d84b2a0632974c30a318ca1b44f42c5dc5078c20b9ff6707c0e7892b9e3676d6

Resubmissions

25-08-2023 04:18

230825-ew69csaf3y 7

24-08-2023 04:13

230824-etjehsbd81 7

23-08-2023 14:35

230823-rxy1laeb7y 7

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2023 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tsetup-x6.msi
Size

40.1MB
MD5

5e1986968c2bd94cbdef6e874196c833
SHA1

84266c00bb29574dc93acd6b9ce8160d6ac446db
SHA256

d84b2a0632974c30a318ca1b44f42c5dc5078c20b9ff6707c0e7892b9e3676d6
SHA512

29425d1f42aeb1ac795e7af5a0965fd277befa0453efc1e81de368a9d6528e8d4e7f5a93ccdfa11413516738186e3636ad6a4188a42a207042786c1b88ec36cb
SSDEEP

786432:8aigSeDY+BFJOjSX+nhqcoiHGgLrc20pHDXRckQ1I/r2qgkG+YvwH4:8aq65nkSX+nhqcdng51DXRckQ6jFgmYh

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

SCiP.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\LETsite_Cure.lnk	SCiP.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\LETsite_Cure.lnk	SCiP.exe

Executes dropped EXE 6 IoCs

Processes:

999.exetsetup-x64.4.8.3.exetsetup-x64.4.8.3.tmpSCiP.exeMI2L2L.exeTelegram.exe

pid process

828 999.exe
1488 tsetup-x64.4.8.3.exe
4300 tsetup-x64.4.8.3.tmp
3556 SCiP.exe
4208 MI2L2L.exe
2964 Telegram.exe

pid	process
828	999.exe
1488	tsetup-x64.4.8.3.exe
4300	tsetup-x64.4.8.3.tmp
3556	SCiP.exe
4208	MI2L2L.exe
2964	Telegram.exe

Loads dropped DLL 13 IoCs

Processes:

MsiExec.exeMsiExec.exeMI2L2L.exeTelegram.exe

pid	process
4172	MsiExec.exe
4172	MsiExec.exe
4172	MsiExec.exe
4172	MsiExec.exe
4172	MsiExec.exe
4172	MsiExec.exe
4308	MsiExec.exe
4308	MsiExec.exe
4172	MsiExec.exe
4172	MsiExec.exe
4208	MI2L2L.exe
4208	MI2L2L.exe
2964	Telegram.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

Telegram.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Program Files (x86)\tsetup-x6\tsetup-x6\tsetup-x64.4.8.3.exe msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\tsetup-x6\tsetup-x6\tsetup-x64.4.8.3.exe	msiexec.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e58b87d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58b87d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB987.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB0F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7723E04B-CD41-4EED-8693-618C2BEFD194}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE6B.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 32 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 78003100000000001857f72111004d7573696300640009000400efbe874fdb491857f7212e000000fd0500000000010000000000000000003a000000000004fded004d007500730069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 7c003100000000001857f32111005075626c69630000660009000400efbe874fdb491857f4212e000000f80500000000010000000000000000003c0000000000cbde19015000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000e3568b641100557365727300640009000400efbe874f77481857ca212e000000c70500000000010000000000000000003a0000000000696eed0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Music"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 54003100000000001857f721100045787268623400003e0009000400efbe1857f7211857f7212e000000e531020000000700000000000000000000000000000004fded00450078007200680062003400000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

explorer.exeTelegram.exe

pid process

1572 explorer.exe
2964 Telegram.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exetsetup-x64.4.8.3.tmp999.exe

pid process

772 msiexec.exe
772 msiexec.exe
4300 tsetup-x64.4.8.3.tmp
4300 tsetup-x64.4.8.3.tmp
828 999.exe
828 999.exe

pid	process
1572	explorer.exe
2964	Telegram.exe

pid	process
772	msiexec.exe
772	msiexec.exe
4300	tsetup-x64.4.8.3.tmp
4300	tsetup-x64.4.8.3.tmp
828	999.exe
828	999.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	220	msiexec.exe
Token: SeSecurityPrivilege	772	msiexec.exe
Token: SeCreateTokenPrivilege	220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	220	msiexec.exe
Token: SeLockMemoryPrivilege	220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	220	msiexec.exe
Token: SeMachineAccountPrivilege	220	msiexec.exe
Token: SeTcbPrivilege	220	msiexec.exe
Token: SeSecurityPrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeLoadDriverPrivilege	220	msiexec.exe
Token: SeSystemProfilePrivilege	220	msiexec.exe
Token: SeSystemtimePrivilege	220	msiexec.exe
Token: SeProfSingleProcessPrivilege	220	msiexec.exe
Token: SeIncBasePriorityPrivilege	220	msiexec.exe
Token: SeCreatePagefilePrivilege	220	msiexec.exe
Token: SeCreatePermanentPrivilege	220	msiexec.exe
Token: SeBackupPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeShutdownPrivilege	220	msiexec.exe
Token: SeDebugPrivilege	220	msiexec.exe
Token: SeAuditPrivilege	220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	220	msiexec.exe
Token: SeChangeNotifyPrivilege	220	msiexec.exe
Token: SeRemoteShutdownPrivilege	220	msiexec.exe
Token: SeUndockPrivilege	220	msiexec.exe
Token: SeSyncAgentPrivilege	220	msiexec.exe
Token: SeEnableDelegationPrivilege	220	msiexec.exe
Token: SeManageVolumePrivilege	220	msiexec.exe
Token: SeImpersonatePrivilege	220	msiexec.exe
Token: SeCreateGlobalPrivilege	220	msiexec.exe
Token: SeCreateTokenPrivilege	220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	220	msiexec.exe
Token: SeLockMemoryPrivilege	220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	220	msiexec.exe
Token: SeMachineAccountPrivilege	220	msiexec.exe
Token: SeTcbPrivilege	220	msiexec.exe
Token: SeSecurityPrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeLoadDriverPrivilege	220	msiexec.exe
Token: SeSystemProfilePrivilege	220	msiexec.exe
Token: SeSystemtimePrivilege	220	msiexec.exe
Token: SeProfSingleProcessPrivilege	220	msiexec.exe
Token: SeIncBasePriorityPrivilege	220	msiexec.exe
Token: SeCreatePagefilePrivilege	220	msiexec.exe
Token: SeCreatePermanentPrivilege	220	msiexec.exe
Token: SeBackupPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeShutdownPrivilege	220	msiexec.exe
Token: SeDebugPrivilege	220	msiexec.exe
Token: SeAuditPrivilege	220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	220	msiexec.exe
Token: SeChangeNotifyPrivilege	220	msiexec.exe
Token: SeRemoteShutdownPrivilege	220	msiexec.exe
Token: SeUndockPrivilege	220	msiexec.exe
Token: SeSyncAgentPrivilege	220	msiexec.exe
Token: SeEnableDelegationPrivilege	220	msiexec.exe
Token: SeManageVolumePrivilege	220	msiexec.exe
Token: SeImpersonatePrivilege	220	msiexec.exe
Token: SeCreateGlobalPrivilege	220	msiexec.exe
Token: SeCreateTokenPrivilege	220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	220	msiexec.exe
Token: SeLockMemoryPrivilege	220	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exetsetup-x64.4.8.3.tmp999.exe

pid process

220 msiexec.exe
220 msiexec.exe
4300 tsetup-x64.4.8.3.tmp
828 999.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

999.exeexplorer.exe

pid process

828 999.exe
828 999.exe
1572 explorer.exe
1572 explorer.exe

pid	process
220	msiexec.exe
220	msiexec.exe
4300	tsetup-x64.4.8.3.tmp
828	999.exe

pid	process
828	999.exe
828	999.exe
1572	explorer.exe
1572	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

msiexec.exetsetup-x64.4.8.3.exe999.exeexplorer.exetsetup-x64.4.8.3.tmp

description	pid	process	target process
PID 772 wrote to memory of 4172	772	msiexec.exe	MsiExec.exe
PID 772 wrote to memory of 4172	772	msiexec.exe	MsiExec.exe
PID 772 wrote to memory of 4172	772	msiexec.exe	MsiExec.exe
PID 772 wrote to memory of 2164	772	msiexec.exe	srtasks.exe
PID 772 wrote to memory of 2164	772	msiexec.exe	srtasks.exe
PID 772 wrote to memory of 4308	772	msiexec.exe	MsiExec.exe
PID 772 wrote to memory of 4308	772	msiexec.exe	MsiExec.exe
PID 772 wrote to memory of 4308	772	msiexec.exe	MsiExec.exe
PID 772 wrote to memory of 828	772	msiexec.exe	999.exe
PID 772 wrote to memory of 828	772	msiexec.exe	999.exe
PID 772 wrote to memory of 828	772	msiexec.exe	999.exe
PID 1488 wrote to memory of 4300	1488	tsetup-x64.4.8.3.exe	tsetup-x64.4.8.3.tmp
PID 1488 wrote to memory of 4300	1488	tsetup-x64.4.8.3.exe	tsetup-x64.4.8.3.tmp
PID 1488 wrote to memory of 4300	1488	tsetup-x64.4.8.3.exe	tsetup-x64.4.8.3.tmp
PID 828 wrote to memory of 1404	828	999.exe	explorer.exe
PID 828 wrote to memory of 1404	828	999.exe	explorer.exe
PID 1572 wrote to memory of 3556	1572	explorer.exe	SCiP.exe
PID 1572 wrote to memory of 3556	1572	explorer.exe	SCiP.exe
PID 1572 wrote to memory of 3556	1572	explorer.exe	SCiP.exe
PID 1572 wrote to memory of 4208	1572	explorer.exe	MI2L2L.exe
PID 1572 wrote to memory of 4208	1572	explorer.exe	MI2L2L.exe
PID 1572 wrote to memory of 4208	1572	explorer.exe	MI2L2L.exe
PID 4300 wrote to memory of 2964	4300	tsetup-x64.4.8.3.tmp	Telegram.exe
PID 4300 wrote to memory of 2964	4300	tsetup-x64.4.8.3.tmp	Telegram.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tsetup-x6.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:220

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 176DC0A8C15852C73FF3B2193173FCAE C
2⤵
- Loads dropped DLL
PID:4172

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2164

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7A1003BFA2C4BBC4E6F42D1FDC5FA7C7
2⤵
- Loads dropped DLL
PID:4308

C:\Users\Admin\Documents\999.exe
"C:\Users\Admin\Documents\999.exe" 命令行
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\explorer.exe
C:\Windows\explorer.exe C:\Users\Public\Music\Exrhb4
3⤵
PID:1404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3656

C:\Program Files (x86)\tsetup-x6\tsetup-x6\tsetup-x64.4.8.3.exe
"C:\Program Files (x86)\tsetup-x6\tsetup-x6\tsetup-x64.4.8.3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\is-V0L71.tmp\tsetup-x64.4.8.3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V0L71.tmp\tsetup-x64.4.8.3.tmp" /SL5="$40200,40001849,814592,C:\Program Files (x86)\tsetup-x6\tsetup-x6\tsetup-x64.4.8.3.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4300

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: AddClipboardFormatListener
PID:2964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Roaming\TTQ9P\SCiP.exe
"C:\Users\Admin\AppData\Roaming\TTQ9P\SCiP.exe" -n C:\Users\Admin\AppData\Roaming\TTQ9P\0GD.zip -d C:\Users\Admin\AppData\Roaming
2⤵
- Drops startup file
- Executes dropped EXE
PID:3556

C:\Users\Public\Videos\6M6P5P\MI2L2L.exe
"C:\Users\Public\Videos\6M6P5P\MI2L2L.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58b87e.rbs

Filesize
1KB

MD5
50edf201cb636be1bf2673c77740f2ce

SHA1
db75587e8ecbc03d0a2ea8cacf96bed86a71723b

SHA256
4edca48d1bce29c9cb3954d76891387bec10fe2f251fda27ff6f84ce828c6f70

SHA512
e4f619367130e1c83948a86690d935134c648c22cac391ac7fa8a6edfd5eabcec92a40d50bbacbadd70cf13cc5b271b9d0026fb94dac839b46e48d6fad52062e

Download Submit
C:\Program Files (x86)\tsetup-x6\tsetup-x6\tsetup-x64.4.8.3.exe

Filesize
39.0MB

MD5
c5eea4798d424e3f5dccf04bde9be82e

SHA1
575c10e8604b51591bc492a9f7c5999e2443dffc

SHA256
46c1ddad54a00ebf0a4e486499e73ff0496569c0168d6ff56d3671a08153b4e4

SHA512
e2512abe59cdb29501031619da35e68768d9f86a05141b19dfb22ccf3fcf038fd03b5fa8be042c09abbf4b312ab8d190a54f74a552602abbe0c55bd9d0798cfc

Download Submit
C:\Program Files (x86)\tsetup-x6\tsetup-x6\tsetup-x64.4.8.3.exe

Filesize
39.0MB

MD5
c5eea4798d424e3f5dccf04bde9be82e

SHA1
575c10e8604b51591bc492a9f7c5999e2443dffc

SHA256
46c1ddad54a00ebf0a4e486499e73ff0496569c0168d6ff56d3671a08153b4e4

SHA512
e2512abe59cdb29501031619da35e68768d9f86a05141b19dfb22ccf3fcf038fd03b5fa8be042c09abbf4b312ab8d190a54f74a552602abbe0c55bd9d0798cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC4A9.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC4A9.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC527.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC527.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF0F7.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF0F7.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF3F6.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF3F6.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF407.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF407.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF407.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF427.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF427.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF62B.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF62B.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF69A.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF69A.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V0L71.tmp\tsetup-x64.4.8.3.tmp

Filesize
3.0MB

MD5
c6519ab04ac2122009b49bc5a5a286f5

SHA1
70bae0dd5d397ed8ec971e235bb1e2a8a73ab8da

SHA256
80de8002597dc3b197d28b39056b3aa815fcaad79b4333c537e0b6c77f1930f9

SHA512
f05db9a1af925ec869ee6b3dfa6aa6c024742711ffbd9710fcf8fd32d2ee7a617a34ce9e40636c0e9c7c5d9cdf951060e52d9319cab85059278cd5486277f18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V0L71.tmp\tsetup-x64.4.8.3.tmp

Filesize
3.0MB

MD5
c6519ab04ac2122009b49bc5a5a286f5

SHA1
70bae0dd5d397ed8ec971e235bb1e2a8a73ab8da

SHA256
80de8002597dc3b197d28b39056b3aa815fcaad79b4333c537e0b6c77f1930f9

SHA512
f05db9a1af925ec869ee6b3dfa6aa6c024742711ffbd9710fcf8fd32d2ee7a617a34ce9e40636c0e9c7c5d9cdf951060e52d9319cab85059278cd5486277f18e

Download Submit
C:\Users\Admin\AppData\Roaming\TTQ9P\0GD.zip

Filesize
1KB

MD5
02b57f2f244cf52ab79d7cbe403b8482

SHA1
0a767e9baad7dce3803d43d008c22ecf2a47d61b

SHA256
623198b756babaabeca247bf9b25ce6362a27318d15340ff866437e67683c59d

SHA512
e7289a1d1789610afaab4224fa5367de576592a30c301aabcb98541ceb569d44f14e0a6dce58d378cd724da698d2bb514847ea71732081d40a1222e04e87bd51

Download Submit
C:\Users\Admin\AppData\Roaming\TTQ9P\LETsite_Cure.lnk

Filesize
1KB

MD5
d57b301017ce80d271e5df9a2d4f6866

SHA1
a3bb244f7e32d269c8e9ed7b2368e68c547388da

SHA256
e158c9a4c2adb969254dbf33219d3924c160696163ef522099abea4d67b08d9b

SHA512
9e9d42635946334896ab6730015dee67e3d2ddd362801b8b09e6ded9a505df8d85a77f09daeb7d91e292b4c6795046e5ece917affef0c9a87adef030c4482c77

Download Submit
C:\Users\Admin\AppData\Roaming\TTQ9P\SCiP.exe

Filesize
123KB

MD5
d45ac76aff1438925578bbaeff0a07a9

SHA1
d2def1fdbe2e8fe91055ef8defdda431a01c80dc

SHA256
bf9eea98236e80d7726473a7cde8d9c780d5f055186934b5932c16390be711cb

SHA512
4fac746faadb83f5b96eda6e9f513b5c2f8f2c91e7d9f4666927222a9385f81a52bd52ae738644d944f7f7b9f4c30c35299593630a94807119f830db26992fb3

Download Submit
C:\Users\Admin\AppData\Roaming\TTQ9P\SCiP.exe

Filesize
123KB

MD5
d45ac76aff1438925578bbaeff0a07a9

SHA1
d2def1fdbe2e8fe91055ef8defdda431a01c80dc

SHA256
bf9eea98236e80d7726473a7cde8d9c780d5f055186934b5932c16390be711cb

SHA512
4fac746faadb83f5b96eda6e9f513b5c2f8f2c91e7d9f4666927222a9385f81a52bd52ae738644d944f7f7b9f4c30c35299593630a94807119f830db26992fb3

Download Submit
C:\Users\Admin\AppData\Roaming\TTQ9P\SCiP.exe

Filesize
123KB

MD5
d45ac76aff1438925578bbaeff0a07a9

SHA1
d2def1fdbe2e8fe91055ef8defdda431a01c80dc

SHA256
bf9eea98236e80d7726473a7cde8d9c780d5f055186934b5932c16390be711cb

SHA512
4fac746faadb83f5b96eda6e9f513b5c2f8f2c91e7d9f4666927222a9385f81a52bd52ae738644d944f7f7b9f4c30c35299593630a94807119f830db26992fb3

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
126.7MB

MD5
b207b753976baf91f4a1cfb6a195fd9d

SHA1
4c7a1cf450d6a96f6f9321a6407cd2d6dd50abb9

SHA256
96fbe1f018b68dc7be9b901eace3e9de00f8b6939af49153b8ebd88d868404d8

SHA512
5e8d9b3a4b78dbf495f14f0136cd891ee4f2fa6bcb4a051b73ba0f1acced17ac1abfceb94748cd10ba759c467be09b107ce1493679791715d05b65e13c5241f1

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
81.1MB

MD5
8907347f5fda6138816ce31024a2c813

SHA1
5b682b669bcb8485a292fc31c77bb57ebb928c92

SHA256
8b06de068ff8374aa91d4f98ebb4c68d9d1f8557ed9b18f035821b6daf34c558

SHA512
e29d3872321244c338a48ffd1d2107a8ac31a3bc1eadfd50036596ed00956d3abfe6184765d0eb4a386469b38bb74771a391531040aed178a50edceaacce579e

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
82.3MB

MD5
fc1dabcd8f5ea869580e49207f175f54

SHA1
b130a8f772ad5ba0ae017cce885e88bbc860cfe8

SHA256
c70813e7634816078d0a1b71f6375d5fe79711877a215b42d9bc4da18180428b

SHA512
8c66fdabd33dff8fb32d796c53130c3cd4f1fc1ebf1d7396a7fdea6782ff20bd52db00dc94014e84e31ce86026127b63d1255be58a63f6b2041b6a3261248c0a

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

Filesize
4.7MB

MD5
62a89e7867d853fee9ad07b7c9d64379

SHA1
944a53602492187308352103d80ff27af1093abf

SHA256
d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

SHA512
7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

Filesize
4.7MB

MD5
62a89e7867d853fee9ad07b7c9d64379

SHA1
944a53602492187308352103d80ff27af1093abf

SHA256
d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

SHA512
7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

Download Submit
C:\Users\Admin\Documents\999.exe

Filesize
792KB

MD5
cb072093838a0215803d0185df4a9af1

SHA1
4c345e5b50ce52abed5842e70f99e0032c87eaf5

SHA256
96d0806e438b5508a4bc0c85670325201e5e0abbf3b338d5ffbff601b05017af

SHA512
03ab19eba3febab68ce3636d6081016cd69e82b40277eea50a9aeb29a6c47033c245a471ef91500fdc09375a19b379dfe226bcc3585d40856684a5c23d626133

Download Submit
C:\Users\Admin\Documents\999.exe

Filesize
792KB

MD5
cb072093838a0215803d0185df4a9af1

SHA1
4c345e5b50ce52abed5842e70f99e0032c87eaf5

SHA256
96d0806e438b5508a4bc0c85670325201e5e0abbf3b338d5ffbff601b05017af

SHA512
03ab19eba3febab68ce3636d6081016cd69e82b40277eea50a9aeb29a6c47033c245a471ef91500fdc09375a19b379dfe226bcc3585d40856684a5c23d626133

Download Submit
C:\Users\Public\0K0K0J

Filesize
1.4MB

MD5
70a1467f0cf443eaf202708c1883469c

SHA1
e66f3a3201a1ca32b5d0e7e4aee63d9d56d17297

SHA256
e51892bef88e77d77cef2324c17266756e33a0ffa17bc171bc3683045bbbf6c8

SHA512
4149d412277a13161382d93e14a7ec568eead624addc3608ccfd9b299cf6a4c0a0d2f5a7f308b01a1981789a12507c22a71c605df823af80d05284addd24477f

Download Submit
C:\Users\Public\Music\Exrhb4\2JCj3T.url

Filesize
74B

MD5
46f21e1ddf50ec4b5d530f0907397b52

SHA1
f43ee4037603b9cd6b0595079fe8a35714c0cf2c

SHA256
e57fb81a3382bd292c9e34a68be13f7e3aaf9080a19618c4feb8956aa2d69fe2

SHA512
10e0e43606dc3d4abfe392bee731b1baa06c10006db2354f08b37a557c94c38c0c820aeafe30ad30bbec6b91305c87802ffaaa2d865274ea4ffaed2f0fa233cc

Download Submit
C:\Users\Public\Music\Exrhb4\2VCi2S.lnk

Filesize
1006B

MD5
3742df4bef8207c0d91c6e086c9cf1b6

SHA1
827ccdf8eb6340f9d07445513e6ff0091ea7aae3

SHA256
2ce673447df9ac6bbdd8618207cf472128aa89b64f62bf76e4948b6e140592cb

SHA512
693ff42c62f665fff3faf7be58494379a6bcd4dfe19c645221b4c39664c2e997524a6fe0c05335e8ec8c2c9403c1dd4cfe2520870bea3caf461b1c4913fc10ac

Download Submit
C:\Users\Public\Music\Exrhb4\Ag60TA.lnk

Filesize
1006B

MD5
0c90c1b0489842b706cea14fd715dea1

SHA1
3f46e86b8f7898f2313319ed30f607a7c5aa34c8

SHA256
999885baf3e02145aa1a59df948af19a1433bf1bbb86bdba252f478a119e6a36

SHA512
85a688fabe938187d4afc2e65bac7fb6d7495c2fb02c33e4726b8f1ce93a8d98d0399e6f1560a2ae252a3bebde2d0ef7fac0df3bbd82152a4841b9847978406a

Download Submit
C:\Users\Public\Music\Exrhb4\Fvo5YP.lnk

Filesize
1006B

MD5
29d2a189d457017c3bace8e20fe8bcb8

SHA1
10f1e43a42a74fc67d428142cba62ae73292f69f

SHA256
77601e90c46bb14ae9cae9a63223ebe1142c7aa837a58c5207b6d2d2b400e1a5

SHA512
4a3ce3d113a1e10cfffe7a3abf77e53caa80703d1e8f026fbb102d3d64473c5cf2997e6a559f4dfeefd863426acdb5e7b334b3d399a570cc367d9eb6e02723f4

Download Submit
C:\Users\Public\Music\Exrhb4\Lsc2VC.url

Filesize
74B

MD5
46f21e1ddf50ec4b5d530f0907397b52

SHA1
f43ee4037603b9cd6b0595079fe8a35714c0cf2c

SHA256
e57fb81a3382bd292c9e34a68be13f7e3aaf9080a19618c4feb8956aa2d69fe2

SHA512
10e0e43606dc3d4abfe392bee731b1baa06c10006db2354f08b37a557c94c38c0c820aeafe30ad30bbec6b91305c87802ffaaa2d865274ea4ffaed2f0fa233cc

Download Submit
C:\Users\Public\Music\Exrhb4\MGwqj9.lnk

Filesize
1006B

MD5
35c3a4c5477b2b3c3e6ae6ae94b39cbe

SHA1
2307994fdb67db71e22a2c201b2953cccbe9d514

SHA256
dd23e4480685c14f4acf55de0c81fa19db8fafe28ed65cfc07810a2ad449bb6f

SHA512
0a903aaa468440c2c520dc9434cb639864eb2eb7ff1c190b847fc7e6921eae0045b17322d0739e51155916b39bccd3dde230fe64efae7676d6fa47500092e800

Download Submit
C:\Users\Public\Music\Exrhb4\NtaUKE.lnk

Filesize
1006B

MD5
7193442bc941814c2b8e8d4964700dc7

SHA1
97f757286e9d0a5275423639ffad63a74b9091d5

SHA256
46d07aa83b2ad97bf523bfad56de27774007123086a98c223d84060258321efe

SHA512
cd438358cc316bc202332b27050cc8f14b6d2c052f89b7a7a505c92ba296ae791f23cc3590d009fe544e8b28476f51f88c742ad6100f269ca7ee248940438c4c

Download Submit
C:\Users\Public\Music\Exrhb4\TAtkd7.lnk

Filesize
1006B

MD5
f32211fea3e48506acb667400ca4270e

SHA1
2d2a67241ee06af168a543817352c70e57c0ee0b

SHA256
df48570fee7a58d94994b54dd3c68e7c53a9e177de071750e965e7278c66805e

SHA512
e403d2a6a309c90262a61900f85eade6940126460a952ae93f06aa0d13571e1df20cc9eb6042ed585ba5daba0504d69c6b7609ae51e95c9055633c08f14ad0cb

Download Submit
C:\Users\Public\Music\Exrhb4\UDka4X.url

Filesize
74B

MD5
46f21e1ddf50ec4b5d530f0907397b52

SHA1
f43ee4037603b9cd6b0595079fe8a35714c0cf2c

SHA256
e57fb81a3382bd292c9e34a68be13f7e3aaf9080a19618c4feb8956aa2d69fe2

SHA512
10e0e43606dc3d4abfe392bee731b1baa06c10006db2354f08b37a557c94c38c0c820aeafe30ad30bbec6b91305c87802ffaaa2d865274ea4ffaed2f0fa233cc

Download Submit
C:\Users\Public\Music\Exrhb4\WCwcTz.lnk

Filesize
1006B

MD5
7e5bbe66359baddd30743892d622e3bd

SHA1
dd10009e747232a358e955d144a3807d49331bb5

SHA256
5592f5f46d422f8b8f47f3fba0e07b53e253baec865c4271a655b1c81266e45a

SHA512
30f5f0d8e4ef5cf955c7e4a74bff47dec291139d9694a794e40fd77a92b2846f76dfb64aacbba193b4c58db9c2e4f175c17068864d2a144848693641717d5f6a

Download Submit
C:\Users\Public\Music\Exrhb4\_Sz5MF.url

Filesize
74B

MD5
46f21e1ddf50ec4b5d530f0907397b52

SHA1
f43ee4037603b9cd6b0595079fe8a35714c0cf2c

SHA256
e57fb81a3382bd292c9e34a68be13f7e3aaf9080a19618c4feb8956aa2d69fe2

SHA512
10e0e43606dc3d4abfe392bee731b1baa06c10006db2354f08b37a557c94c38c0c820aeafe30ad30bbec6b91305c87802ffaaa2d865274ea4ffaed2f0fa233cc

Download Submit
C:\Users\Public\Music\Exrhb4\g9QJgX.url

Filesize
74B

MD5
46f21e1ddf50ec4b5d530f0907397b52

SHA1
f43ee4037603b9cd6b0595079fe8a35714c0cf2c

SHA256
e57fb81a3382bd292c9e34a68be13f7e3aaf9080a19618c4feb8956aa2d69fe2

SHA512
10e0e43606dc3d4abfe392bee731b1baa06c10006db2354f08b37a557c94c38c0c820aeafe30ad30bbec6b91305c87802ffaaa2d865274ea4ffaed2f0fa233cc

Download Submit
C:\Users\Public\Music\Exrhb4\k1UKEk.url

Filesize
74B

MD5
46f21e1ddf50ec4b5d530f0907397b52

SHA1
f43ee4037603b9cd6b0595079fe8a35714c0cf2c

SHA256
e57fb81a3382bd292c9e34a68be13f7e3aaf9080a19618c4feb8956aa2d69fe2

SHA512
10e0e43606dc3d4abfe392bee731b1baa06c10006db2354f08b37a557c94c38c0c820aeafe30ad30bbec6b91305c87802ffaaa2d865274ea4ffaed2f0fa233cc

Download Submit
C:\Users\Public\Music\Exrhb4\kd7XDx.url

Filesize
74B

MD5
46f21e1ddf50ec4b5d530f0907397b52

SHA1
f43ee4037603b9cd6b0595079fe8a35714c0cf2c

SHA256
e57fb81a3382bd292c9e34a68be13f7e3aaf9080a19618c4feb8956aa2d69fe2

SHA512
10e0e43606dc3d4abfe392bee731b1baa06c10006db2354f08b37a557c94c38c0c820aeafe30ad30bbec6b91305c87802ffaaa2d865274ea4ffaed2f0fa233cc

Download Submit
C:\Users\Public\Music\Exrhb4\kd7XDx.url

Filesize
74B

MD5
46f21e1ddf50ec4b5d530f0907397b52

SHA1
f43ee4037603b9cd6b0595079fe8a35714c0cf2c

SHA256
e57fb81a3382bd292c9e34a68be13f7e3aaf9080a19618c4feb8956aa2d69fe2

SHA512
10e0e43606dc3d4abfe392bee731b1baa06c10006db2354f08b37a557c94c38c0c820aeafe30ad30bbec6b91305c87802ffaaa2d865274ea4ffaed2f0fa233cc

Download Submit
C:\Users\Public\Videos\6M6P5P\MI2L2L.exe

Filesize
188KB

MD5
d05c2a2f2a02419f1dbfcda9497e10ba

SHA1
3cfb4351767f5fd8c5bc078d037d0e0e5e7f2cb5

SHA256
d9914af5dfbc0813de5570a3d2fcb8fe848d232a71cdcd424672e9cc8406382b

SHA512
cd336acce69c0d878d2cf352adc5c2c242bdcd9ad2ceb5f917987f8e76421b38c691b9fcefc88962789f97d447cd8e6a2f3fe83f1440a998ed9876253040a2ca

Download Submit
C:\Users\Public\Videos\6M6P5P\MI2L2L.exe

Filesize
188KB

MD5
d05c2a2f2a02419f1dbfcda9497e10ba

SHA1
3cfb4351767f5fd8c5bc078d037d0e0e5e7f2cb5

SHA256
d9914af5dfbc0813de5570a3d2fcb8fe848d232a71cdcd424672e9cc8406382b

SHA512
cd336acce69c0d878d2cf352adc5c2c242bdcd9ad2ceb5f917987f8e76421b38c691b9fcefc88962789f97d447cd8e6a2f3fe83f1440a998ed9876253040a2ca

Download Submit
C:\Users\Public\Videos\6M6P5P\MI2L2L.exe

Filesize
188KB

MD5
d05c2a2f2a02419f1dbfcda9497e10ba

SHA1
3cfb4351767f5fd8c5bc078d037d0e0e5e7f2cb5

SHA256
d9914af5dfbc0813de5570a3d2fcb8fe848d232a71cdcd424672e9cc8406382b

SHA512
cd336acce69c0d878d2cf352adc5c2c242bdcd9ad2ceb5f917987f8e76421b38c691b9fcefc88962789f97d447cd8e6a2f3fe83f1440a998ed9876253040a2ca

Download Submit
C:\Users\Public\Videos\6M6P5P\pbvm125.dll

Filesize
2.6MB

MD5
6d63bd639adf4fb6d0f6ec3c1cf894bb

SHA1
59fb6d0dbbb435be22cf0e11af5fcff60e4ba7e5

SHA256
fb0e6c973a39328a9fbb15f79d64281559a673b0c7f60860990437457a8f8ec7

SHA512
4ab02b311f9fc8931c0555760fea8d55a82071d6f4005770e293bc6239acece1236abb51763d956b065c44628a6f184dc6f3a565b3c252bfc9d1805b60db7dc5

Download Submit
C:\Users\Public\Videos\6M6P5P\pbvm125.dll

Filesize
2.6MB

MD5
6d63bd639adf4fb6d0f6ec3c1cf894bb

SHA1
59fb6d0dbbb435be22cf0e11af5fcff60e4ba7e5

SHA256
fb0e6c973a39328a9fbb15f79d64281559a673b0c7f60860990437457a8f8ec7

SHA512
4ab02b311f9fc8931c0555760fea8d55a82071d6f4005770e293bc6239acece1236abb51763d956b065c44628a6f184dc6f3a565b3c252bfc9d1805b60db7dc5

Download Submit
C:\Windows\Installer\MSIB987.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Windows\Installer\MSIB987.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Windows\Installer\MSIBB0F.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Windows\Installer\MSIBB0F.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
229f17cc1e46a554057a89d880c2e174

SHA1
f906509c03a7f0d77cfa187a5619fda177811883

SHA256
c7acca55281292e28ee05ab213b44d80503ac6feff584dc3c1566e52b6ea4366

SHA512
9a0fb44b4adcd2617b3b8e04dd91cb5ff42626577176aa8d979cfa701e404aef66d0e81620e83f8e5d3dc171ce84529d329e4627d8edbd41e0eaade49572f632

Download Submit
\??\Volume{dca10565-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b6125c25-7809-4e7d-9fd2-dbfee105a0b8}_OnDiskSnapshotProp

Filesize
5KB

MD5
0a07ef0f9951933bbe51f2e80cfc8b50

SHA1
ad2f0764523b65b4d28cf46c928c40ee215168b3

SHA256
a89f4482d00e00ff8e4d31ff72c54f63a2a088cbe70dee4272919923a9f27e6e

SHA512
75f615c810a530564841b0b3773e632524349df951a6c7d4beb9e45787c146a69cb881d81f1f989f350e9cf4cfe7657b829b184520867e1b9249dee35ca71813

Download Submit
memory/828-108-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1488-84-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1488-67-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1488-251-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2964-243-0x00000189C6FC0000-0x00000189C6FD0000-memory.dmp

Filesize
64KB

Download
memory/4208-213-0x0000000000770000-0x0000000000AE1000-memory.dmp

Filesize
3.4MB

Download
memory/4208-214-0x0000000000770000-0x0000000000AE1000-memory.dmp

Filesize
3.4MB

Download
memory/4208-223-0x0000000000770000-0x0000000000AE1000-memory.dmp

Filesize
3.4MB

Download
memory/4300-85-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4300-139-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4300-250-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4300-93-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4300-202-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4300-81-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download