrote to memory of 3864 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 528 wrote to memory of 3864 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 528 wrote to memory of 3864 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 528 wrote to memory of 3864 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 3864 wrote to memory of 4760 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3864 wrote to memory of 4760 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3864 wrote to memory of 4760 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3864 wrote to memory of 4760 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3864 wrote to memory of 4760 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3864 wrote to memory of 4760 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3864 wrote to memory of 4760 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 3864 wrote to memory of 4760 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding AC7C63F25B7CA984F389D05AF11F4CA2 C

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" /groupsextract:100; /out:"C:\Users\Public" /callbackid:1012

C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe

"C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" /i "C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Telegram\Telegram中文版" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Telegram中文版" SECONDSEQUENCE="1" CLIENTPROCESSID="4492" CHAINERUIPROCESSID="4492Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,haixia" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_PREREQFILES="C:\Users\Public\die\u5.exe" AI_PREREQDIRS="C:\Users\Public" AI_MISSING_PREREQS="die" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692476687 " TARGETDIR="F:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\ths_lhce56.X64.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 18B98B23A9719AF0B8035929B0CDEE29

C:\Users\Public\die\u5.exe

"C:\Users\Public\die\u5.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Public\Documents\123\PTvrst.exe

"C:\Users\Public\Documents\123\PTvrst.exe"

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 45.147.19.2.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 sidamingzhu.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.36:443 sidamingzhu.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 36.19.75.47.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 hu5.wccabc.com udp
HK 8.218.53.104:3927 hu5.wccabc.com tcp
US 8.8.8.8:53 104.53.218.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi

MD5 5cebd88a8f98c5868dba101c19876cac
SHA1 3bc0bb7bede560130ecfaaaee11ff5894c89ad89
SHA256 ee386eec920ea2b59f1a03901b6a1a62fd002c2eeda18c3d76f02cc49a313202
SHA512 63245cdcfddae432f926464b0c331f2a6649500db98b59662b9a5716049c3408cf6832491ef291c18b4180d7743cc11ba09130c90821aae1bec93121b8401693

C:\Users\Admin\AppData\Local\Temp\MSI694.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI84A.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

C:\Users\Admin\AppData\Local\Temp\MSI974.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9D3.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIA31.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIAEE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4492\dialog.jpg

MD5 5f6253cff5a8b031bfb3b161079d0d86
SHA1 7645b13610583fb67247c74cf5af08ff848079e7
SHA256 36d9bab35d1e4b50045bf902f5d42b6f865488c75f6e60fc00a6cd6f69034ab0
SHA512 d1fdc364bedf931512000fbf05e854d5aceccb48abb9ec49e68476a5dc2907267490290d92acbb267ffb7bdba9b7a1c88f1eb77830cf953443f4624995dabdc3

C:\Users\Admin\AppData\Local\Temp\MSICD3.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIDDE.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

C:\Users\Admin\AppData\Local\Temp\MSIE2D.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIF28.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4492\banner.jpg

MD5 d5a55a78cd38f45256807c7851619b7d
SHA1 9d8269120d1d096e9ab0192348f3b8f81f5f73d9
SHA256 be83c8592906fd9651634b0823a2f45abe96aae082674568944c639b5b4a95dc
SHA512 959e7410e3006cfef9d14315e8741e34b6e81c4f9160c5d66f3abd77ce72f55f907ab3a0e500780b5c0e0e017e8639f135cc258976b4ab4b9d1aaed6242ce9f1

C:\Users\Admin\AppData\Local\Temp\MSIC54A.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIC5B8.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\preCC51.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tg.msi

MD5 5cebd88a8f98c5868dba101c19876cac
SHA1 3bc0bb7bede560130ecfaaaee11ff5894c89ad89
SHA256 ee386eec920ea2b59f1a03901b6a1a62fd002c2eeda18c3d76f02cc49a313202
SHA512 63245cdcfddae432f926464b0c331f2a6649500db98b59662b9a5716049c3408cf6832491ef291c18b4180d7743cc11ba09130c90821aae1bec93121b8401693

C:\Users\Admin\AppData\Local\Temp\shiCFAF.tmp

MD5 77d6c08c6448071b47f02b41fa18ed37
SHA1 e7fdb62abdb6d4131c00398f92bc72a3b9b34668
SHA256 047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b
SHA512 e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

C:\Windows\Installer\MSIA1F3.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSIA2FE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSIA38B.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\??\Volume{e5d54008-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3dfd1916-7b05-4a81-922d-e8aee985714b}_OnDiskSnapshotProp

MD5 926870d892c5092d803ae446b2b1372a
SHA1 e8329162a9c28e67276d79e7355d90f69870066a
SHA256 a5a22074eb9eaaa2aba0dd272fce2db7c0b76284ca3540730b55cf96f5d9415b
SHA512 f9f7b9640e05be285e4bf45469338f6d753e8550b78fb48bd316f9571a7b1b382f046c147f9fa0b561542b7e5f900206874a512b5517edb72cac3069fa269fa8

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 d33aae4e338f160d047ab6f26b3ee977
SHA1 e46550d940de173ea5ad8fcba9be84467c808fe8
SHA256 80873417f40a50269d4d3cd8c802bfbd6bec07e97952a3713fcf3a7c38fbbbb3
SHA512 7a05187daec902710f9374d58f6f3882809cadbbc69b736f61443a958f6c353c8b292ef85cfd16119a3acc38daf4ae5c946f508d442567e09a01f3afe4b19119

C:\Windows\Installer\MSIA4F4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSIA67B.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\4665D10F8001AA7Fs

MD5 b474444d1dd80c1bedb2e904fd856444
SHA1 7b619a221f86d8e200df24130819ab3d28530e5c
SHA256 6a6c13abed1302785aed7f3ea241edb89a0da6fb30d0b1477d6707e91d17bc65
SHA512 4a687e735c4b649b7c5f79957f837b79d934cc76e63ff6e2ca5744682e03e089058aff164dd379f9cb6bd0bcfc669634a08287f170d070b594b62104e1cab108

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\Telegram.exe

MD5 b207b753976baf91f4a1cfb6a195fd9d
SHA1 4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9
SHA256 96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8
SHA512 5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\prefix

MD5 3fb9de9c3edf4abc3a42deaf14dfa8d6
SHA1 d02d2382706bffb38831acfcce62e720a6d55733
SHA256 84af1d24b024a1e1670302510fc140e55eb009ed5ab8b8e89bb42fb7f184be28
SHA512 7e60951c5c5cff7f623808e1afa098faff020f000ee4a8fc9af5f848204b8c54fe13f9a32e10bfbc618e41b1be437bb08a775b4b2e10a19122c336b55d093692

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\shortcuts-default.json

MD5 cc850fd9abce3912c944d77d8955ebc9
SHA1 71e699b4b680aad0bc339a6511afc75ebb898064
SHA256 e98e0cc330528886e469d795e74a240693968d6a88f3de214878d8f5b08d4bad
SHA512 a8d5aad5fe365d9ea261636956952f705353833456a6cf9dbb4b88d87bbdb2fd52823dad9e77932af8615f2a3e7a1c1c1bacdb5cb00e65affb2644ee3f2def80

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\D877F783D5D3EF8Cs

MD5 9e4d61d6bbe31fbdd409a4ed8bd93950
SHA1 e00825bb8e98a040376bd19ddead6d458755018c
SHA256 7158eb7756cb1a0adae0886d4819e8718be875c8ab283e3a0ab4d7d1f9b6192d
SHA512 a5f60f90df7d7b3d15b79ec6b59a6329a6de0cbb9e4c666320d4d2384276f717d42c819fef607188f18a5cc50ff7327b5c7dc1f59f76b470b67f77c1fd66df46

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\F8806DD0C461824Fs

MD5 fb9a1cbbd1b3531943eecfefa15df5de
SHA1 0295ac1bdc3a668a5f488e6c98a34ad71a53c67b
SHA256 438c768ac7851e93d1081c4291c2b14c250b7cc847050d7716626ab3948760d8
SHA512 abc104efdbf46c9ff9621e9d3c7e3be2d803208e62b63658a1a7f94c8deb823302896b0878c8d9f4962045a7d257afe51047b1ff73f64c2f8e440680a3ef1e60

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\usertag

MD5 87ccdff6d764416c75d4aa695f9be3e4
SHA1 d4c197cb78f5e5f62aef16af3840d3be0509020a
SHA256 e02453e232a9fdc9446885a629109231c07b35f8d2adf886e010cdf07685fdec
SHA512 0224a43341ad897613a233b9b170d4ed523ac45d8d13ab8ae023c6c0b266cb7b68abf3e365f3474045d103f6ce7682d009719592578b601edfceab31d678dca5

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\key_datas

MD5 b1f3e48b1c9ebac1fbaf7fecc0a03e35
SHA1 057bfe7f77b2a7ff32431e6bb9d846494140e1b8
SHA256 ed7df4dac343c5934312fdb4bc9ff8f4397cdadacffcc991ee9ff88081a3bd77
SHA512 51a79b05303fd7c858f0740c1932caeef6b9174cc197ac743400b069c1449d09086cd312b5b599a016ddc811949189f0704f4569bf5167b2cd26fc64f0a5bdb7

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\countries

MD5 5d1f2b862acb26f8353cb1d178a2116f
SHA1 e3989f717bb652b4ee3fd18e4dc3f2e0193c75bd
SHA256 3d6d4e33dcaeff17425ea9451d37bb9c866d711d6ece51ef5c09d2fbd296e85e
SHA512 adb1ef7675a0292b236aafdd923be94705eb7ea7baf25a0d3c001fba2014b8f90473375e96739d8af43a7bd9a123f1ce38c532516da3d1a46db50bf66a0c1a73

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\settingss

MD5 9d6f9ca7beee6410a7ae78a2d81153fd
SHA1 c4ac94f05aa4abe67019f30ef32605f9e4d5b353
SHA256 19b844de3101ae562a3ad7d9019a1710928e96d4bbf7cf0307fbbc5efdc5608b
SHA512 7383059ed94027018df91f61f7ec0d11d5cece6fe4f5335df238e52db1ca94982f7d9cd1e005a8f6c1e2b73da46e364750cd54588ccc247f946212421682eab4

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\A7FDF864FBC10B77s

MD5 72339e5b4ca4743c2c1313c90fa38b27
SHA1 8123ac4d35080c0c397478845b2ab16944636bae
SHA256 6a8a6995f4f87336681017417d6ae78223cd725e1118c4e336c93e203c17a9e4
SHA512 3eb657959bdfc0b30124a7e087d44b33aa7814ee9a18a20205b5debc1b290754024d8529174f3e17646fae77339d28a02312584bd6bda7021ad5b59c67d6fa0d

C:\Users\Admin\AppData\Roaming\Telegram\Telegram中文版 1.0.0\install\7C3C8F4\tdata\shortcuts-custom.json

MD5 874b930b4c2fddc8043f59113c044a14
SHA1 75b14a96fe1194f27913a096e484283b172b1749
SHA256 f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8
SHA512 f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe

MD5 b207b753976baf91f4a1cfb6a195fd9d
SHA1 4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9
SHA256 96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8
SHA512 5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

C:\Config.Msi\e59a01f.rbs

MD5 c5a8c659a0f1ef93302129bdf2bedd05
SHA1 5b8bb1f291ba1f222dd6e52a54a5c31709164b9b
SHA256 a8e0d625daf30f102130f62aba883d75773fea45c08f6f68cc52da61c6d4abd4
SHA512 f4798a53008c4504f3cb211f308d261ae3ea366428ab21f5ed43ae52cc4a2bfdb048d59a0ab2c4c07fda356750befd23ee186ad03f34e1e6a5e5a34e6125ea15

C:\Users\Admin\AppData\Local\Temp\MSID98C.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Public\die\u5.exe

MD5 6563e582bd4db6059b336fad0c465bca
SHA1 d731b97b1b4bf1b88b0863b70b7637d3dfec31a1
SHA256 b27cbec0ee72387bbc2e93fa001741cd181e8fc4eb4c14543c4b271372422a48
SHA512 e9187d1a814045a3c4a59842e823117ef67beabb411fddd6b2e283cdc959e5ed3d99556b005b15e1e402453c7dae0b60f26baf1671179106b6485c2060ad4b2b

memory/2880-336-0x0000000000400000-0x0000000000691000-memory.dmp

memory/2880-346-0x0000000000400000-0x0000000000691000-memory.dmp

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

memory/528-350-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/2880-351-0x0000000000400000-0x0000000000691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI2079.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

memory/528-360-0x00000000779F4000-0x00000000779F6000-memory.dmp

memory/528-362-0x0000000004750000-0x0000000004751000-memory.dmp

memory/528-361-0x00000000047F0000-0x00000000047F1000-memory.dmp

memory/528-363-0x00000000047B0000-0x00000000047B1000-memory.dmp

memory/528-364-0x0000000004770000-0x0000000004771000-memory.dmp

memory/528-365-0x0000000004760000-0x0000000004761000-memory.dmp

memory/528-367-0x0000000004800000-0x0000000004801000-memory.dmp

memory/528-366-0x00000000047E0000-0x00000000047E2000-memory.dmp

memory/528-368-0x00000000047A0000-0x00000000047A1000-memory.dmp

memory/528-369-0x00000000047D0000-0x00000000047D1000-memory.dmp

memory/528-370-0x00000000047C0000-0x00000000047C1000-memory.dmp

memory/528-371-0x0000000004810000-0x0000000004811000-memory.dmp

memory/528-373-0x00000000048F0000-0x00000000048F1000-memory.dmp

memory/528-372-0x0000000004860000-0x0000000004861000-memory.dmp

memory/528-374-0x0000000004740000-0x0000000004741000-memory.dmp

memory/528-375-0x0000000004900000-0x0000000004901000-memory.dmp

memory/528-376-0x0000000004790000-0x0000000004791000-memory.dmp

memory/528-377-0x0000000004780000-0x0000000004781000-memory.dmp

memory/528-378-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/528-380-0x0000000004870000-0x0000000004871000-memory.dmp

memory/528-379-0x00000000048D0000-0x00000000048D2000-memory.dmp

C:\WINDOWS\DNomb\Mpec.mbt

MD5 8db06e3aa4b48d0e6facc185e0a65bea
SHA1 018a92dc40d3716142ea2346dd8ad42fae1123b4
SHA256 bf25b32a67c1b78806a87939201a486cac62816e1c9e02b10788a15a1ae42ba2
SHA512 b9ffd48a4e4c76c603e588ea5a03e568dfc882ae468d2cf6b2ae9bc46665fa1d7887556eb11b4f35bfefa08d437777d696def21f187f4e107474fd9851ffef31

memory/528-381-0x0000000004840000-0x0000000004842000-memory.dmp

memory/3864-384-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3864-385-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3864-386-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3864-387-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\WINDOWS\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/3864-391-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3864-392-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4760-397-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4760-398-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4760-399-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/4760-403-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4760-404-0x0000000010000000-0x000000001002A000-memory.dmp

memory/528-409-0x0000000000400000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIA8D4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6
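
The listing above is easier to act on once it is collapsed by content rather than by path: the same installer temp file is written under many MSI*.tmp names, while two different spolsvt.exe binaries are dropped into different directories. The following Python script is an added example, not part of the sandbox report or its tooling. It parses the Files section in the page's own layout (path, blank line, MD5/SHA1/SHA256/SHA512), rejects digests of the wrong length, groups entries by SHA256, flags basenames that occur with more than one hash, and separates the Windows Installer MSI*.tmp files from the other drops. The embedded input is an excerpt of the entries above; the MSI*.tmp split is an assumed review order, not a judgement that those files are benign.

```python
import re
from collections import defaultdict

# Expected hex length per digest type: catches truncated or mis-pasted
# hashes before they land in a blocklist.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MSI_TEMP = re.compile(r"\\MSI[0-9A-F]+\.tmp$", re.IGNORECASE)

# Excerpt of the report's Files section in the page's own layout (path, blank
# line, digests). MSI9D3.tmp appears twice because the report lists it twice.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\MSI9D3.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9D3.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSIA1F3.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

memory/2880-336-0x0000000000400000-0x0000000000691000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f
"""


def parse_listing(text):
    """Return [(path, {digest_type: hex}), ...]; memory/... dumps get an empty dict."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:  # anything that is not a digest line starts a new entry
            current = (line, {})
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"digest line before any path: {line}")
        kind, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LENGTHS[kind]:
            raise ValueError(f"{current[0]}: {kind} is {len(digest)} hex chars, "
                             f"expected {HASH_LENGTHS[kind]}")
        current[1][kind] = digest
    return records


def group_by_sha256(records):
    """One group per distinct SHA256 with every path that content was written to."""
    groups = {}
    for path, digests in records:
        if "SHA256" in digests:  # memory dumps carry no digests and are skipped
            g = groups.setdefault(digests["SHA256"], {"paths": set(), "digests": digests})
            g["paths"].add(path)
    return groups


def name_collisions(groups):
    """Basenames seen with more than one SHA256 (two different spolsvt.exe here)."""
    by_name = defaultdict(set)
    for sha256, g in groups.items():
        for path in g["paths"]:
            by_name[path.rsplit("\\", 1)[-1].lower()].add(sha256)
    return {name: shas for name, shas in by_name.items() if len(shas) > 1}


def triage(groups):
    """Split SHA256s into Windows Installer temp files (only ever seen as MSI*.tmp)
    and everything else. Assumed review order, not a verdict: the MSI temp content
    still has to be examined before it is blocklisted or dismissed as installer runtime."""
    installer_temp, dropped = [], []
    for sha256, g in groups.items():
        bucket = installer_temp if all(MSI_TEMP.search(p) for p in g["paths"]) else dropped
        bucket.append(sha256)
    return {"installer_temp": sorted(installer_temp), "dropped": sorted(dropped)}
```

Run it over the full Files section by reading the report text into parse_listing in place of SAMPLE_LISTING; group_by_sha256 then turns the dozens of MSI*.tmp entries into a handful of distinct hashes, name_collisions surfaces the two spolsvt.exe variants, and the "dropped" half of triage is the set worth pushing to a blocklist first. The length check matters because a SHA256 copied with one hex character missing silently matches nothing.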