Analysis Overview
SHA256
0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5
Threat Level: Known bad
The file 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi.vir was found to be: Known bad.
Malicious Activity Summary
Purplefox family
PurpleFox
Gh0strat family
Gh0st RAT payload
Gh0strat
Detect PurpleFox Rootkit
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Drops file in System32 directory
Executes dropped EXE
Drops file in Windows directory
Drops file in Program Files directory
Loads dropped DLL
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Runs ping.exe
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: CmdExeWriteProcessMemorySpam
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 05:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 05:55
Reported
2024-11-15 05:57
Platform
win7-20240903-en
Max time kernel
144s
Max time network
137s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\Saved Games | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | C:\Windows\system32\MsiExec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\valibclang2d.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | C:\Windows\system32\MsiExec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\tsetup.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76c207.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76c208.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f76c207.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76c208.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC2D2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76c20a.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\tsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
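Added triage example (not part of the sandbox report): the "Drops file in Program Files directory" and "Executes dropped EXE" tables above are flat event lists, and the first thing an analyst wants from them is the drop chain behind each executed binary, plus the payloads that were written but never ran in this detonation. The sample rows below are copied from those two tables; the chain-walking logic, the extension list and the three result buckets are this example's own choices. Note that msiexec.exe enumerating drive letters and enabling its full privilege set (earlier sections) is ordinary Windows Installer behaviour during any install; the staged binaries under Program Files\UpgradeValiantSupervisor and their lineage are what distinguishes this run.

```python
"""Join the 'Drops file in Program Files directory' rows with the 'Executes
dropped EXE' rows to recover the drop chain behind each executed binary and to
flag dropped payloads that never ran during the detonation."""
import ntpath

# Constructed sample input: (path, creating process) pairs and executed-binary
# paths copied from the two report tables above. msiexec.exe appears in mixed
# case in the report, so every comparison is case-insensitive.
PF = r"C:\Program Files\UpgradeValiantSupervisor"
MSIEXEC = r"C:\Windows\system32\msiexec.exe"
STAGE1 = PF + r"\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe"
DROPS = [
    (STAGE1, MSIEXEC),
    (PF + r"\ZhObbZwOavDN.exe", r"C:\Windows\system32\MsiExec.exe"),
    (PF + r"\tsetup.exe", MSIEXEC),
    (PF + r"\valibclang2d.dll", MSIEXEC),
    (PF + r"\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ", MSIEXEC),
    (PF + r"\QtrVrzdIjlZB.exe", STAGE1),
    (PF + r"\QtrVrzdIjlZB.xml", STAGE1),
    (PF + r"\2_ZhObbZwOavDN.exe", STAGE1),
    (PF + r"\ZhObbZwOavDN", STAGE1),
    (PF + r"\iRlgheBCPWUcwhQjzNGDiXyPXDubci", STAGE1),
    (PF + r"\ZhObbZwOavDN.vbs", PF + r"\ZhObbZwOavDN.exe"),
]
EXECUTED = [
    STAGE1,
    PF + r"\ZhObbZwOavDN.exe",
    PF + r"\tsetup.exe",
    r"C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp",
    r"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe",
]
# Extensions treated as executable content for the "staged" bucket (own choice).
CODE_EXTS = (".exe", ".dll", ".vbs", ".ps1", ".bat", ".cmd")


def norm(path: str) -> str:
    """Case-insensitive Windows path key (ntpath works on any host OS)."""
    return ntpath.normcase(path)


def build_dropped_by(drops):
    """Map normalised dropped-file path -> process that created it."""
    return {norm(path): creator for path, creator in drops}


def drop_chain(path, dropped_by):
    """Follow creator links from a file back to the process the sandbox never saw
    dropped (the root, e.g. msiexec.exe). Returns basenames, root first."""
    chain, seen = [path], {norm(path)}
    cur = dropped_by.get(norm(path))
    while cur is not None and norm(cur) not in seen:  # 'seen' guards against cycles
        chain.append(cur)
        seen.add(norm(cur))
        cur = dropped_by.get(norm(cur))
    return [ntpath.basename(p) for p in reversed(chain)]


def triage(drops, executed):
    """Split the joined events into the three buckets an analyst reads first."""
    dropped_by = build_dropped_by(drops)
    ran = {norm(p) for p in executed}
    return {
        # executed binaries the sandbox also saw being written, with their lineage
        "chains": {ntpath.basename(p): drop_chain(p, dropped_by)
                   for p in executed if norm(p) in dropped_by},
        # code files written to disk but not executed in this detonation
        "staged_not_run": sorted(ntpath.basename(p) for p, _ in drops
                                 if norm(p) not in ran and p.lower().endswith(CODE_EXTS)),
        # executed binaries whose creation is outside the tables joined here
        "run_without_observed_drop": sorted(ntpath.basename(p) for p in executed
                                            if norm(p) not in dropped_by),
    }


if __name__ == "__main__":
    result = triage(DROPS, EXECUTED)
    for name, chain in result["chains"].items():
        print("chain       :", " -> ".join(chain))
    print("staged      :", ", ".join(result["staged_not_run"]))
    print("no drop seen:", ", ".join(result["run_without_observed_drop"]))
```

The two "run without observed drop" entries (tsetup.tmp and Telegram.exe) are expected here: they are written under the user profile by the Inno Setup installer, so they fall outside the Program Files table this join consumes; feeding the other "Drops file" tables into DROPS closes that gap.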
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\tsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\tsetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\RegisteredApplications | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: App Path = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\URLInfoAbout = "https://desktop.telegram.org" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\TelegramDesktop\Capabilities\ApplicationDescription = "Telegram Desktop" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\URLUpdateInfo = "https://desktop.telegram.org" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Language = "english" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\MajorVersion = "5" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\tg\ = "URL:Telegram Link" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0801efd2237db01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = 9801000020582c012337db01 | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMinor = "2" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMajor = "5" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities\UrlAssociations | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\EstimatedSize = "163980" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\UninstallString = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\unins000.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1 | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\InstallDate = "20241115" | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\TelegramDesktop\Capabilities\ApplicationName = "Telegram Desktop" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Version = "34078724" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\PackageName = "0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\ProductName = "UpgradeValiantSupervisor" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984\071CCAE94C770C94288B209269C7ED07 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\PackageCode = "B2FCB3C3AE4D29B4F88C48506EB40769" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
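Added example (not part of the sandbox report): the Installer\Products and Installer\UpgradeCodes key names above are Windows Installer "packed" GUIDs, and the Version value is a packed DWORD (34078724 is 2.8.4). Decoding them gives the canonical ProductCode, UpgradeCode and PackageCode that appear in the other standard Installer locations on a host, which is what a hunter needs to check a suspect machine without re-detonating the sample. The input values are copied from the table above; the encoding rules are the documented Windows Installer packing (first three GUID groups reversed as strings, hex digits of each byte swapped in the last two groups). The S-1-5-18 UserData path assumes a per-machine install, which the HKLM Classes\Installer\Products key above indicates.

```python
"""Decode the Windows Installer registry artifacts recorded above into hunt-ready
indicators. Windows Installer writes ProductCode, UpgradeCode and PackageCode
GUIDs under Installer\\Products and Installer\\UpgradeCodes in a packed 32-hex
form: the first three GUID groups are reversed as strings, and in the last two
groups the two hex digits of every byte are swapped. The Version value is a
packed DWORD: major in the top byte, minor in the next byte, build in the low word.
"""
import re

# Values copied from this report's "Modifies registry class" table.
REPORT_PRODUCT_KEY = "071CCAE94C770C94288B209269C7ED07"
REPORT_UPGRADE_KEY = "4AC14C41ED6CF2947B4F7ADE34E99984"
REPORT_PACKAGE_CODE = "B2FCB3C3AE4D29B4F88C48506EB40769"
REPORT_VERSION = 34078724

_GUID_RE = re.compile(
    r"\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?"
)


def _swap_pairs(hexstr: str) -> str:
    """Swap the two hex digits of every byte: 'AB12' -> 'BA21'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def unsquish_guid(packed: str) -> str:
    """Packed 32-char Installer key name -> canonical {GUID}."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError("not a packed GUID: %r" % packed)
    p = packed.upper()
    groups = (p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
              _swap_pairs(p[16:20]), _swap_pairs(p[20:32]))
    return "{%s-%s-%s-%s-%s}" % groups


def squish_guid(guid: str) -> str:
    """Canonical {GUID} -> packed key name (inverse of unsquish_guid)."""
    m = _GUID_RE.fullmatch(guid)
    if not m:
        raise ValueError("not a GUID: %r" % guid)
    g1, g2, g3, g4, g5 = (g.upper() for g in m.groups())
    return g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)


def unpack_version(dword: int) -> str:
    """Installer Version DWORD -> 'major.minor.build'."""
    if not 0 <= dword <= 0xFFFFFFFF:
        raise ValueError("Version must fit in a DWORD")
    return "%d.%d.%d" % (dword >> 24, (dword >> 16) & 0xFF, dword & 0xFFFF)


def hunt_locations(packed_product: str, packed_upgrade: str) -> list:
    """Standard per-machine Windows Installer registry paths for this product.
    S-1-5-18 is the LocalSystem UserData hive used for per-machine installs,
    which the HKLM Classes\\Installer\\Products key in the report indicates."""
    product = unsquish_guid(packed_product)
    return [
        r"HKLM\SOFTWARE\Classes\Installer\Products" + "\\" + packed_product.upper(),
        r"HKLM\SOFTWARE\Classes\Installer\UpgradeCodes" + "\\" + packed_upgrade.upper(),
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" + "\\" + product,
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products"
        + "\\" + packed_product.upper(),
    ]


if __name__ == "__main__":
    print("ProductCode :", unsquish_guid(REPORT_PRODUCT_KEY))
    print("UpgradeCode :", unsquish_guid(REPORT_UPGRADE_KEY))
    print("PackageCode :", unsquish_guid(REPORT_PACKAGE_CODE))
    print("Version     :", unpack_version(REPORT_VERSION))
    for path in hunt_locations(REPORT_PRODUCT_KEY, REPORT_UPGRADE_KEY):
        print("check       :", path)
```

The UpgradeCode is the more durable indicator of the two: a rebuilt package with a new ProductCode and PackageCode would still land under the same UpgradeCodes key if the authors kept their WiX/MSI project settings, so it is worth hunting on even when the file hash changes.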
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: 35 | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: 35 | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000394" "00000000000005E0"
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding A73CE193CF33C9120F535CD0860ED9B6 M Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
"C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
"C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 293 -file file3 -mode mode3
C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
"C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp" /SL5="$C01AE,44246395,814592,C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | im.qq.com | udp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 95.161.76.100:80 | | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| NL | 95.161.76.100:80 | 95.161.76.100 | tcp |
| US | 8.8.8.8:53 | td.telegram.org | udp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| NL | 149.154.167.91:443 | | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 149.154.167.91:80 | 149.154.167.91 | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| NL | 95.161.76.100:80 | 95.161.76.100 | tcp |
| SG | 149.154.171.5:443 | | tcp |
| SG | 149.154.171.5:80 | 149.154.171.5 | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.4.4:443 | dns.google.com | tcp |
| NL | 95.161.76.101:443 | | tcp |
Files
memory/2340-12-0x0000000000200000-0x0000000000210000-memory.dmp
memory/1028-17-0x000000001B6B0000-0x000000001B992000-memory.dmp
memory/1028-18-0x0000000001D70000-0x0000000001D78000-memory.dmp
C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
| MD5 | c31c4b04558396c6fabab64dcf366534 |
| SHA1 | fa836d92edc577d6a17ded47641ba1938589b09a |
| SHA256 | 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3 |
| SHA512 | 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99 |
C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ
| MD5 | 6101e66d187d929fc28c617b17d9e8ab |
| SHA1 | 0b8e6f9340cdefdd74221a9b0ad0e570e2a5af3d |
| SHA256 | b4ba63b8872d6a4dadecef5fed82bff1ef01db274388a99d5cf358512c3c3d75 |
| SHA512 | f748b6a05f3b6fe7587218d26e969f67e4ef79313333137e77860b20e71f02fc1c8163ba62b682aadabd568a442e99ef36a75aa5e374e6ef845f7e101376cde3 |
C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci
| MD5 | 5e0b75c71015883973f333fa502e8bf6 |
| SHA1 | 77f442eeddd17e6815c7672c4db948cb62870dc1 |
| SHA256 | be5db62a4a38dbd19c4a223a339692e8868a88a28f1b720585bc5bf6572ec0f6 |
| SHA512 | 8a85dab48d4a35998bd60212d18e56144dab4e4cacb56d86c7a16702af347dd0477421f59e5ac3f1934ba97ce05589f95f241969f73baf9d0cb5cb97ff115fc8 |
C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe
| MD5 | 2a9aa3a122ff15917a565ba28e77c533 |
| SHA1 | 698ba5909e1633fbd640e80c1804097a3d356628 |
| SHA256 | 7dc4adf24defbc98d5bbaa7a89d30dc87dfc7a0eb8606acaf73fb845f272ccd9 |
| SHA512 | a3f6d10bc6f5652699f080a35e3af8794b315c70eb307f52a0e869d3de3f0a6302f421ce10aba34ec9fb6d2dc5a6f2460b8c97c403e75692e73f18d4b9870263 |
C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
| MD5 | 8a53cf72375f6899082463c36422d411 |
| SHA1 | 161d9d3b21bf0d9a9790b92013ec76c6d839af06 |
| SHA256 | 1b31e3758c4b158143dc41c7c4617984d958760d8d7718e1e38492c67f6bbf65 |
| SHA512 | daadba04fb90002a2cb8e44c1b98d6bf702b9cfe33d3b6dc981c877e0a77c620f2538a2748f2fb4e88493e326cc45764c54dad659d8d2d018b74b24fd727a190 |
memory/2300-44-0x0000000000400000-0x00000000004D4000-memory.dmp
C:\Config.Msi\f76c209.rbs
| MD5 | 00be8c3086a7a0addf66daab8d4414ab |
| SHA1 | 830e12b0daffec8f3423302bfd2f25bbf7b4f549 |
| SHA256 | 83f5cc72523b19fc16d571b6d3349c0c6b48c72be159ffbaf89d20cecd52ecc7 |
| SHA512 | 637162c6598c1b861c2695813ac1650165294c9e1ad60a518de7d9622dca050434815927fc0dd72deccc4f4082ece98b7da5a699c7ab2576206aefc539c3cdaa |
\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp
| MD5 | d90927477dbf0725af0a10e151c184c4 |
| SHA1 | 4cd69b23ee9c1efe9bd539f0fef841a09a4a773e |
| SHA256 | 43182a0ae7e22cc7f9b8028dc71e82826c80e9ac265f8d2dfa08876bb41b7029 |
| SHA512 | bfbd62482e99127c1bf621a135b464b5f96b86adfcb9064660c0dc1052099643ea9485e1358a758ab466f19c97042dafccb781e157203ea51e43956e4b6f4f98 |
C:\Windows\Installer\f76c207.msi
| MD5 | a4d9f86c09bef236ea991b8801af8ebf |
| SHA1 | dd7f0c051958471cd01005544f43a61323e7f108 |
| SHA256 | 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5 |
| SHA512 | 75f31cb0b4b26b2c255f6029625928fed21170cf7e82e07b186f9978884659336d6201769d4cd345eb1c41c61eab884a16149d92bea5dec5e16dae1c4da4bb56 |
memory/2444-63-0x000000000A7C0000-0x000000000A7EF000-memory.dmp
memory/2300-67-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/408-68-0x0000000000400000-0x0000000000710000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini
| MD5 | b441cf59b5a64f74ac3bed45be9fadfc |
| SHA1 | 3da72a52e451a26ca9a35611fa8716044a7c0bbc |
| SHA256 | e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311 |
| SHA512 | fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
| MD5 | a7349236212b0e5cec2978f2cfa49a1a |
| SHA1 | 5abb08949162fd1985b89ffad40aaf5fc769017e |
| SHA256 | a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082 |
| SHA512 | c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Telegram Desktop\Telegram.lnk
| MD5 | d87917dbb14a54190693a451515416f4 |
| SHA1 | 63fab43c99cfb5cb25d396b96fda431a13e07791 |
| SHA256 | 7a650d67c7407dda4b8e5e3d99b02e115a29b453da6b4af0c6ffb43310eaa448 |
| SHA512 | 5742e52e7d2c5178b53d8952029313ee954c1a699c056cbdb2ce6822dc263a8fc22d8a860212471e39430517c23078e48e98b7af48802f71af6db49a681e157a |
memory/2216-120-0x0000000000130000-0x000000000013A000-memory.dmp
memory/2216-119-0x0000000000130000-0x000000000013A000-memory.dmp
memory/2300-127-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/408-126-0x0000000000400000-0x0000000000710000-memory.dmp
memory/2216-139-0x00000000024B0000-0x00000000024BA000-memory.dmp
memory/2216-138-0x00000000024B0000-0x00000000024BA000-memory.dmp
memory/2216-144-0x00000000024B0000-0x00000000024BA000-memory.dmp
memory/2216-143-0x00000000024B0000-0x00000000024BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab365E.tmp
| MD5 | d59a6b36c5a94916241a3ead50222b6f |
| SHA1 | e274e9486d318c383bc4b9812844ba56f0cff3c6 |
| SHA256 | a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53 |
| SHA512 | 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489 |
memory/2216-197-0x0000000000130000-0x000000000013A000-memory.dmp
memory/2216-198-0x0000000000130000-0x000000000013A000-memory.dmp
memory/2216-207-0x00000000024B0000-0x00000000024BA000-memory.dmp
memory/2216-206-0x00000000024B0000-0x00000000024BA000-memory.dmp
memory/2216-210-0x00000000024B0000-0x00000000024BA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 05:55
Reported
2024-11-15 05:57
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QtrVrzdIjlZB.exe.log | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\Saved Games | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\valibclang2d.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\tsetup.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIA519.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57a3a4.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57a3a2.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57a3a2.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{9EACC170-77C4-49C0-82B8-0229967CDE70} | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\tsetup.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\tsetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\tg\ = "URL:Telegram Link" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\EstimatedSize = "163980" | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\tg\URL Protocol | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities\ApplicationDescription = "Telegram Desktop" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\RegisteredApplications\Telegram Desktop = "SOFTWARE\\TelegramDesktop\\Capabilities" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = a80e2ef987a029d792bf182414d851905c3dcd5707d47dbe0e20a639e16318ae | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayIcon = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe" | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\MinorVersion = "2" | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMinor = "2" | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\NoRepair = "1" | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: User = "SYSTEM" | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMajor = "5" | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Deselected Tasks | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\System32\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984\071CCAE94C770C94288B209269C7ED07 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\ProductName = "UpgradeValiantSupervisor" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\PackageCode = "B2FCB3C3AE4D29B4F88C48506EB40769" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\PackageName = "0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Version = "34078724" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
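The Installer\Products, Installer\Features and Installer\UpgradeCodes keys above do not store the MSI's ProductCode, UpgradeCode and PackageCode in their normal GUID form: Windows Installer "squishes" them (first three fields reversed whole, the remaining eight bytes reversed pairwise), and the Version value packs major, minor and build into one DWORD. The following is an added example, not code from the sandbox report, that decodes the three codes and the version value taken from the rows above so they can be matched against the MSI's Property table or an Uninstall key; it assumes nothing beyond the standard Windows Installer encoding.

```python
# Added example, not part of the sandbox report: decode the "squished"
# GUIDs that Windows Installer writes under
# HKLM\SOFTWARE\Classes\Installer\{Products,UpgradeCodes} back to the
# ProductCode / UpgradeCode / PackageCode form used in the MSI tables,
# and unpack the packed Version DWORD. Input values are copied from the
# registry rows above.

import re

PRODUCT_SQUISHED = "071CCAE94C770C94288B209269C7ED07"   # Products\<code>
UPGRADE_SQUISHED = "4AC14C41ED6CF2947B4F7ADE34E99984"   # UpgradeCodes\<code>
PACKAGE_SQUISHED = "B2FCB3C3AE4D29B4F88C48506EB40769"   # PackageCode value
VERSION_PACKED = 34078724                               # Version value

# The squished form reverses the first three GUID fields whole and the
# remaining eight bytes pairwise. Applying the same reversal twice
# restores the original, so one helper serves both directions.
_GROUPS = (8, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2)

def _reverse_groups(hex32: str) -> list:
    parts, pos = [], 0
    for width in _GROUPS:
        parts.append(hex32[pos:pos + width][::-1])
        pos += width
    return parts

def unsquish_guid(squished: str) -> str:
    """'071CCAE9...' -> '{9EACC170-77C4-...}' (registry form -> MSI form)."""
    s = squished.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError("expected 32 hex digits, got %r" % squished)
    p = _reverse_groups(s)
    return "{%s-%s-%s-%s%s-%s}" % (p[0], p[1], p[2], p[3], p[4], "".join(p[5:]))

def squish_guid(guid: str) -> str:
    """Inverse of unsquish_guid; handy for building a registry search."""
    s = guid.strip().strip("{}").replace("-", "").upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError("bad GUID %r" % guid)
    return "".join(_reverse_groups(s))

def decode_msi_version(packed: int) -> tuple:
    """The Version DWORD is major<<24 | minor<<16 | build."""
    return (packed >> 24) & 0xFF, (packed >> 16) & 0xFF, packed & 0xFFFF

def decode_from_report() -> dict:
    return {
        "ProductCode": unsquish_guid(PRODUCT_SQUISHED),
        "UpgradeCode": unsquish_guid(UPGRADE_SQUISHED),
        "PackageCode": unsquish_guid(PACKAGE_SQUISHED),
        "Version": "%d.%d.%d" % decode_msi_version(VERSION_PACKED),
    }

if __name__ == "__main__":
    for key, value in decode_from_report().items():
        print("%-12s %s" % (key, value))
```

Running it on the values from this report yields ProductCode {9EACC170-77C4-49C0-82B8-0229967CDE70}, UpgradeCode {14C41CA4-C6DE-492F-B7F4-A7ED439E9948}, PackageCode {3C3BCF2B-D4EA-4B92-8FC8-8405E64B7096} and version 2.8.4. A quick sanity check on any decoded code is the third field starting with 4 and the fourth with 8, 9, A or B (a random version-4 GUID), which all three satisfy; the Language value 1033 (en-US) and the PackageName pointing at the sample's own SHA256 name need no decoding.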
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: 35 | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: 35 | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 9004D59FE2A96EDDF284D602CCDAAA5A E Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
"C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
"C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 293 -file file3 -mode mode3
C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
"C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs"
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" install
C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp" /SL5="$9016A,44246395,814592,C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" start
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 242 -file file3 -mode mode3
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 62 -file file3 -mode mode3
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
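The process list above is the whole infection chain in order: msiexec installs the package from the user's Temp directory, a custom action runs PowerShell to add a Defender exclusion for the drop directory, cmd.exe uses a renamed extractor to unpack two extensionless, password-protected archives with a loopback ping as the delay between them, the unpacked payload runs, WScript executes a dropped .vbs, a service-wrapper style binary is called with install and start, and a genuine Telegram installer is launched as the decoy. The following is an added example, not part of the report, that turns those observations into command-line triage rules and runs them over the command lines copied from the list; the rule names, regular expressions and the three-rule threshold are my own heuristics.

```python
# Added example, not part of the sandbox report: rule-based triage of the
# process command lines listed above. Rules, names and threshold are my own
# heuristics; the input is copied from the report's "Processes" list.

import re
from typing import Callable, Dict, List, Optional

# Constructed input: command lines from the Processes list above, one per
# line, with quoting preserved as the sandbox captured it.
CAPTURED = r'''
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor'
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
"C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y
ping 127.0.0.1 -n 2
"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 293 -file file3 -mode mode3
C:\Windows\System32\WScript.exe "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs"
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" install
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" start
"C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
'''.strip().splitlines()

def _extractor_input(cl: str) -> Optional[str]:
    """Quoted path following a bare 'x' (extract) verb, or None."""
    m = re.search(r'(?:^|\s)x\s+"([^"]+)"', cl)
    return m.group(1) if m else None

def defender_exclusion(cl: str) -> bool:
    # Defender exclusion set from a command line (defence evasion).
    return re.search(r"Add-MpPreference\b.*-Exclusion", cl, re.I) is not None

def password_archive_extract(cl: str) -> bool:
    # Archive extracted with an inline password, so AV never saw the content.
    return _extractor_input(cl) is not None and re.search(r"\s-p\S", cl) is not None

def extensionless_archive(cl: str) -> bool:
    # The archive's last path component carries no file extension.
    src = _extractor_input(cl)
    return src is not None and "." not in src.rsplit("\\", 1)[-1]

def ping_delay(cl: str) -> bool:
    # Loopback ping with a count: the classic cmd.exe sleep.
    return re.search(r"\bping\b.*127\.0\.0\.1.*-n\s+\d+", cl, re.I) is not None

def script_host_vbs(cl: str) -> bool:
    # Script host running a .vbs dropped under Program Files.
    return re.search(r"wscript\.exe.*program files.*\.vbs", cl, re.I) is not None

def service_wrapper_verb(cl: str) -> bool:
    # install/start/stop verbs on a freshly dropped binary.
    return re.search(r'\.exe"?\s+(install|uninstall|start|stop)\s*$', cl, re.I) is not None

def msi_from_user_temp(cl: str) -> bool:
    # MSI installed straight out of a Temp directory.
    return re.search(r"msiexec.*\s/i\s+.*\\temp\\", cl, re.I) is not None

RULES: Dict[str, Callable[[str], bool]] = {
    f.__name__: f for f in (defender_exclusion, password_archive_extract,
                            extensionless_archive, ping_delay, script_host_vbs,
                            service_wrapper_verb, msi_from_user_temp)
}

def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each rule that fired to the command lines it fired on."""
    hits: Dict[str, List[str]] = {}
    for cl in cmdlines:
        for name, pred in RULES.items():
            if pred(cl):
                hits.setdefault(name, []).append(cl)
    return hits

def verdict(hits: Dict[str, List[str]], threshold: int = 3) -> str:
    return "suspicious" if len(hits) >= threshold else "benign-looking"

if __name__ == "__main__":
    fired = triage(CAPTURED)
    for name, lines in fired.items():
        print("%-26s %d" % (name, len(lines)))
    print("verdict:", verdict(fired))
```

On the captured chain every rule fires and the verdict is suspicious; the Telegram installer and client lines match nothing, which is the point of the decoy. In production the same rules belong in a process-creation query (Sysmon event 1 or Security event 4688 with command-line logging) keyed on parent process as well, because msiexec spawning PowerShell that calls Add-MpPreference is by itself a high-confidence indicator.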
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.26.192.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | im.qq.com | udp |
| US | 8.8.8.8:53 | dsfgdg5641rfe.icu | udp |
| HK | 38.47.221.100:80 | dsfgdg5641rfe.icu | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.221.47.38.in-addr.arpa | udp |
| HK | 118.107.29.131:13000 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.29.107.118.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fgh523fg4juty.cyou | udp |
| HK | 38.47.218.35:18999 | fgh523fg4juty.cyou | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 95.161.76.100:80 | 95.161.76.100 | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| US | 8.8.8.8:53 | td.telegram.org | udp |
| US | 8.8.8.8:53 | 100.76.161.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 149.154.167.92:443 | | tcp |
| NL | 149.154.167.50:443 | | tcp |
| NL | 149.154.167.41:443 | | tcp |
| NL | 149.154.167.92:80 | 149.154.167.92 | tcp |
| NL | 149.154.167.50:80 | 149.154.167.50 | tcp |
| NL | 149.154.167.41:80 | 149.154.167.41 | tcp |
| US | 8.8.8.8:53 | 50.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qdfbvccc.cyou | udp |
| HK | 38.47.218.35:18999 | fgh523fg4juty.cyou | tcp |
| HK | 118.107.29.131:13000 | | tcp |
| US | 8.8.8.8:53 | qdfbvccc.cyou | udp |
| HK | 38.47.218.35:18999 | fgh523fg4juty.cyou | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qdfbvccc.cyou | udp |
| HK | 38.47.218.35:18999 | fgh523fg4juty.cyou | tcp |
| US | 8.8.8.8:53 | qdfbvccc.cyou | udp |
| HK | 38.47.218.35:18999 | fgh523fg4juty.cyou | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
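Most rows in the Network table are noise for IOC purposes: the sandbox's own reverse (PTR) lookups of every address it touched, and the Telegram client's traffic to td.telegram.org and the 149.154.167.x / 95.161.76.x data centres, which the dropped tsetup.exe fully explains. What remains is a short list of non-standard-port TCP connections to Hong Kong addresses fronted by throwaway .icu/.cyou domains. The following is an added example, not part of the report, that parses rows in the table's own layout and reduces them to that list; the only assumption beyond the table is mine, that 149.154.167.0/24 and 95.161.76.0/24 are Telegram infrastructure.

```python
# Added example, not part of the sandbox report: reduce the Network table
# above to a de-duplicated list of candidate C2 endpoints. Reverse lookups
# (*.in-addr.arpa) and the resolver itself are dropped; destinations in
# Telegram ranges are reported separately because the dropped Telegram
# client accounts for them. Assumption (mine, not stated in the report):
# 149.154.167.0/24 and 95.161.76.0/24 belong to Telegram.

import ipaddress
from collections import OrderedDict
from typing import Dict, List, Tuple

RESOLVER = "8.8.8.8:53"
TELEGRAM_NETS = [ipaddress.ip_network("149.154.167.0/24"),
                 ipaddress.ip_network("95.161.76.0/24")]

# Constructed input: a subset of rows from the Network table above, in its
# "| Country | Destination | Domain | Proto |" layout.
NETWORK_TABLE = """
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | im.qq.com | udp |
| US | 8.8.8.8:53 | dsfgdg5641rfe.icu | udp |
| HK | 38.47.221.100:80 | dsfgdg5641rfe.icu | tcp |
| HK | 118.107.29.131:13000 | | tcp |
| US | 8.8.8.8:53 | fgh523fg4juty.cyou | udp |
| HK | 38.47.218.35:18999 | fgh523fg4juty.cyou | tcp |
| NL | 149.154.167.51:443 | | tcp |
| US | 8.8.8.8:53 | td.telegram.org | udp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| US | 8.8.8.8:53 | qdfbvccc.cyou | udp |
| HK | 38.47.218.35:18999 | fgh523fg4juty.cyou | tcp |
| HK | 118.107.29.131:13000 | | tcp |
| US | 8.8.8.8:53 | qdfbvccc.cyou | udp |
"""

Row = Tuple[str, str, str, str]

def parse_rows(text: str) -> List[Row]:
    """Split pipe-delimited rows into (country, destination, domain, proto)."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Country":
            rows.append(tuple(cells))
    return rows

def _is_telegram(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in TELEGRAM_NETS)

def classify(rows: List[Row]):
    """Return (c2, telegram, resolved_only): two dest->summary maps in
    first-seen order, plus names that were resolved but never connected to."""
    c2: Dict[str, dict] = OrderedDict()
    telegram: Dict[str, dict] = OrderedDict()
    resolved = set()
    for country, dest, domain, proto in rows:
        if domain.endswith(".in-addr.arpa"):
            continue                     # sandbox PTR lookups, not attacker-chosen
        if dest == RESOLVER:
            if domain:
                resolved.add(domain)     # DNS query only
            continue
        host = dest.rpartition(":")[0]
        bucket = telegram if _is_telegram(host) else c2
        entry = bucket.setdefault(dest, {"country": country, "proto": proto,
                                         "domains": set(), "hits": 0})
        entry["hits"] += 1
        if domain:
            entry["domains"].add(domain)
    connected = {d for e in list(c2.values()) + list(telegram.values())
                 for d in e["domains"]}
    return c2, telegram, sorted(resolved - connected)

def ioc_lines(c2: Dict[str, dict]) -> List[str]:
    """One line per endpoint: dest proto country xhits domains."""
    return ["%s %s %s x%d %s" % (dest, e["proto"], e["country"], e["hits"],
                                 ",".join(sorted(e["domains"])) or "-")
            for dest, e in c2.items()]

if __name__ == "__main__":
    c2, tg, dns_only = classify(parse_rows(NETWORK_TABLE))
    print("\n".join(ioc_lines(c2)))
    print("telegram:", list(tg))
    print("resolved only:", dns_only)
```

The output for this report is three endpoints (38.47.221.100:80, 118.107.29.131:13000 and 38.47.218.35:18999) plus two names that were resolved without a matching connection row, im.qq.com and qdfbvccc.cyou. The table labels the connections to 38.47.218.35:18999 that follow the qdfbvccc.cyou lookups with the earlier name fgh523fg4juty.cyou, so qdfbvccc.cyou lands in the resolved-only list; it still belongs in the block list alongside the other two domains.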
Files
\??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3c2b8586-62e0-4015-8e96-08d623ec8a34}_OnDiskSnapshotProp
| MD5 | 83743d03bf637873029231bac94b57d8 |
| SHA1 | 6bb16b64e6f8285f23f8c1f7227d70b5cc471424 |
| SHA256 | 8562cd5aee25ae17bd79f78d64689807f41726a69a1b25986bdcad1ee0983399 |
| SHA512 | c8fbbaf7334429b749692597d2fcc9bb8ffdca070a3799b7ac132b7b245cdf9849be9919367ae7f9122937be8fd2918899ffd6ff2ca2828f75be9fd5dcc36193 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | a1e3a2ae95c90167523c9ea17bd5c60e |
| SHA1 | 23a065b41aa390587f40c730c990e4ddcabeee39 |
| SHA256 | e2b356fae4d11280da85167aa3e4a4ece17b6a1788c1c619ac973b91cd4d7e4c |
| SHA512 | 54c975306f470f42756d50c2ecd627b266f44f51e22d742da2d67bf65653e05bce9347da7ba869664b9097433980585d5e63b9ef8a8409f8019b611fd5767501 |
memory/1812-15-0x000002D1C6B40000-0x000002D1C6B62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gik2pb4n.pmq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
| MD5 | c31c4b04558396c6fabab64dcf366534 |
| SHA1 | fa836d92edc577d6a17ded47641ba1938589b09a |
| SHA256 | 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3 |
| SHA512 | 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99 |
C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ
| MD5 | 6101e66d187d929fc28c617b17d9e8ab |
| SHA1 | 0b8e6f9340cdefdd74221a9b0ad0e570e2a5af3d |
| SHA256 | b4ba63b8872d6a4dadecef5fed82bff1ef01db274388a99d5cf358512c3c3d75 |
| SHA512 | f748b6a05f3b6fe7587218d26e969f67e4ef79313333137e77860b20e71f02fc1c8163ba62b682aadabd568a442e99ef36a75aa5e374e6ef845f7e101376cde3 |
C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci
| MD5 | 5e0b75c71015883973f333fa502e8bf6 |
| SHA1 | 77f442eeddd17e6815c7672c4db948cb62870dc1 |
| SHA256 | be5db62a4a38dbd19c4a223a339692e8868a88a28f1b720585bc5bf6572ec0f6 |
| SHA512 | 8a85dab48d4a35998bd60212d18e56144dab4e4cacb56d86c7a16702af347dd0477421f59e5ac3f1934ba97ce05589f95f241969f73baf9d0cb5cb97ff115fc8 |
C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe
| MD5 | 2a9aa3a122ff15917a565ba28e77c533 |
| SHA1 | 698ba5909e1633fbd640e80c1804097a3d356628 |
| SHA256 | 7dc4adf24defbc98d5bbaa7a89d30dc87dfc7a0eb8606acaf73fb845f272ccd9 |
| SHA512 | a3f6d10bc6f5652699f080a35e3af8794b315c70eb307f52a0e869d3de3f0a6302f421ce10aba34ec9fb6d2dc5a6f2460b8c97c403e75692e73f18d4b9870263 |
C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
| MD5 | 8a53cf72375f6899082463c36422d411 |
| SHA1 | 161d9d3b21bf0d9a9790b92013ec76c6d839af06 |
| SHA256 | 1b31e3758c4b158143dc41c7c4617984d958760d8d7718e1e38492c67f6bbf65 |
| SHA512 | daadba04fb90002a2cb8e44c1b98d6bf702b9cfe33d3b6dc981c877e0a77c620f2538a2748f2fb4e88493e326cc45764c54dad659d8d2d018b74b24fd727a190 |
memory/3348-54-0x0000000029F40000-0x0000000029F6F000-memory.dmp
memory/2296-61-0x0000000000400000-0x00000000004D4000-memory.dmp
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
| MD5 | d305d506c0095df8af223ac7d91ca327 |
| SHA1 | 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a |
| SHA256 | 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66 |
| SHA512 | 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796 |
C:\Config.Msi\e57a3a3.rbs
| MD5 | 89b009b713481257a55d1673cd52752e |
| SHA1 | e8f880240559adadd4a826a810e5fcc457ed3db1 |
| SHA256 | f8b53df266bbd5f4fb81784598827f60b00a4a5998b32da9bc28d20ea5a4eb7e |
| SHA512 | cb10aa543ed66e942719e9db486927aef10675ab79fe5cde65078c67a2778cdd1f13e2e22072fef7bc327318799eb73e917259c3aa4bbb0807e59817cbef0ac2 |
C:\Windows\Installer\e57a3a2.msi
| MD5 | a4d9f86c09bef236ea991b8801af8ebf |
| SHA1 | dd7f0c051958471cd01005544f43a61323e7f108 |
| SHA256 | 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5 |
| SHA512 | 75f31cb0b4b26b2c255f6029625928fed21170cf7e82e07b186f9978884659336d6201769d4cd345eb1c41c61eab884a16149d92bea5dec5e16dae1c4da4bb56 |
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs
| MD5 | 31cb7c228337b05b262877c9d1d31f40 |
| SHA1 | c67ef4beb96061c1bdf53334e125dde65d079e2a |
| SHA256 | f3acc593d2324d95131363105f89f5e97a0d251a997eab95486b8f0ffe76baee |
| SHA512 | fda05de734d8dadd6250687bdd9e74a1ee833f860ddb296faac2e7c1251cd2a346e31e68590d6694ab504982815482b888b9328ab5248a431d6ae9df30997be8 |
C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp
| MD5 | d90927477dbf0725af0a10e151c184c4 |
| SHA1 | 4cd69b23ee9c1efe9bd539f0fef841a09a4a773e |
| SHA256 | 43182a0ae7e22cc7f9b8028dc71e82826c80e9ac265f8d2dfa08876bb41b7029 |
| SHA512 | bfbd62482e99127c1bf621a135b464b5f96b86adfcb9064660c0dc1052099643ea9485e1358a758ab466f19c97042dafccb781e157203ea51e43956e4b6f4f98 |
memory/3516-78-0x0000000000CB0000-0x0000000000D86000-memory.dmp
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml
| MD5 | 4ee2e5cfef0b61980880c759eebacd1c |
| SHA1 | d338d574e5178264ffbdb2020aa909e6cea10bf1 |
| SHA256 | 2a42cb86659c84a47872b40b226db56f74d6de5c3f0e83369321a6a5e2f0c383 |
| SHA512 | ed9b9c2fd43c42da14099a4c4e0cba8c92d6c525a67453ac9d6892b68386ec684f81edf68a61edfc8a94b46c3fae380afe863d545d1df52c2455e05cb985c3fa |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QtrVrzdIjlZB.exe.log
| MD5 | 122cf3c4f3452a55a92edee78316e071 |
| SHA1 | f2caa36d483076c92d17224cf92e260516b3cbbf |
| SHA256 | 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0 |
| SHA512 | c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c |
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log
| MD5 | 9f8647fc4e7f1c51d363d79ee6436b3e |
| SHA1 | e86f865b34f86a6fd83fe8e0af374f7a0ae03285 |
| SHA256 | feee34168222e1363e858104e98b40bb2eb80970ef285a47c001743db7b66eac |
| SHA512 | aabba360926fdb5215837d95694ca3c0d516c9fdbb4f7b6a098f2485006d3bcf450fd0c58648a64e877b031b38a0ca48219ec5be608d6fab993c058f68c2bc90 |
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log
| MD5 | 39cb6bb8702b3aa67cd488f9495dd641 |
| SHA1 | 2ef89f56c9a1ac16ac1d6116a0dcb5232661969e |
| SHA256 | 1ec7a98489eabb15159a62af341fc6528de91711484de0313fd908039d5a8967 |
| SHA512 | 3d2a4a6737d0a4349348bf53e3d116ef09f9764cce7eacf63942c849ab930ebd48484bead9a616a7faab05ae0b94848b04cd2e296e2f09841f82e8a1c9106b4b |
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log
| MD5 | 6d5ffa724d7a510ab64b760e3ec9c19a |
| SHA1 | fcd204705358e0e17302569083b120d6d0d59c5b |
| SHA256 | d750bbbc03d4c407ca25622b84eee0961c8f5a7e94b6b975c8d7d170e90ad636 |
| SHA512 | 23bc5dee5f0490871475c477af8c613daa694dc74e6f73361ab566321883b76f605b085efdbda20b83b32c598e7455129970970a1320b0b5670d4cc969dec8ae |
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log
| MD5 | acba25681de8e28d318365192250a3f7 |
| SHA1 | a1715c8689d52aabbcccc1ea208c9a29d5f1d3a2 |
| SHA256 | 96ce2b09379c29edb5db2f060fec5c0fb5cfb9d5d18c339888530c895cf1f9f8 |
| SHA512 | f5771b0d9e4abb797aec802a4fe46908d29a872eeff3a6017418fc5580d93c6d2aa00ca9b4a046c74fd0aad38d1f564a344b1719d7c883b9fdaa6763751e50c2 |
memory/1728-109-0x000000002A140000-0x000000002A18D000-memory.dmp
memory/2296-110-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/4580-111-0x0000000000400000-0x0000000000710000-memory.dmp
memory/1728-112-0x000000002BD40000-0x000000002BEFC000-memory.dmp
memory/1728-114-0x000000002BD40000-0x000000002BEFC000-memory.dmp
memory/1728-115-0x000000002BD40000-0x000000002BEFC000-memory.dmp
memory/1728-116-0x000000002BD40000-0x000000002BEFC000-memory.dmp
memory/4580-121-0x0000000000400000-0x0000000000710000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Telegram Desktop\Telegram.lnk
| MD5 | 91acf87684e0ffb8954255d67faec978 |
| SHA1 | d84a6532278935f560ed3492de5b32c7227d7744 |
| SHA256 | a240f260addf3b2c058b1b86bbfb1f723d8d5b41c8eeaeda08994508321e37cf |
| SHA512 | 1a4d42956417e99411be9de7d488bf93ea237f1d33a7d0acc3fe0524e25e96ca672997f7d522854b4ca32f81acd49a39e394e92946d714d4d7b08c9851a08504 |
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
| MD5 | a7349236212b0e5cec2978f2cfa49a1a |
| SHA1 | 5abb08949162fd1985b89ffad40aaf5fc769017e |
| SHA256 | a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082 |
| SHA512 | c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02 |
memory/4580-154-0x0000000000400000-0x0000000000710000-memory.dmp
memory/2296-155-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/1728-236-0x000000002BD40000-0x000000002BEFC000-memory.dmp
memory/1728-238-0x000000002BD40000-0x000000002BEFC000-memory.dmp