92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf

Resubmissions

09-11-2024 15:52

241109-ta7ekawngt 10

09-11-2024 15:17

241109-spgxsaxbmq 10

Analysis

max time kernel
141s
max time network
132s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi
Size

44.6MB
MD5

7ba3fd79c3ccfdb9f1a311a3f05a7d94
SHA1

c4115a8d08ce102bcb14ed00dad86e52e163c81c
SHA256

92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf
SHA512

f491a16cc375d6756e2debed08e76f01c090ae52b16e7b3eeed2930e0eb8e47e56aada96b54a6dfaa212354d66ca92955a4fc39434a378429f54416f5043048c
SSDEEP

786432:YIRRSEiH0Anyv1JSEyexVA6mcdbTUReEhVzC136g9lceVzgOXTBAaWTAsLBrYuJC:Y+RSnyXSNWvUReEOQg9meVkOXpWXfmMZ

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2964	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Saved Games	tsetup.tmp
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini	tsetup.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	Telegram.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	Telegram.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	Telegram.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	Telegram.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe	MsiExec.exe
File created	C:\Program Files\SustainSleekTutor\valibclang2d.dll	msiexec.exe
File created	C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe	MsiExec.exe
File created	C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs	bFchqPntlegL.exe
File created	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\bFchqPntlegL	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\bFchqPntlegL	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg	msiexec.exe
File created	C:\Program Files\SustainSleekTutor\tsetup.exe	msiexec.exe
File created	C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76d2ba.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76d2bd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d2bb.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76d2ba.msi	msiexec.exe
File created	C:\Windows\Installer\f76d2bb.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID401.tmp	msiexec.exe

Executes dropped EXE 6 IoCs

pid	Process
2132	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
3036	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
2136	bFchqPntlegL.exe
640	tsetup.exe
848	tsetup.tmp
2960	Telegram.exe

Loads dropped DLL 7 IoCs

pid	Process
640	tsetup.exe
848	tsetup.tmp
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
2960	Telegram.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2592	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bFchqPntlegL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsetup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2160	cmd.exe
992	PING.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1	tsetup.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\UninstallString = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\unins000.exe\""	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\TelegramDesktop\Capabilities\UrlAssociations\tg = "tdesktop.tg"	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Telegram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	tsetup.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	Telegram.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 5db37eef26c6c6f456c8bacc6fd041a610f370e2fc9d86d251445c7309c40c49	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayVersion = "5.2.3"	tsetup.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMinor = "2"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Deselected Tasks	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Language = "english"	tsetup.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayIcon = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\tg	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\QuietUninstallString = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\unins000.exe\" /SILENT"	tsetup.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication"	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\URLUpdateInfo = "https://desktop.telegram.org"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 500300008055b5a5ba32db01	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMajor = "5"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c0052006f0061006d0069006e0067005c00540065006c0065006700720061006d0020004400650073006b0074006f0070005c00540065006c0065006700720061006d002e00650078006500000043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c0052006f0061006d0069006e0067005c00540065006c0065006700720061006d0020004400650073006b0074006f0070005c0055007000640061007400650072002e00650078006500000043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c0052006f0061006d0069006e0067005c00540065006c0065006700720061006d0020004400650073006b0074006f0070005c006d006f00640075006c00650073005c007800360034005c006400330064005c0064003300640063006f006d00700069006c00650072005f00340037002e0064006c006c0000000000	tsetup.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\MinorVersion = "2"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager	tsetup.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: App Path = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop"	tsetup.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayName = "Telegram Desktop"	tsetup.tmp
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\NoModify = "1"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg	Telegram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\RegisteredApplications	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582\D79DD49E5C47660498C5E1D7A560895F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Version = "100794368"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\PackageName = "92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\ProductName = "SustainSleekTutor"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\PackageCode = "422D740D8F2748241AF491420E7509A6"	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
992	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2960	Telegram.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2132	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
3036	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1332	msiexec.exe
1332	msiexec.exe
2964	powershell.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
2136	bFchqPntlegL.exe
848	tsetup.tmp
848	tsetup.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeSecurityPrivilege	1332	msiexec.exe
Token: SeCreateTokenPrivilege	2592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2592	msiexec.exe
Token: SeLockMemoryPrivilege	2592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2592	msiexec.exe
Token: SeMachineAccountPrivilege	2592	msiexec.exe
Token: SeTcbPrivilege	2592	msiexec.exe
Token: SeSecurityPrivilege	2592	msiexec.exe
Token: SeTakeOwnershipPrivilege	2592	msiexec.exe
Token: SeLoadDriverPrivilege	2592	msiexec.exe
Token: SeSystemProfilePrivilege	2592	msiexec.exe
Token: SeSystemtimePrivilege	2592	msiexec.exe
Token: SeProfSingleProcessPrivilege	2592	msiexec.exe
Token: SeIncBasePriorityPrivilege	2592	msiexec.exe
Token: SeCreatePagefilePrivilege	2592	msiexec.exe
Token: SeCreatePermanentPrivilege	2592	msiexec.exe
Token: SeBackupPrivilege	2592	msiexec.exe
Token: SeRestorePrivilege	2592	msiexec.exe
Token: SeShutdownPrivilege	2592	msiexec.exe
Token: SeDebugPrivilege	2592	msiexec.exe
Token: SeAuditPrivilege	2592	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2592	msiexec.exe
Token: SeChangeNotifyPrivilege	2592	msiexec.exe
Token: SeRemoteShutdownPrivilege	2592	msiexec.exe
Token: SeUndockPrivilege	2592	msiexec.exe
Token: SeSyncAgentPrivilege	2592	msiexec.exe
Token: SeEnableDelegationPrivilege	2592	msiexec.exe
Token: SeManageVolumePrivilege	2592	msiexec.exe
Token: SeImpersonatePrivilege	2592	msiexec.exe
Token: SeCreateGlobalPrivilege	2592	msiexec.exe
Token: SeBackupPrivilege	2396	vssvc.exe
Token: SeRestorePrivilege	2396	vssvc.exe
Token: SeAuditPrivilege	2396	vssvc.exe
Token: SeBackupPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	2912	DrvInst.exe
Token: SeRestorePrivilege	2912	DrvInst.exe
Token: SeRestorePrivilege	2912	DrvInst.exe
Token: SeRestorePrivilege	2912	DrvInst.exe
Token: SeRestorePrivilege	2912	DrvInst.exe
Token: SeRestorePrivilege	2912	DrvInst.exe
Token: SeRestorePrivilege	2912	DrvInst.exe
Token: SeLoadDriverPrivilege	2912	DrvInst.exe
Token: SeLoadDriverPrivilege	2912	DrvInst.exe
Token: SeLoadDriverPrivilege	2912	DrvInst.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeRestorePrivilege	1332	msiexec.exe
Token: SeTakeOwnershipPrivilege	1332	msiexec.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeRestorePrivilege	2132	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: 35	2132	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeSecurityPrivilege	2132	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeSecurityPrivilege	2132	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeRestorePrivilege	3036	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: 35	3036	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeSecurityPrivilege	3036	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeSecurityPrivilege	3036	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2592	msiexec.exe
2592	msiexec.exe
848	tsetup.tmp
2960	Telegram.exe
2960	Telegram.exe
2960	Telegram.exe
2960	Telegram.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2960	Telegram.exe
2960	Telegram.exe
2960	Telegram.exe
2960	Telegram.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 1288	1332	msiexec.exe	35
PID 1332 wrote to memory of 1288	1332	msiexec.exe	35
PID 1332 wrote to memory of 1288	1332	msiexec.exe	35
PID 1332 wrote to memory of 1288	1332	msiexec.exe	35
PID 1332 wrote to memory of 1288	1332	msiexec.exe	35
PID 1288 wrote to memory of 2964	1288	MsiExec.exe	37
PID 1288 wrote to memory of 2964	1288	MsiExec.exe	37
PID 1288 wrote to memory of 2964	1288	MsiExec.exe	37
PID 1288 wrote to memory of 2160	1288	MsiExec.exe	39
PID 1288 wrote to memory of 2160	1288	MsiExec.exe	39
PID 1288 wrote to memory of 2160	1288	MsiExec.exe	39
PID 2160 wrote to memory of 2132	2160	cmd.exe	41
PID 2160 wrote to memory of 2132	2160	cmd.exe	41
PID 2160 wrote to memory of 2132	2160	cmd.exe	41
PID 2160 wrote to memory of 2132	2160	cmd.exe	41
PID 2160 wrote to memory of 992	2160	cmd.exe	42
PID 2160 wrote to memory of 992	2160	cmd.exe	42
PID 2160 wrote to memory of 992	2160	cmd.exe	42
PID 2160 wrote to memory of 3036	2160	cmd.exe	44
PID 2160 wrote to memory of 3036	2160	cmd.exe	44
PID 2160 wrote to memory of 3036	2160	cmd.exe	44
PID 2160 wrote to memory of 3036	2160	cmd.exe	44
PID 1288 wrote to memory of 2136	1288	MsiExec.exe	46
PID 1288 wrote to memory of 2136	1288	MsiExec.exe	46
PID 1288 wrote to memory of 2136	1288	MsiExec.exe	46
PID 1288 wrote to memory of 2136	1288	MsiExec.exe	46
PID 1288 wrote to memory of 640	1288	MsiExec.exe	48
PID 1288 wrote to memory of 640	1288	MsiExec.exe	48
PID 1288 wrote to memory of 640	1288	MsiExec.exe	48
PID 1288 wrote to memory of 640	1288	MsiExec.exe	48
PID 1288 wrote to memory of 640	1288	MsiExec.exe	48
PID 1288 wrote to memory of 640	1288	MsiExec.exe	48
PID 1288 wrote to memory of 640	1288	MsiExec.exe	48
PID 640 wrote to memory of 848	640	tsetup.exe	49
PID 640 wrote to memory of 848	640	tsetup.exe	49
PID 640 wrote to memory of 848	640	tsetup.exe	49
PID 640 wrote to memory of 848	640	tsetup.exe	49
PID 640 wrote to memory of 848	640	tsetup.exe	49
PID 640 wrote to memory of 848	640	tsetup.exe	49
PID 640 wrote to memory of 848	640	tsetup.exe	49
PID 848 wrote to memory of 2960	848	tsetup.tmp	51
PID 848 wrote to memory of 2960	848	tsetup.tmp	51
PID 848 wrote to memory of 2960	848	tsetup.tmp	51
PID 848 wrote to memory of 2960	848	tsetup.tmp	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 9629F5D0995E5F15862E05B252C1310E M Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\SustainSleekTutor','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
      "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:2132
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:992
  - - C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
      "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:3036
- - C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
    "C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 127 -file file3 -mode mode3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
- - C:\Program Files\SustainSleekTutor\tsetup.exe
    "C:\Program Files\SustainSleekTutor\tsetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp" /SL5="$801FC,44246395,814592,C:\Program Files\SustainSleekTutor\tsetup.exe"
      4⤵
      Drops file in System32 directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
        5⤵
        Drops file in System32 directory
        Executes dropped EXE
        Loads dropped DLL
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D0" "00000000000004C4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76d2bc.rbs

Filesize
7KB

MD5
ed46bb3d75d948aeb94df3f780265460

SHA1
c1d2151fd876707c69a7747cfebc07320398fcbb

SHA256
c9fe3c4ee09313f239dc71fd3d105544edd6b6bc2512ee6b02195177fb9ff7fe

SHA512
78209494c1f2fcf99cae3498de87807975fe32023d7773ef0de1de13a61fd0776701589f2be0d55c2970339105052cec27cf42779fbab1ec5aa0352a6a1956dd

Download Submit
C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe

Filesize
2.1MB

MD5
90134a5b913cd5d9d993f6f58601740e

SHA1
c6fc923eae06097227dab095633a0c47beba327a

SHA256
8462d6b3f1a8037f6f60412d3f4e0ecad89aaed3c10915ffa1e602c5ae8b0942

SHA512
7385ebcce7e33efb3a9b26d9690d8a2a221bc05071bc499f313de2de8d31935dd0cdd366ac7baccd4004d9e1eb27a0471328785ad1acf325054fd036d4b9dd61

Download Submit
C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf

Filesize
1.5MB

MD5
17f3ece27717fa4a5ad13f06e6c2846e

SHA1
47b8230c0f0dd0b8a451bd378203a0ec0aaa13f6

SHA256
f0217b72add9c431299fda7983e8a7c592f6b4cd5a1df5118208c19dc7251c86

SHA512
998dcba619566edba18b2dcaefd8e86d1d6c09340c8004cf487d6944bb2a90b75231f2d3140162bcf0a161321d5febccf7d947d4752451424082f3cd06de9b7b

Download Submit
C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg

Filesize
1.5MB

MD5
86e0062ac9e3c38a69470a57bb619533

SHA1
7d04a283f51e145724e20a5925ee811a4645e5d9

SHA256
42a64f04499a0836946073eb7bfc1cb67a98faa58d65eeb09fb6ac8fccc7f547

SHA512
aefc23fcf566748b60de0e95268f834cef3e4cfb1754b18e9ea2e1a867a764d027d43c68aad2b7c3f4520b3232fd50430c2b7fb4494dee223ac340a8c1e67794

Download Submit
C:\Program Files\SustainSleekTutor\tsetup.exe

Filesize
43.1MB

MD5
8a53cf72375f6899082463c36422d411

SHA1
161d9d3b21bf0d9a9790b92013ec76c6d839af06

SHA256
1b31e3758c4b158143dc41c7c4617984d958760d8d7718e1e38492c67f6bbf65

SHA512
daadba04fb90002a2cb8e44c1b98d6bf702b9cfe33d3b6dc981c877e0a77c620f2538a2748f2fb4e88493e326cc45764c54dad659d8d2d018b74b24fd727a190

Download Submit
C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab850A.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7349236212b0e5cec2978f2cfa49a1a

SHA1
5abb08949162fd1985b89ffad40aaf5fc769017e

SHA256
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

SHA512
c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Download Submit
C:\Windows\Installer\f76d2ba.msi

Filesize
44.6MB

MD5
7ba3fd79c3ccfdb9f1a311a3f05a7d94

SHA1
c4115a8d08ce102bcb14ed00dad86e52e163c81c

SHA256
92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf

SHA512
f491a16cc375d6756e2debed08e76f01c090ae52b16e7b3eeed2930e0eb8e47e56aada96b54a6dfaa212354d66ca92955a4fc39434a378429f54416f5043048c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini

Filesize
282B

MD5
b441cf59b5a64f74ac3bed45be9fadfc

SHA1
3da72a52e451a26ca9a35611fa8716044a7c0bbc

SHA256
e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311

SHA512
fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3

Download Submit
\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp

Filesize
3.0MB

MD5
d90927477dbf0725af0a10e151c184c4

SHA1
4cd69b23ee9c1efe9bd539f0fef841a09a4a773e

SHA256
43182a0ae7e22cc7f9b8028dc71e82826c80e9ac265f8d2dfa08876bb41b7029

SHA512
bfbd62482e99127c1bf621a135b464b5f96b86adfcb9064660c0dc1052099643ea9485e1358a758ab466f19c97042dafccb781e157203ea51e43956e4b6f4f98

Download Submit
memory/640-78-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/640-48-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/640-122-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/848-79-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/848-81-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/848-102-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/848-119-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1288-12-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/2136-65-0x000000002B0F0000-0x000000002B11F000-memory.dmp

Filesize
188KB

Download
memory/2960-114-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2960-115-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2960-135-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2960-134-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2960-193-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2960-192-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2960-198-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2960-199-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2960-213-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2964-18-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2964-17-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download