cd1d744dc39adf50bc17b587d203d5fce77995c4c51cc0438187dfc9eabbd948

Analysis

max time kernel
145s
max time network
139s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-09-2023 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TseFDup.msi
Size

58.0MB
MD5

e8e3c51ef44a0a264ccd99bb030fc6f0
SHA1

4ab03b01955a49eda038aacf54fd293f9cf1b176
SHA256

52abefced6db7a813b8890fe315e7375b65d096ebc25eeb2a573c2ccb99fa217
SHA512

af25f1bad6a3af735c787367392da251c9a3c054b7fc24fe859de1afa81bac074b469f0b4081869bdff0c3f8464ee6c41dea8a20a83640a721d64a9501c445c1
SSDEEP

1572864:Z1fOC74Fczd0leo69+omjTKahIfCCAWmyEt57UyUxbsCSV:Z1fa4+YXtIKC5EDyUth

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dxpwjwrrwd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dxpwjwrrwd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dxpwjwrrwd = "C:\\ProgramData\\wbvkahfcsysrutfhat\\dxpwjwrrwd.exe"	dxpwjwrrwd.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\wbvkahfcsysrutfhat\Rainmeter.dll	acprotect
\ProgramData\wbvkahfcsysrutfhat\rainmeter.dll	acprotect

Executes dropped EXE 4 IoCs

Processes:

MSIF2F9.tmpTelegram.exe137.exedxpwjwrrwd.exe

pid process

2188 MSIF2F9.tmp
1700 Telegram.exe
636 137.exe
2628 dxpwjwrrwd.exe

pid	process
2188	MSIF2F9.tmp
1700	Telegram.exe
636	137.exe
2628	dxpwjwrrwd.exe

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exemsiexec.exe137.exedxpwjwrrwd.exe

pid	process
1632	MsiExec.exe
1632	MsiExec.exe
1632	MsiExec.exe
1632	MsiExec.exe
1632	MsiExec.exe
2500	MsiExec.exe
2388	msiexec.exe
1280
2388	msiexec.exe
1632	MsiExec.exe
636	137.exe
2628	dxpwjwrrwd.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeTelegram.exe

description	ioc	process
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\usertag	msiexec.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss.mhEXBb	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss.Dvqcns	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\F7F081C6E7020D19s.zeHQHd	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\F7F081C6E7020D19s.zeHQHd	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss.LWxlUh	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_1	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss	msiexec.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tupdates\temp\Updater.exe	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\D877F783D5D3EF8C\configs.NqkfEE	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\D877F783D5D3EF8Cs.Ajsqid	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\F7F081C6E7020D19s.yqJhLB	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\F7F081C6E7020D19s.yqJhLB	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\F7F081C6E7020D19s.VeDpQt	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tupdates\temp\Telegram.exe	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tupdates\temp\modules\x64\d3d\d3dcompiler_47.dll	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\spoiler\text	msiexec.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settings0	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\06C7C450EB1FDB8Fs.IuHNsM	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\06C7C450EB1FDB8Fs.IuHNsM	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_0	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\shortcuts-default.json	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\D877F783D5D3EF8Cs.EYVpwM	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_6	msiexec.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\F7F081C6E7020D19s.rCPrss	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\working	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss.mhEXBb	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\137.exe	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_3	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_6	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\Telegram.exe	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\key_datas.ZYoCmm	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss.LWxlUh	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tupdates\temp\tdata\version	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_2	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_4	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\F7F081C6E7020D19s.VeDpQt	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\D877F783D5D3EF8C\configs.nsJLkj	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\shortcuts-custom.json	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\D877F783D5D3EF8Cs.smOAkB	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss.BVPJwZ	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_5	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_2	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\log.txt	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\D877F783D5D3EF8Cs.Ajsqid	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss.SnUWZu	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tupdates\tx64upd4009004	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\countries	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\log.txt	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\prefix	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_4	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\F7F081C6E7020D19s.rCPrss	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss.SnUWZu	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss.BVPJwZ	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_3	msiexec.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\D877F783D5D3EF8Cs.EYVpwM	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\06C7C450EB1FDB8Fs	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_1	msiexec.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\F7F081C6E7020D19s.GTxJGM	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\log_start0.txt	Telegram.exe
File created	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_5	msiexec.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tupdates\temp\ready	Telegram.exe
File opened for modification	C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss.BdsYOk	Telegram.exe

Drops file in Windows directory 13 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIE908.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB98.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{276020FC-F711-4ABC-B554-0C5C62B64EA6}\Telegram.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e82e.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76e82d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e82d.msi	msiexec.exe
File created	C:\Windows\Installer\f76e82e.ipi	msiexec.exe
File created	C:\Windows\Installer\{276020FC-F711-4ABC-B554-0C5C62B64EA6}\Telegram.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2F9.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Telegram.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Telegram.exe

pid process

1700 Telegram.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exedxpwjwrrwd.exe

pid process

2388 msiexec.exe
2388 msiexec.exe
2628 dxpwjwrrwd.exe
2628 dxpwjwrrwd.exe
2628 dxpwjwrrwd.exe
2628 dxpwjwrrwd.exe

pid	process
1700	Telegram.exe

pid	process
2388	msiexec.exe
2388	msiexec.exe
2628	dxpwjwrrwd.exe
2628	dxpwjwrrwd.exe
2628	dxpwjwrrwd.exe
2628	dxpwjwrrwd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2244	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2244	msiexec.exe
Token: SeRestorePrivilege	2388	msiexec.exe
Token: SeTakeOwnershipPrivilege	2388	msiexec.exe
Token: SeSecurityPrivilege	2388	msiexec.exe
Token: SeCreateTokenPrivilege	2244	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2244	msiexec.exe
Token: SeLockMemoryPrivilege	2244	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2244	msiexec.exe
Token: SeMachineAccountPrivilege	2244	msiexec.exe
Token: SeTcbPrivilege	2244	msiexec.exe
Token: SeSecurityPrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeLoadDriverPrivilege	2244	msiexec.exe
Token: SeSystemProfilePrivilege	2244	msiexec.exe
Token: SeSystemtimePrivilege	2244	msiexec.exe
Token: SeProfSingleProcessPrivilege	2244	msiexec.exe
Token: SeIncBasePriorityPrivilege	2244	msiexec.exe
Token: SeCreatePagefilePrivilege	2244	msiexec.exe
Token: SeCreatePermanentPrivilege	2244	msiexec.exe
Token: SeBackupPrivilege	2244	msiexec.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeShutdownPrivilege	2244	msiexec.exe
Token: SeDebugPrivilege	2244	msiexec.exe
Token: SeAuditPrivilege	2244	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2244	msiexec.exe
Token: SeChangeNotifyPrivilege	2244	msiexec.exe
Token: SeRemoteShutdownPrivilege	2244	msiexec.exe
Token: SeUndockPrivilege	2244	msiexec.exe
Token: SeSyncAgentPrivilege	2244	msiexec.exe
Token: SeEnableDelegationPrivilege	2244	msiexec.exe
Token: SeManageVolumePrivilege	2244	msiexec.exe
Token: SeImpersonatePrivilege	2244	msiexec.exe
Token: SeCreateGlobalPrivilege	2244	msiexec.exe
Token: SeCreateTokenPrivilege	2244	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2244	msiexec.exe
Token: SeLockMemoryPrivilege	2244	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2244	msiexec.exe
Token: SeMachineAccountPrivilege	2244	msiexec.exe
Token: SeTcbPrivilege	2244	msiexec.exe
Token: SeSecurityPrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeLoadDriverPrivilege	2244	msiexec.exe
Token: SeSystemProfilePrivilege	2244	msiexec.exe
Token: SeSystemtimePrivilege	2244	msiexec.exe
Token: SeProfSingleProcessPrivilege	2244	msiexec.exe
Token: SeIncBasePriorityPrivilege	2244	msiexec.exe
Token: SeCreatePagefilePrivilege	2244	msiexec.exe
Token: SeCreatePermanentPrivilege	2244	msiexec.exe
Token: SeBackupPrivilege	2244	msiexec.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeShutdownPrivilege	2244	msiexec.exe
Token: SeDebugPrivilege	2244	msiexec.exe
Token: SeAuditPrivilege	2244	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2244	msiexec.exe
Token: SeChangeNotifyPrivilege	2244	msiexec.exe
Token: SeRemoteShutdownPrivilege	2244	msiexec.exe
Token: SeUndockPrivilege	2244	msiexec.exe
Token: SeSyncAgentPrivilege	2244	msiexec.exe
Token: SeEnableDelegationPrivilege	2244	msiexec.exe
Token: SeManageVolumePrivilege	2244	msiexec.exe
Token: SeImpersonatePrivilege	2244	msiexec.exe
Token: SeCreateGlobalPrivilege	2244	msiexec.exe
Token: SeCreateTokenPrivilege	2244	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msiexec.exeTelegram.exe

pid process

2244 msiexec.exe
1700 Telegram.exe
1700 Telegram.exe
1700 Telegram.exe
1700 Telegram.exe
2244 msiexec.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Telegram.exe

pid process

1700 Telegram.exe
1700 Telegram.exe
1700 Telegram.exe
1700 Telegram.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

137.exedxpwjwrrwd.exe

pid process

636 137.exe
636 137.exe
2628 dxpwjwrrwd.exe
2628 dxpwjwrrwd.exe
2628 dxpwjwrrwd.exe
2628 dxpwjwrrwd.exe
2628 dxpwjwrrwd.exe

pid	process
2244	msiexec.exe
1700	Telegram.exe
1700	Telegram.exe
1700	Telegram.exe
1700	Telegram.exe
2244	msiexec.exe

pid	process
1700	Telegram.exe
1700	Telegram.exe
1700	Telegram.exe
1700	Telegram.exe

pid	process
636	137.exe
636	137.exe
2628	dxpwjwrrwd.exe
2628	dxpwjwrrwd.exe
2628	dxpwjwrrwd.exe
2628	dxpwjwrrwd.exe
2628	dxpwjwrrwd.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

msiexec.exe137.exe

description	pid	process	target process
PID 2388 wrote to memory of 1632	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 1632	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 1632	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 1632	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 1632	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 1632	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 1632	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 2500	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 2500	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 2500	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 2500	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 2500	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 2500	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 2500	2388	msiexec.exe	MsiExec.exe
PID 2388 wrote to memory of 2188	2388	msiexec.exe	MSIF2F9.tmp
PID 2388 wrote to memory of 2188	2388	msiexec.exe	MSIF2F9.tmp
PID 2388 wrote to memory of 2188	2388	msiexec.exe	MSIF2F9.tmp
PID 636 wrote to memory of 2628	636	137.exe	dxpwjwrrwd.exe
PID 636 wrote to memory of 2628	636	137.exe	dxpwjwrrwd.exe
PID 636 wrote to memory of 2628	636	137.exe	dxpwjwrrwd.exe
PID 636 wrote to memory of 2628	636	137.exe	dxpwjwrrwd.exe
PID 636 wrote to memory of 2628	636	137.exe	dxpwjwrrwd.exe
PID 636 wrote to memory of 2628	636	137.exe	dxpwjwrrwd.exe
PID 636 wrote to memory of 2628	636	137.exe	dxpwjwrrwd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TseFDup.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2244

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AD8E492096BBA41B537DC2DE6F6EC112 C
2⤵
- Loads dropped DLL
PID:1632

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 71C02281ADAA81C803E90ADF03A5D796
2⤵
- Loads dropped DLL
PID:2500

C:\Windows\Installer\MSIF2F9.tmp
"C:\Windows\Installer\MSIF2F9.tmp" /DontWait "C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\Telegram.exe"
2⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1676

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A4" "0000000000000554"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3012

C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\Telegram.exe
"C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\Telegram.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1700

C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\137.exe
"C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\137.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\ProgramData\wbvkahfcsysrutfhat\dxpwjwrrwd.exe
"C:\ProgramData\wbvkahfcsysrutfhat\dxpwjwrrwd.exe"
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e82f.rbs

Filesize
562KB

MD5
923fb2e409b244a9c9bbf129a5e72510

SHA1
5e2c73bbf1406355b2a9401f5072a425ccbe8d25

SHA256
656c458b8f5cdbffd3547731dce3b230182559fb1aa54545307b6b3aa7d634e4

SHA512
8abc4f0e4fbe98eed380383735f2b36068364b88349fb7cd34dba5643e7554b32ac11489edffe118a2d2af66ca4ab6a4639abbe05571a2c57aabc4efa76af4ca

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\137.exe

Filesize
1.7MB

MD5
f1183364b392c61af725e8495f99474b

SHA1
2039d2ced2dd2183263301b077a690a06cb0962f

SHA256
2ac1b4a6df920c45fd7a100e0ae9f79683ba38d08a82c71027b71eb4601eef1b

SHA512
4a1aefc33fed854898f3816faa98ce53d7578905ee831fccb9e988623be4af3ee9cc5e364a6ec7cbe61b10a0382a756486c497a15765a7275cc805101d853930

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\06C7C450EB1FDB8Fs

Filesize
507KB

MD5
7db2ae6f4c2d1b848ecd38ae6021d837

SHA1
2f3107f07814f681425524c7be2b97964db91594

SHA256
3c256903fde10f504ead3794ea6ecfcea968a2450aa64236721a406b92331481

SHA512
50b6534494e5028a706304a66c3df88d9e301d94d37b107e769e5b4b7cc80a284fe6b007736376f3707011ef0de4522dbcc2bc99684b3e4f48168f0e91e177be

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_0

Filesize
648KB

MD5
a9d5fcb4edadcf53399f1c5f9ae5d9ae

SHA1
210377216a6869a40655c75f47a392b4600f6f44

SHA256
a917a5dcf7e329dfb760ece674de96a01ab5e2f51751de95d032c4bb5e2a1f0e

SHA512
7a47a64e1dacc0b3c621b13d9d0cc60bf98d58d2a93add9beb87ce476cce296029f028feea1970bfacbbbaae6b143e24f8245ac32bfdf6cee65089b568bf6ec4

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_1

Filesize
648KB

MD5
28c7a651b3411fff0be43767457541f3

SHA1
64cc0c0474f72deb03459a47e91e6f1b5cc5a867

SHA256
0f1d63de6e20766acc95159db99724d5babbabbb9adb1506dc1337163ec61338

SHA512
bc3a5492c72293bf0dcfa1883e586e17dd16afce06817d466c6672e9ac6c04a1c74bddaedd0753b1ddfff20bd88ab36d055643369416725be95bfb7a72f37070

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_2

Filesize
648KB

MD5
8bae1c34285e15fae092ef5afb4bdb9a

SHA1
ce7098ffafa1a0150de43e390f4489bd0a35bfd1

SHA256
48d4c29de7c7e13c65856da6963a20f41f9001dab80bb72b68d61cab7fee1d33

SHA512
927581328052659a0e65df5499b5e16624145ff61512255c64770194384d7ea5b469c3b1301e63146de7b5fc01bf6acf6e81e567806cdfed3a4b306b98e18ca4

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_3

Filesize
648KB

MD5
28dc94bc2f0fd3ce3a70f5207ec35bde

SHA1
96cd2a1b1237270b857b72ac0b4f90c7111d0099

SHA256
0b2cb32c6eda76598f5ef427a7ef9309bf3d6c2cb206ca1e37f164636ff25bc3

SHA512
8eea266f16f517bbb2908738c5d027375b3452bae4032f187094e56c6830c05487acfb781182e02aa9dbdcb9c0e8d58fb28b5d7f9aca9ed7000488cbe0029fe0

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_4

Filesize
648KB

MD5
fa7909ed2d3e1d9a593ab5fa0d66958b

SHA1
8b1baf1bbf8ecb8d34fd155746f84e6887665dc6

SHA256
8935d03aa7c5c253c92ebf8fac42aaac5f0aa04b531ad3196954e45ee2b3a389

SHA512
d43a6b169a6e2c60e63e71e3aefd05f8e8c4b691672536943ed81dc342eff372aab51e8b25e6e17d4dabe9166f3520850bef8cc03604d003c0ec01b382691748

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_5

Filesize
648KB

MD5
7076344b06be17207948f79de741e3e7

SHA1
338e2311f944087807be80dd2fb2e8584e9bdd65

SHA256
43c24b430152745f6fb61fd27d2598489e21d60ae2f0e0c89bb264f484afe899

SHA512
9a518ad991a3263117c122b7cff14e6191ee91a40c5daa75e77fd854edbe7dac2c46a4a80fe0d91d5fda1ebf9d4ef0091b3d543c8abb52900584e0f0bdabc9dd

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_18_6

Filesize
648KB

MD5
677eaf4328bfa07263b0518d7a538c68

SHA1
2daabe657291c7088e45d09125c10247f52b81e6

SHA256
9522b74b926f4c3989e962f815ff7f1cb93e26f68522457e4f2e3dede4a64aeb

SHA512
87b5eb241f7f854ffc2b49d83b3c40be73693dd1a6c900d2d07c047f8e689d9fc44d6198a168372a4df53532d910d045c4141b321a5f2b33e36081399362fa4b

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_0

Filesize
1.1MB

MD5
e0d699a63ecfb007d72bf4a158a1dea6

SHA1
15bae81866f8dc89d256bf6aa6fe29e6ae1099f2

SHA256
89e572bbce672b25b93c9f95b4ae3e1295da308f79c7ed0342ad40e184b5a6e4

SHA512
a397a0a64c5fe734e98ef911d929897f0fa6b4d272956d0c5eca170a7e226783b52f4eb7871bd73bbf6517a98c6ba5e93608b1f8d807b320ab97e8555719ae94

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_1

Filesize
1.1MB

MD5
bb05e538eb0fd043124c1dbd7a54f6a0

SHA1
c44c550a754d87880e3413cfa0cb3bcbe7523edb

SHA256
0255d50c8fc8f036794a3cebdf2937a94821c6cf07caee1be90cf11fbf4f4c47

SHA512
ff6a9b0862307ebe85d72a62eefc09054290995c373f3c5b248bb6f04a6246d68160f6227873bc11649b894cd011f263c0d258796dffa09afb31412d78a8be69

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_2

Filesize
1.1MB

MD5
92cf692ec1350a03271cf7241d696852

SHA1
7af420c4564b67485bb6ea043a242f366fedef12

SHA256
ebd8b64b606c941b14c0b2a20d308672ecb0bae4e7bab5bf3180c820276f1355

SHA512
f3955b98ecef489e35274f7eef8d37c0650c078e651ac167c3ced8b0109536e0b3479cbe65d5c4b71aba0b0a8cccd531e6448740f638729159c70455d104a851

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_3

Filesize
1.1MB

MD5
cf672c2191ad9aabd4c380a95bf426e0

SHA1
e0c8d175e98483242f61efcb9885a8369051a9e8

SHA256
88e08b41b3470b4c1438f95d8e72164c5d8d9471f956d4545489e4f3ebd683d2

SHA512
ec68dd9a0d7292d9a570500d3e119db2056869814f0195f2d0b69d043a50a6031a0b122c016229a92015d2b3f34cba8f9939888fb469f1f73592f004d59af351

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_4

Filesize
1.1MB

MD5
eeea43d3974ad7c693bc76ecd2f687da

SHA1
939720d7aaf86ca815d75f08bea4cdb5d588f4bd

SHA256
64caf40aea1b4605b064f7aea7bce2eb745ec6ff1bea5621fc8d0e401e804f4f

SHA512
15a2396e3b06253add6b9e117540e65a63a1acc6c48b6a52c1f9b8929aacba3addb8e11bb879b3b7d8a75278c626886877cbe0ae4ae0ba498e1b4c2c76ba4618

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_5

Filesize
1.1MB

MD5
30692e87e6b0f97e6277ede297df9e84

SHA1
9184fe68950608bf81e706bb93f8f5b6dec26030

SHA256
b9e6942fcb22fd19400980b3fe0ce66cb1b90cae0f0a3d9e263f84265c6cb371

SHA512
07c7bd39596ca10ad8e3496eed24ed6b843a1dad3ef758c0a2a12993207b281e218f88dd71a8b73e7b78fd1c0c0686864a8cb79f5f1181e5bab41d5edf927b59

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\cache_24_6

Filesize
1.1MB

MD5
45da064a83b06d0619b45025a0607c79

SHA1
3cd0336619073a14ef2daef249a600ca1784af54

SHA256
9247ad81f3ce766c45a6393fc0aec29b60f351e629f6a19f7fc040241a34b07f

SHA512
0626c8625cbe2ea74d96e615db5b96eb72859e2b3eb26df6f381bb25f81ac5b1379ed690475b45eeef283c22ecb0ad95cfe39c0bc631676c669def06df523a0f

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\emoji\spoiler\text

Filesize
308KB

MD5
6647ba514d530f27ce1c84a6e450ae4d

SHA1
2d0e79fea69229c2e3327ce64bdc57623620a224

SHA256
b5e82d8037bb83a1e365fb06a4bd1928a4fc3277f7ffa65d3e4d21d732d773bf

SHA512
058946a464e8d227b3ec65f35300a4beca98a751e85e658fd982a7dde62074465d33a7956bc2ddbfd92cc895ea914aa508a98924e919bbc7bdbb98cd61bff5ab

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\settingss

Filesize
1KB

MD5
912ce58886c710f51e77c603b576e695

SHA1
f60889c32e3fad4ffebb038d8a345b38e619b001

SHA256
abc8efe424b451496426e17c123575d6fc1a7be29c46ed22c634344ce3a15459

SHA512
37b5e124f937584f591df0e990cc81616cf1857513e493d24d8ebd7565bf4807446a35a792c1b3c0d1ea58725bb7bc72595476967ecb9c9894b263b4a4f097cb

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\shortcuts-custom.json

Filesize
404B

MD5
874b930b4c2fddc8043f59113c044a14

SHA1
75b14a96fe1194f27913a096e484283b172b1749

SHA256
f4f666f4b831e84710983b0e9e905e87342b669f61109fd693688d89c12309d8

SHA512
f4b0337fba5c5f4d7e7a02aa5d4538334edd38f5df179e4f1701fa2f1c4d3d856a074fa55ea724c4e2a6c5a1ac1dbfc7e9966c814475c7cd2c65cd44fca14621

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\shortcuts-default.json

Filesize
2KB

MD5
a2c2a57e2be968174d3b90997e245033

SHA1
df430fc0290aa88be828426c7117cab75e81f559

SHA256
1e46bb20f4a6b3733e5968d9b765d0ecf1557ac229c61a78d565100767f31889

SHA512
759e7b2b73404a0a68cdf9d0b7d65aecf4134e786909c32f9fbdfb9460c25796ec114b9da355b175fa12a46f0b8cda0bce90511587d62c768da404d16be458a0

Download Submit
C:\Program Files (x86)\纸飞机中文版\纸飞机中文版\tdata\usertag

Filesize
8B

MD5
736e78c1b0665e56195b8e743e249eb2

SHA1
4d4b2b2963c9a7595c0650bebb976fd45181d590

SHA256
eef0a9b0ae843f1c6759a61ae5b42e88f66580825382e4d603bab6c2874a9c75

SHA512
15e4ab625dbf499b397ec6b0e6324a912b6a269db21f31d2e3455e3216bb77ea0a1a4350c34d918c74521c1d13eabc484fb81f6ed34766c2299dadea3353a676

Download Submit
C:\ProgramData\wbvkahfcsysrutfhat\Rainmeter.dll

Filesize
567KB

MD5
a2e818e0e424de8b55c7a2536529750b

SHA1
4e5534a2cb1a11d776615bd76de5ebcc9f99fe1f

SHA256
1605ca7b5278e5beb2cd1118404f9f2306628d037f24bc4809d5db9e798fff82

SHA512
11df2c6d55cc58d31e3308d79e3ded73994c4714c0f98f521f312bd43feea7b91dd197905c905e58bd857c8d1d8902a272ab7375e5c78be2003c3629e389b895

Download Submit
C:\ProgramData\wbvkahfcsysrutfhat\dxpwjwrrwd.exe

Filesize
461KB

MD5
3a8288e169d73d8f037c57627414e1d4

SHA1
2f396cb33be5eb25c49fc3ea096c8c48a337bf40

SHA256
7747b8ee1d103441a78953ab55017cb692491a54de31b22e2a6e093e2c2e7a6d

SHA512
044b1f5420070ea0676a2880b9baec0e7e897466d49d37b412541b10085c416065a7cb435e8aea67b7e2ad9a1b3f0e12723440e8c9e2f0b184877d72d39ff5bd

Download Submit
C:\ProgramData\wbvkahfcsysrutfhat\dxpwjwrrwd.exe

Filesize
461KB

MD5
3a8288e169d73d8f037c57627414e1d4

SHA1
2f396cb33be5eb25c49fc3ea096c8c48a337bf40

SHA256
7747b8ee1d103441a78953ab55017cb692491a54de31b22e2a6e093e2c2e7a6d

SHA512
044b1f5420070ea0676a2880b9baec0e7e897466d49d37b412541b10085c416065a7cb435e8aea67b7e2ad9a1b3f0e12723440e8c9e2f0b184877d72d39ff5bd

Download Submit
C:\ProgramData\wbvkahfcsysrutfhat\dxpwjwrrwd.txt

Filesize
244B

MD5
7a06858afb4ed8b1c3cf9d72c86fd016

SHA1
ea0c7df7688290cf84c3f301624e20d43746cd97

SHA256
abf6c4ec2d83a3e89974b5b381c65d6d64a1511bd23280c9b38cd1a767adba6e

SHA512
ad272a7b0eff25acabb9a1d5ca66cf6a6630925946f56204aa4c47c182a07d1940242e0842b03f9e19b465a6c6e84f4cd629114a62300f0c789d31c9f273454f

Download Submit
C:\ProgramData\wbvkahfcsysrutfhat\dxpwjwrrwd.txt

Filesize
244B

MD5
7a06858afb4ed8b1c3cf9d72c86fd016

SHA1
ea0c7df7688290cf84c3f301624e20d43746cd97

SHA256
abf6c4ec2d83a3e89974b5b381c65d6d64a1511bd23280c9b38cd1a767adba6e

SHA512
ad272a7b0eff25acabb9a1d5ca66cf6a6630925946f56204aa4c47c182a07d1940242e0842b03f9e19b465a6c6e84f4cd629114a62300f0c789d31c9f273454f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5EB5.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6D97.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8259.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI847C.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI850A.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI850A.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8633.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI86B1.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Windows\Installer\MSIE908.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Windows\Installer\MSIF2F9.tmp

Filesize
557KB

MD5
e02b7bb05df2b3f0c258fbdc4bcf7c75

SHA1
b998e4ec7b5d656556e298f07f7172c122cc712c

SHA256
2c659881346332a3f172a9beafbdb2e9c9559a9426374aee750338035dd17a5f

SHA512
647feb03b1ba496126986ab33d8e41827667e53e868149ca5aea6c0d8828c9bc4f2a35e9575ee26044305221423850e8607fa988b28740e9ef23082348c72bc7

Download Submit
\Program Files (x86)\纸飞机中文版\纸飞机中文版\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
\Program Files (x86)\纸飞机中文版\纸飞机中文版\Telegram.exe

Filesize
130.1MB

MD5
3df5bcea0ca91ab9fc317bcc6d9ea15f

SHA1
843a46a3a2495ec3b25eac11ae24b4c4988e7b36

SHA256
4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

SHA512
490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

Download Submit
\ProgramData\wbvkahfcsysrutfhat\dxpwjwrrwd.exe

Filesize
461KB

MD5
3a8288e169d73d8f037c57627414e1d4

SHA1
2f396cb33be5eb25c49fc3ea096c8c48a337bf40

SHA256
7747b8ee1d103441a78953ab55017cb692491a54de31b22e2a6e093e2c2e7a6d

SHA512
044b1f5420070ea0676a2880b9baec0e7e897466d49d37b412541b10085c416065a7cb435e8aea67b7e2ad9a1b3f0e12723440e8c9e2f0b184877d72d39ff5bd

Download Submit
\ProgramData\wbvkahfcsysrutfhat\rainmeter.dll

Filesize
567KB

MD5
a2e818e0e424de8b55c7a2536529750b

SHA1
4e5534a2cb1a11d776615bd76de5ebcc9f99fe1f

SHA256
1605ca7b5278e5beb2cd1118404f9f2306628d037f24bc4809d5db9e798fff82

SHA512
11df2c6d55cc58d31e3308d79e3ded73994c4714c0f98f521f312bd43feea7b91dd197905c905e58bd857c8d1d8902a272ab7375e5c78be2003c3629e389b895

Download Submit
\Users\Admin\AppData\Local\Temp\MSI6D97.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8259.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI847C.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI850A.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI8633.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
\Users\Admin\AppData\Local\Temp\MSI86B1.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
\Windows\Installer\MSIE908.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
\Windows\Installer\MSIF2F9.tmp

Filesize
557KB

MD5
e02b7bb05df2b3f0c258fbdc4bcf7c75

SHA1
b998e4ec7b5d656556e298f07f7172c122cc712c

SHA256
2c659881346332a3f172a9beafbdb2e9c9559a9426374aee750338035dd17a5f

SHA512
647feb03b1ba496126986ab33d8e41827667e53e868149ca5aea6c0d8828c9bc4f2a35e9575ee26044305221423850e8607fa988b28740e9ef23082348c72bc7

Download Submit
memory/1632-178-0x0000000000290000-0x0000000000292000-memory.dmp

Filesize
8KB

Download
memory/1700-79-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1700-193-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/1700-128-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1700-127-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/1700-86-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/1700-126-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/1700-129-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/1700-85-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/2188-73-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/2628-217-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2628-227-0x0000000004730000-0x00000000048AB000-memory.dmp

Filesize
1.5MB

Download
memory/2628-195-0x0000000000B40000-0x0000000000C29000-memory.dmp

Filesize
932KB

Download
memory/2628-201-0x0000000000B40000-0x0000000000C29000-memory.dmp

Filesize
932KB

Download
memory/2628-212-0x0000000010000000-0x000000001011A000-memory.dmp

Filesize
1.1MB

Download
memory/2628-214-0x0000000000B40000-0x0000000000C29000-memory.dmp

Filesize
932KB

Download
memory/2628-215-0x00000000036E0000-0x000000000390B000-memory.dmp

Filesize
2.2MB

Download
memory/2628-218-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2628-192-0x0000000000B40000-0x0000000000C29000-memory.dmp

Filesize
932KB

Download
memory/2628-190-0x0000000000B40000-0x0000000000C29000-memory.dmp

Filesize
932KB

Download
memory/2628-223-0x00000000040B0000-0x00000000041A4000-memory.dmp

Filesize
976KB

Download
memory/2628-222-0x0000000001070000-0x00000000010D4000-memory.dmp

Filesize
400KB

Download
memory/2628-224-0x00000000040B0000-0x00000000041A4000-memory.dmp

Filesize
976KB

Download
memory/2628-194-0x0000000000B40000-0x0000000000C29000-memory.dmp

Filesize
932KB

Download
memory/2628-229-0x00000000032F0000-0x00000000033AF000-memory.dmp

Filesize
764KB

Download
memory/2628-230-0x0000000002850000-0x00000000028A2000-memory.dmp

Filesize
328KB

Download
memory/2628-231-0x00000000036E0000-0x000000000390B000-memory.dmp

Filesize
2.2MB

Download
memory/2628-233-0x00000000036E0000-0x000000000390B000-memory.dmp

Filesize
2.2MB

Download
memory/2628-189-0x0000000010000000-0x000000001011A000-memory.dmp

Filesize
1.1MB

Download
memory/2628-242-0x00000000040B0000-0x00000000041A4000-memory.dmp

Filesize
976KB

Download
memory/2628-243-0x0000000004730000-0x00000000048AB000-memory.dmp

Filesize
1.5MB

Download
memory/2628-245-0x0000000001070000-0x00000000010D4000-memory.dmp

Filesize
400KB

Download
memory/2628-247-0x00000000032F0000-0x00000000033AF000-memory.dmp

Filesize
764KB

Download
memory/2628-248-0x0000000002850000-0x00000000028A2000-memory.dmp

Filesize
328KB

Download
memory/2628-252-0x0000000002850000-0x00000000028A2000-memory.dmp

Filesize
328KB

Download