Malware Analysis Report

2024-12-07 14:03

Sample ID 241115-gmhkratldn
Target 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi.vir
SHA256 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5
Tags
discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5

Threat Level: Known bad

The file 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi.vir was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan

Purplefox family

PurpleFox

Gh0strat family

Gh0st RAT payload

Gh0strat

Detect PurpleFox Rootkit

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Loads dropped DLL

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Runs ping.exe

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 05:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 05:55

Reported

2024-11-15 05:57

Platform

win7-20240903-en

Max time kernel

144s

Max time network

137s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Saved Games C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76c207.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c208.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76c207.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c208.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC2D2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c20a.msi C:\Windows\system32\msiexec.exe N/A
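The three "Drops file" tables above are flat rows of the form `<Description> <Indicator path> <Process path> N/A`, which hides the shape of the install: msiexec writes a first-stage executable, a DLL and a bundled Telegram installer into `C:\Program Files\UpgradeValiantSupervisor\`, the first-stage executable then writes further executables, and one of those writes a `.vbs`. The script below is an added example, not part of the sandbox report, that reconstructs that drop chain from the rows. The sample rows are a constructed subset copied verbatim from the tables above; the row parser assumes exactly the layout shown (both paths may contain spaces, so the process path is taken as everything after the last ` C:\` in the row), and the extension list used to flag executable content is the editor's choice, not something the report states.

```python
"""Rebuild the drop-and-execute chain from the sandbox file-event rows above.

Each row is '<Description> <Indicator path> <Process path> N/A'.  Because both
paths contain spaces ('C:\\Program Files\\...'), a row cannot be split on
whitespace; the process path is the text after the LAST ' C:\\' in the row.
"""
import ntpath
import re
from collections import defaultdict

# Constructed input: rows copied from the 'Drops file in Program Files directory'
# and 'Drops file in Windows directory' tables of this report (a subset).
SAMPLE_ROWS = r"""
File created C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Windows\Installer\f76c207.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
"""

# Editor's choice of extensions that count as executable content (assumption).
EXECUTABLE_EXT = {".exe", ".dll", ".vbs", ".ps1", ".bat", ".cmd", ".js", ".scr", ".sys"}
_ROW = re.compile(r"^(File created|File opened for modification) (.+) N/A$")


def parse_row(row: str):
    """Return (description, indicator, process) or None for a non-event line."""
    m = _ROW.match(row.strip())
    if not m:
        return None
    description, rest = m.group(1), m.group(2)
    indicator, sep, process = rest.rpartition(" C:\\")
    if not sep:
        return None
    return description, indicator, "C:\\" + process


def drop_graph(rows: str) -> dict:
    """Map each writing process (lower-cased, so msiexec.exe and MsiExec.exe
    aggregate) to the set of files it created."""
    graph = defaultdict(set)
    for row in rows.splitlines():
        parsed = parse_row(row)
        if parsed and parsed[0] == "File created":
            _, indicator, process = parsed
            graph[process.lower()].add(indicator)
    return graph


def dropper_chains(rows: str):
    """Follow 'process X created file Y' edges starting at msiexec, descending
    into any dropped file that later creates files itself; yields (depth, path)."""
    graph = drop_graph(rows)
    roots = [p for p in graph if p.endswith("\\msiexec.exe")]
    seen = set()

    def walk(proc, depth):
        for child in sorted(graph.get(proc, ())):
            if child.lower() in seen:
                continue
            seen.add(child.lower())
            yield depth, child
            yield from walk(child.lower(), depth + 1)

    for root in sorted(roots):
        yield 0, root
        yield from walk(root, 1)


def dropped_code(rows: str) -> list:
    """Files written during the install whose extension marks them as code."""
    return sorted({f for files in drop_graph(rows).values() for f in files
                   if ntpath.splitext(f)[1].lower() in EXECUTABLE_EXT})


if __name__ == "__main__":
    for depth, path in dropper_chains(SAMPLE_ROWS):
        print("    " * depth + path)
    print("\nexecutable content dropped:", len(dropped_code(SAMPLE_ROWS)))
```

Run against the rows above this prints msiexec at the root, the first-stage `YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe`, `ZhObbZwOavDN.exe`, `tsetup.exe` and `valibclang2d.dll` one level down, and the second-stage executables and the `.vbs` at depth two. Because msiexec performs the install as the Windows Installer service, everything in this chain runs in that context, which is also why the bundled Telegram installer and Telegram.exe are seen writing to the SYSTEM profile (`C:\Windows\system32\config\systemprofile\...`) rather than to the Admin user's profile in the "Drops file in System32 directory" table.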

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\UpgradeValiantSupervisor\tsetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\RegisteredApplications C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: App Path = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\URLInfoAbout = "https://desktop.telegram.org" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\TelegramDesktop\Capabilities\ApplicationDescription = "Telegram Desktop" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\URLUpdateInfo = "https://desktop.telegram.org" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Language = "english" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\MajorVersion = "5" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\tg\ = "URL:Telegram Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0801efd2237db01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 9801000020582c012337db01 C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMinor = "2" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMajor = "5" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities\UrlAssociations C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\EstimatedSize = "163980" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\UninstallString = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\unins000.exe\"" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1 C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\InstallDate = "20241115" C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\TelegramDesktop\Capabilities\ApplicationName = "Telegram Desktop" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Version = "34078724" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\PackageName = "0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\ProductName = "UpgradeValiantSupervisor" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984\071CCAE94C770C94288B209269C7ED07 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\PackageCode = "B2FCB3C3AE4D29B4F88C48506EB40769" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
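The key names `071CCAE94C770C94288B209269C7ED07` and `4AC14C41ED6CF2947B4F7ADE34E99984` and the `PackageCode` value above are not random: Windows Installer stores product, upgrade and package GUIDs in the registry in "packed" form, with braces and dashes removed and each of the eleven GUID fields reversed, and stores `Version` as a DWORD holding major, minor and build in its high byte, next byte and low word. The script below is an added example, not part of the sandbox report, that decodes the identifiers exactly as they appear in the table so that a responder can pivot to the matching `Uninstall` key or to `msiexec /x {ProductCode}` on an infected host. The input constants are copied from the table; the decoded GUIDs and version string are computed by the code and do not appear anywhere on the page.

```python
"""Decode the Windows Installer identifiers that msiexec wrote under
HKLM\\SOFTWARE\\Classes\\Installer during the detonation above.

Packed-GUID encoding: strip braces and dashes, then reverse each field of the
GUID (the 8-4-4 prefix fields as whole strings, the remaining sixteen hex
digits pair by pair).  ProductVersion is a DWORD: major << 24 | minor << 16 | build.
"""

# Input copied from the 'Modifies registry class' table above.
PRODUCT_KEY = "071CCAE94C770C94288B209269C7ED07"    # Products\<packed ProductCode>
UPGRADE_KEY = "4AC14C41ED6CF2947B4F7ADE34E99984"    # UpgradeCodes\<packed UpgradeCode>
PACKAGE_CODE = "B2FCB3C3AE4D29B4F88C48506EB40769"   # Products\...\PackageCode
VERSION_DWORD = 34078724                            # Products\...\Version
LANGUAGE_ID = 1033                                  # Products\...\Language

# Field widths of a packed GUID: 8, 4, 4, then eight two-digit groups.
_FIELD_WIDTHS = (8, 4, 4) + (2,) * 8


def _reverse_fields(hexdigits: str) -> list:
    """Split 32 hex digits into the eleven GUID fields and reverse each one."""
    fields, pos = [], 0
    for width in _FIELD_WIDTHS:
        fields.append(hexdigits[pos:pos + width][::-1])
        pos += width
    return fields


def unpack_guid(packed: str) -> str:
    """Packed registry form -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'."""
    packed = packed.strip().upper()
    if len(packed) != 32 or any(c not in "0123456789ABCDEF" for c in packed):
        raise ValueError(f"not a packed GUID: {packed!r}")
    f = _reverse_fields(packed)
    # Fields 3-4 form the fourth GUID group, fields 5-10 the twelve-digit last group.
    return "{%s-%s-%s-%s-%s}" % (f[0], f[1], f[2], "".join(f[3:5]), "".join(f[5:]))


def pack_guid(guid: str) -> str:
    """Inverse of unpack_guid, for building Classes\\Installer key paths from a GUID."""
    hexdigits = guid.strip().strip("{}").replace("-", "").upper()
    if len(hexdigits) != 32:
        raise ValueError(f"not a GUID: {guid!r}")
    return "".join(_reverse_fields(hexdigits))


def decode_msi_version(value: int) -> str:
    """ProductVersion DWORD -> 'major.minor.build' (8 / 8 / 16 bits, high to low)."""
    return f"{(value >> 24) & 0xFF}.{(value >> 16) & 0xFF}.{value & 0xFFFF}"


def decode_report() -> dict:
    """Decode every installer identifier the report shows for this sample."""
    product = unpack_guid(PRODUCT_KEY)
    return {
        "ProductCode": product,
        "UpgradeCode": unpack_guid(UPGRADE_KEY),
        "PackageCode": unpack_guid(PACKAGE_CODE),
        "ProductVersion": decode_msi_version(VERSION_DWORD),
        "Language": LANGUAGE_ID,
        # The same product is registered under the per-machine Uninstall key by
        # its unpacked ProductCode; this path is derived, not taken from the report.
        "UninstallKey": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" + "\\" + product,
    }


if __name__ == "__main__":
    for name, value in decode_report().items():
        print(f"{name:15} {value}")
```

The `ProductName` value (`UpgradeValiantSupervisor`) together with the decoded ProductCode is the pair to search for on other hosts; the cached copy of the package that msiexec writes under `C:\Windows\Installer` (the `.msi` files listed in "Drops file in Windows directory") is the artifact to acquire when the original download is gone. `pack_guid` goes the other way, so a ProductCode found in an `Uninstall` key can be turned back into the `Classes\Installer\Products\` key name for a registry hunt.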

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: 35 N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: 35 N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 2340 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2532 wrote to memory of 2340 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2532 wrote to memory of 2340 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2532 wrote to memory of 2340 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2532 wrote to memory of 2340 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2340 wrote to memory of 1028 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1028 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 1028 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 680 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 2340 wrote to memory of 680 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 2340 wrote to memory of 680 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 680 wrote to memory of 776 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 680 wrote to memory of 776 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 680 wrote to memory of 776 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 680 wrote to memory of 776 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 680 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 680 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 680 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 680 wrote to memory of 2016 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 680 wrote to memory of 2016 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 680 wrote to memory of 2016 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 680 wrote to memory of 2016 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 2340 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 2340 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 2340 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 2340 wrote to memory of 2444 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 2340 wrote to memory of 2300 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
PID 2340 wrote to memory of 2300 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
PID 2340 wrote to memory of 2300 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
PID 2340 wrote to memory of 2300 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
PID 2340 wrote to memory of 2300 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
PID 2340 wrote to memory of 2300 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
PID 2340 wrote to memory of 2300 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
PID 2300 wrote to memory of 408 N/A C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp
PID 2300 wrote to memory of 408 N/A C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp
PID 2300 wrote to memory of 408 N/A C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp
PID 2300 wrote to memory of 408 N/A C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp
PID 2300 wrote to memory of 408 N/A C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp
PID 2300 wrote to memory of 408 N/A C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp
PID 2300 wrote to memory of 408 N/A C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp
PID 408 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 408 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 408 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 408 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000394" "00000000000005E0"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding A73CE193CF33C9120F535CD0860ED9B6 M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y

C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe

"C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe

"C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y

C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe

"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 293 -file file3 -mode mode3

C:\Program Files\UpgradeValiantSupervisor\tsetup.exe

"C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp" /SL5="$C01AE,44246395,814592,C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 95.161.76.100:80 tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
US 8.8.8.8:53 td.telegram.org udp
NL 149.154.167.99:443 td.telegram.org tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 149.154.167.99:443 td.telegram.org tcp
NL 149.154.167.91:443 tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.91:80 149.154.167.91 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
SG 149.154.171.5:443 tcp
SG 149.154.171.5:80 149.154.171.5 tcp
US 8.8.8.8:53 dns.google.com udp
US 8.8.4.4:443 dns.google.com tcp
NL 95.161.76.101:443 tcp

Files

memory/2340-12-0x0000000000200000-0x0000000000210000-memory.dmp

memory/1028-17-0x000000001B6B0000-0x000000001B992000-memory.dmp

memory/1028-18-0x0000000001D70000-0x0000000001D78000-memory.dmp

C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ

MD5 6101e66d187d929fc28c617b17d9e8ab
SHA1 0b8e6f9340cdefdd74221a9b0ad0e570e2a5af3d
SHA256 b4ba63b8872d6a4dadecef5fed82bff1ef01db274388a99d5cf358512c3c3d75
SHA512 f748b6a05f3b6fe7587218d26e969f67e4ef79313333137e77860b20e71f02fc1c8163ba62b682aadabd568a442e99ef36a75aa5e374e6ef845f7e101376cde3

C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci

MD5 5e0b75c71015883973f333fa502e8bf6
SHA1 77f442eeddd17e6815c7672c4db948cb62870dc1
SHA256 be5db62a4a38dbd19c4a223a339692e8868a88a28f1b720585bc5bf6572ec0f6
SHA512 8a85dab48d4a35998bd60212d18e56144dab4e4cacb56d86c7a16702af347dd0477421f59e5ac3f1934ba97ce05589f95f241969f73baf9d0cb5cb97ff115fc8

C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe

MD5 2a9aa3a122ff15917a565ba28e77c533
SHA1 698ba5909e1633fbd640e80c1804097a3d356628
SHA256 7dc4adf24defbc98d5bbaa7a89d30dc87dfc7a0eb8606acaf73fb845f272ccd9
SHA512 a3f6d10bc6f5652699f080a35e3af8794b315c70eb307f52a0e869d3de3f0a6302f421ce10aba34ec9fb6d2dc5a6f2460b8c97c403e75692e73f18d4b9870263

C:\Program Files\UpgradeValiantSupervisor\tsetup.exe

MD5 8a53cf72375f6899082463c36422d411
SHA1 161d9d3b21bf0d9a9790b92013ec76c6d839af06
SHA256 1b31e3758c4b158143dc41c7c4617984d958760d8d7718e1e38492c67f6bbf65
SHA512 daadba04fb90002a2cb8e44c1b98d6bf702b9cfe33d3b6dc981c877e0a77c620f2538a2748f2fb4e88493e326cc45764c54dad659d8d2d018b74b24fd727a190

memory/2300-44-0x0000000000400000-0x00000000004D4000-memory.dmp

C:\Config.Msi\f76c209.rbs

MD5 00be8c3086a7a0addf66daab8d4414ab
SHA1 830e12b0daffec8f3423302bfd2f25bbf7b4f549
SHA256 83f5cc72523b19fc16d571b6d3349c0c6b48c72be159ffbaf89d20cecd52ecc7
SHA512 637162c6598c1b861c2695813ac1650165294c9e1ad60a518de7d9622dca050434815927fc0dd72deccc4f4082ece98b7da5a699c7ab2576206aefc539c3cdaa

\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp

MD5 d90927477dbf0725af0a10e151c184c4
SHA1 4cd69b23ee9c1efe9bd539f0fef841a09a4a773e
SHA256 43182a0ae7e22cc7f9b8028dc71e82826c80e9ac265f8d2dfa08876bb41b7029
SHA512 bfbd62482e99127c1bf621a135b464b5f96b86adfcb9064660c0dc1052099643ea9485e1358a758ab466f19c97042dafccb781e157203ea51e43956e4b6f4f98

C:\Windows\Installer\f76c207.msi

MD5 a4d9f86c09bef236ea991b8801af8ebf
SHA1 dd7f0c051958471cd01005544f43a61323e7f108
SHA256 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5
SHA512 75f31cb0b4b26b2c255f6029625928fed21170cf7e82e07b186f9978884659336d6201769d4cd345eb1c41c61eab884a16149d92bea5dec5e16dae1c4da4bb56

memory/2444-63-0x000000000A7C0000-0x000000000A7EF000-memory.dmp

memory/2300-67-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/408-68-0x0000000000400000-0x0000000000710000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini

MD5 b441cf59b5a64f74ac3bed45be9fadfc
SHA1 3da72a52e451a26ca9a35611fa8716044a7c0bbc
SHA256 e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311
SHA512 fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3

C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

MD5 a7349236212b0e5cec2978f2cfa49a1a
SHA1 5abb08949162fd1985b89ffad40aaf5fc769017e
SHA256 a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
SHA512 c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Telegram Desktop\Telegram.lnk

MD5 d87917dbb14a54190693a451515416f4
SHA1 63fab43c99cfb5cb25d396b96fda431a13e07791
SHA256 7a650d67c7407dda4b8e5e3d99b02e115a29b453da6b4af0c6ffb43310eaa448
SHA512 5742e52e7d2c5178b53d8952029313ee954c1a699c056cbdb2ce6822dc263a8fc22d8a860212471e39430517c23078e48e98b7af48802f71af6db49a681e157a

memory/2216-120-0x0000000000130000-0x000000000013A000-memory.dmp

memory/2216-119-0x0000000000130000-0x000000000013A000-memory.dmp

memory/2300-127-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/408-126-0x0000000000400000-0x0000000000710000-memory.dmp

memory/2216-139-0x00000000024B0000-0x00000000024BA000-memory.dmp

memory/2216-138-0x00000000024B0000-0x00000000024BA000-memory.dmp

memory/2216-144-0x00000000024B0000-0x00000000024BA000-memory.dmp

memory/2216-143-0x00000000024B0000-0x00000000024BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab365E.tmp

MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

memory/2216-197-0x0000000000130000-0x000000000013A000-memory.dmp

memory/2216-198-0x0000000000130000-0x000000000013A000-memory.dmp

memory/2216-207-0x00000000024B0000-0x00000000024BA000-memory.dmp

memory/2216-206-0x00000000024B0000-0x00000000024BA000-memory.dmp

memory/2216-210-0x00000000024B0000-0x00000000024BA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 05:55

Reported

2024-11-15 05:57

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\S: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\V: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\M: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\P: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\O: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\X: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\N: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\R: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\Y: C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QtrVrzdIjlZB.exe.log C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Saved Games C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
File opened for modification C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIA519.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57a3a4.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57a3a2.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57a3a2.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{9EACC170-77C4-49C0-82B8-0229967CDE70} C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\UpgradeValiantSupervisor\tsetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not captured in this export] C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\tg\ = "URL:Telegram Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\EstimatedSize = "163980" C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\tg\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities\ApplicationDescription = "Telegram Desktop" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\RegisteredApplications\Telegram Desktop = "SOFTWARE\\TelegramDesktop\\Capabilities" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = a80e2ef987a029d792bf182414d851905c3dcd5707d47dbe0e20a639e16318ae C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayIcon = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe" C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\MinorVersion = "2" C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMinor = "2" C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\NoRepair = "1" C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: User = "SYSTEM" C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMajor = "5" C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Deselected Tasks C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984\071CCAE94C770C94288B209269C7ED07 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\ProductName = "UpgradeValiantSupervisor" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\PackageCode = "B2FCB3C3AE4D29B4F88C48506EB40769" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\PackageName = "0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Version = "34078724" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A
N/A N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: 35 N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: 35 N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 1808 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1492 wrote to memory of 1808 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1492 wrote to memory of 4664 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1492 wrote to memory of 4664 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4664 wrote to memory of 1812 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4664 wrote to memory of 1812 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4664 wrote to memory of 1980 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 4664 wrote to memory of 1980 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1980 wrote to memory of 3412 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 1980 wrote to memory of 3412 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 1980 wrote to memory of 3412 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 1980 wrote to memory of 2240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1980 wrote to memory of 2240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1980 wrote to memory of 3128 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 1980 wrote to memory of 3128 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 1980 wrote to memory of 3128 N/A C:\Windows\System32\cmd.exe C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
PID 4664 wrote to memory of 3348 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 4664 wrote to memory of 3348 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 4664 wrote to memory of 3348 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 4664 wrote to memory of 2296 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
PID 4664 wrote to memory of 2296 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
PID 4664 wrote to memory of 2296 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
PID 2296 wrote to memory of 4580 N/A C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp
PID 2296 wrote to memory of 4580 N/A C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp
PID 2296 wrote to memory of 4580 N/A C:\Program Files\UpgradeValiantSupervisor\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp
PID 3700 wrote to memory of 556 N/A C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 3700 wrote to memory of 556 N/A C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 3700 wrote to memory of 556 N/A C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 556 wrote to memory of 1728 N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 556 wrote to memory of 1728 N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 556 wrote to memory of 1728 N/A C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 4580 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 4580 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 9004D59FE2A96EDDF284D602CCDAAA5A E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y

C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe

"C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe

"C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y

C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe

"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 293 -file file3 -mode mode3

C:\Program Files\UpgradeValiantSupervisor\tsetup.exe

"C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs"

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe

"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" install

C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp" /SL5="$9016A,44246395,814592,C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe

"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" start

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe

"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"

C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe

"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 242 -file file3 -mode mode3

C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe

"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 62 -file file3 -mode mode3

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 3.26.192.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 dsfgdg5641rfe.icu udp
HK 38.47.221.100:80 dsfgdg5641rfe.icu tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.221.47.38.in-addr.arpa udp
HK 118.107.29.131:13000 - tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 131.29.107.118.in-addr.arpa udp
US 8.8.8.8:53 fgh523fg4juty.cyou udp
HK 38.47.218.35:18999 fgh523fg4juty.cyou tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 149.154.167.51:443 - tcp
NL 95.161.76.100:443 - tcp
NL 95.161.76.100:80 95.161.76.100 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
US 8.8.8.8:53 td.telegram.org udp
US 8.8.8.8:53 100.76.161.95.in-addr.arpa udp
US 8.8.8.8:53 51.167.154.149.in-addr.arpa udp
NL 149.154.167.99:443 td.telegram.org tcp
NL 149.154.167.99:443 td.telegram.org tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 149.154.167.92:443 - tcp
NL 149.154.167.50:443 - tcp
NL 149.154.167.41:443 - tcp
NL 149.154.167.92:80 149.154.167.92 tcp
NL 149.154.167.50:80 149.154.167.50 tcp
NL 149.154.167.41:80 149.154.167.41 tcp
US 8.8.8.8:53 50.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 41.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 92.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 qdfbvccc.cyou udp
HK 38.47.218.35:18999 fgh523fg4juty.cyou tcp
HK 118.107.29.131:13000 - tcp
US 8.8.8.8:53 qdfbvccc.cyou udp
HK 38.47.218.35:18999 fgh523fg4juty.cyou tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 qdfbvccc.cyou udp
HK 38.47.218.35:18999 fgh523fg4juty.cyou tcp
US 8.8.8.8:53 qdfbvccc.cyou udp
HK 38.47.218.35:18999 fgh523fg4juty.cyou tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

\??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3c2b8586-62e0-4015-8e96-08d623ec8a34}_OnDiskSnapshotProp

MD5 83743d03bf637873029231bac94b57d8
SHA1 6bb16b64e6f8285f23f8c1f7227d70b5cc471424
SHA256 8562cd5aee25ae17bd79f78d64689807f41726a69a1b25986bdcad1ee0983399
SHA512 c8fbbaf7334429b749692597d2fcc9bb8ffdca070a3799b7ac132b7b245cdf9849be9919367ae7f9122937be8fd2918899ffd6ff2ca2828f75be9fd5dcc36193

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 a1e3a2ae95c90167523c9ea17bd5c60e
SHA1 23a065b41aa390587f40c730c990e4ddcabeee39
SHA256 e2b356fae4d11280da85167aa3e4a4ece17b6a1788c1c619ac973b91cd4d7e4c
SHA512 54c975306f470f42756d50c2ecd627b266f44f51e22d742da2d67bf65653e05bce9347da7ba869664b9097433980585d5e63b9ef8a8409f8019b611fd5767501

memory/1812-15-0x000002D1C6B40000-0x000002D1C6B62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gik2pb4n.pmq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ

MD5 6101e66d187d929fc28c617b17d9e8ab
SHA1 0b8e6f9340cdefdd74221a9b0ad0e570e2a5af3d
SHA256 b4ba63b8872d6a4dadecef5fed82bff1ef01db274388a99d5cf358512c3c3d75
SHA512 f748b6a05f3b6fe7587218d26e969f67e4ef79313333137e77860b20e71f02fc1c8163ba62b682aadabd568a442e99ef36a75aa5e374e6ef845f7e101376cde3

C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci

MD5 5e0b75c71015883973f333fa502e8bf6
SHA1 77f442eeddd17e6815c7672c4db948cb62870dc1
SHA256 be5db62a4a38dbd19c4a223a339692e8868a88a28f1b720585bc5bf6572ec0f6
SHA512 8a85dab48d4a35998bd60212d18e56144dab4e4cacb56d86c7a16702af347dd0477421f59e5ac3f1934ba97ce05589f95f241969f73baf9d0cb5cb97ff115fc8

C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe

MD5 2a9aa3a122ff15917a565ba28e77c533
SHA1 698ba5909e1633fbd640e80c1804097a3d356628
SHA256 7dc4adf24defbc98d5bbaa7a89d30dc87dfc7a0eb8606acaf73fb845f272ccd9
SHA512 a3f6d10bc6f5652699f080a35e3af8794b315c70eb307f52a0e869d3de3f0a6302f421ce10aba34ec9fb6d2dc5a6f2460b8c97c403e75692e73f18d4b9870263

C:\Program Files\UpgradeValiantSupervisor\tsetup.exe

MD5 8a53cf72375f6899082463c36422d411
SHA1 161d9d3b21bf0d9a9790b92013ec76c6d839af06
SHA256 1b31e3758c4b158143dc41c7c4617984d958760d8d7718e1e38492c67f6bbf65
SHA512 daadba04fb90002a2cb8e44c1b98d6bf702b9cfe33d3b6dc981c877e0a77c620f2538a2748f2fb4e88493e326cc45764c54dad659d8d2d018b74b24fd727a190

memory/3348-54-0x0000000029F40000-0x0000000029F6F000-memory.dmp

memory/2296-61-0x0000000000400000-0x00000000004D4000-memory.dmp

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe

MD5 d305d506c0095df8af223ac7d91ca327
SHA1 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

C:\Config.Msi\e57a3a3.rbs

MD5 89b009b713481257a55d1673cd52752e
SHA1 e8f880240559adadd4a826a810e5fcc457ed3db1
SHA256 f8b53df266bbd5f4fb81784598827f60b00a4a5998b32da9bc28d20ea5a4eb7e
SHA512 cb10aa543ed66e942719e9db486927aef10675ab79fe5cde65078c67a2778cdd1f13e2e22072fef7bc327318799eb73e917259c3aa4bbb0807e59817cbef0ac2

C:\Windows\Installer\e57a3a2.msi

MD5 a4d9f86c09bef236ea991b8801af8ebf
SHA1 dd7f0c051958471cd01005544f43a61323e7f108
SHA256 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5
SHA512 75f31cb0b4b26b2c255f6029625928fed21170cf7e82e07b186f9978884659336d6201769d4cd345eb1c41c61eab884a16149d92bea5dec5e16dae1c4da4bb56

C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs

MD5 31cb7c228337b05b262877c9d1d31f40
SHA1 c67ef4beb96061c1bdf53334e125dde65d079e2a
SHA256 f3acc593d2324d95131363105f89f5e97a0d251a997eab95486b8f0ffe76baee
SHA512 fda05de734d8dadd6250687bdd9e74a1ee833f860ddb296faac2e7c1251cd2a346e31e68590d6694ab504982815482b888b9328ab5248a431d6ae9df30997be8

C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp

MD5 d90927477dbf0725af0a10e151c184c4
SHA1 4cd69b23ee9c1efe9bd539f0fef841a09a4a773e
SHA256 43182a0ae7e22cc7f9b8028dc71e82826c80e9ac265f8d2dfa08876bb41b7029
SHA512 bfbd62482e99127c1bf621a135b464b5f96b86adfcb9064660c0dc1052099643ea9485e1358a758ab466f19c97042dafccb781e157203ea51e43956e4b6f4f98

memory/3516-78-0x0000000000CB0000-0x0000000000D86000-memory.dmp

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml

MD5 4ee2e5cfef0b61980880c759eebacd1c
SHA1 d338d574e5178264ffbdb2020aa909e6cea10bf1
SHA256 2a42cb86659c84a47872b40b226db56f74d6de5c3f0e83369321a6a5e2f0c383
SHA512 ed9b9c2fd43c42da14099a4c4e0cba8c92d6c525a67453ac9d6892b68386ec684f81edf68a61edfc8a94b46c3fae380afe863d545d1df52c2455e05cb985c3fa

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QtrVrzdIjlZB.exe.log

MD5 122cf3c4f3452a55a92edee78316e071
SHA1 f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512 c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log

MD5 9f8647fc4e7f1c51d363d79ee6436b3e
SHA1 e86f865b34f86a6fd83fe8e0af374f7a0ae03285
SHA256 feee34168222e1363e858104e98b40bb2eb80970ef285a47c001743db7b66eac
SHA512 aabba360926fdb5215837d95694ca3c0d516c9fdbb4f7b6a098f2485006d3bcf450fd0c58648a64e877b031b38a0ca48219ec5be608d6fab993c058f68c2bc90

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log

MD5 39cb6bb8702b3aa67cd488f9495dd641
SHA1 2ef89f56c9a1ac16ac1d6116a0dcb5232661969e
SHA256 1ec7a98489eabb15159a62af341fc6528de91711484de0313fd908039d5a8967
SHA512 3d2a4a6737d0a4349348bf53e3d116ef09f9764cce7eacf63942c849ab930ebd48484bead9a616a7faab05ae0b94848b04cd2e296e2f09841f82e8a1c9106b4b

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log

MD5 6d5ffa724d7a510ab64b760e3ec9c19a
SHA1 fcd204705358e0e17302569083b120d6d0d59c5b
SHA256 d750bbbc03d4c407ca25622b84eee0961c8f5a7e94b6b975c8d7d170e90ad636
SHA512 23bc5dee5f0490871475c477af8c613daa694dc74e6f73361ab566321883b76f605b085efdbda20b83b32c598e7455129970970a1320b0b5670d4cc969dec8ae

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log

MD5 acba25681de8e28d318365192250a3f7
SHA1 a1715c8689d52aabbcccc1ea208c9a29d5f1d3a2
SHA256 96ce2b09379c29edb5db2f060fec5c0fb5cfb9d5d18c339888530c895cf1f9f8
SHA512 f5771b0d9e4abb797aec802a4fe46908d29a872eeff3a6017418fc5580d93c6d2aa00ca9b4a046c74fd0aad38d1f564a344b1719d7c883b9fdaa6763751e50c2

memory/1728-109-0x000000002A140000-0x000000002A18D000-memory.dmp

memory/2296-110-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/4580-111-0x0000000000400000-0x0000000000710000-memory.dmp

memory/1728-112-0x000000002BD40000-0x000000002BEFC000-memory.dmp

memory/1728-114-0x000000002BD40000-0x000000002BEFC000-memory.dmp

memory/1728-115-0x000000002BD40000-0x000000002BEFC000-memory.dmp

memory/1728-116-0x000000002BD40000-0x000000002BEFC000-memory.dmp

memory/4580-121-0x0000000000400000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Telegram Desktop\Telegram.lnk

MD5 91acf87684e0ffb8954255d67faec978
SHA1 d84a6532278935f560ed3492de5b32c7227d7744
SHA256 a240f260addf3b2c058b1b86bbfb1f723d8d5b41c8eeaeda08994508321e37cf
SHA512 1a4d42956417e99411be9de7d488bf93ea237f1d33a7d0acc3fe0524e25e96ca672997f7d522854b4ca32f81acd49a39e394e92946d714d4d7b08c9851a08504

C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

MD5 a7349236212b0e5cec2978f2cfa49a1a
SHA1 5abb08949162fd1985b89ffad40aaf5fc769017e
SHA256 a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
SHA512 c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

memory/4580-154-0x0000000000400000-0x0000000000710000-memory.dmp

memory/2296-155-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/1728-236-0x000000002BD40000-0x000000002BEFC000-memory.dmp

memory/1728-238-0x000000002BD40000-0x000000002BEFC000-memory.dmp