Malware Analysis Report

2024-09-11 12:59

Sample ID 240613-tc67kszaml
Target RoGhoul.msi
SHA256 54da67354ca45596f98a3cea115bf32a8d2c252a0473080f25fe1d7bd9bfa153
Tags
evasion trojan
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

54da67354ca45596f98a3cea115bf32a8d2c252a0473080f25fe1d7bd9bfa153

Threat Level: Shows suspicious behavior

The file RoGhoul.msi was found to be: Shows suspicious behavior.

Malicious Activity Summary

evasion trojan

Checks whether UAC is enabled

Enumerates connected drives

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Drops file in Windows directory

Executes dropped EXE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 15:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 15:55

Reported

2024-06-13 15:58

Platform

win7-20240611-en

Max time kernel

118s

Max time network

130s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RoGhoul.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Installer\MSI20FC.tmp N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI1EC5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F24.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI207C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f761b91.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI20FC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f761b8c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f761b8c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1DBA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1E86.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f761b8f.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f761b8f.ipi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Installer\MSI20FC.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000ed169913355de1b7a5468ff743f8b4540fc7e72f801bd5d27387c473f79dbda3000000000e8000000002000020000000b02c278420a8a6b48b2ec30148fc910c190d293bf8e1fb4fb43020f7e4d56b8620000000f9e0cb72e7d4346c86b04603a49d249e635e21f3ab80f94c6127c828e94bc7284000000039657d8efcc0b95475d0629ef9385b872f98cf51c76b78c8c5d8e59a47e730613abf86031d6c98ced4d36ecfc120c189ebc088aea9a9a07fbc3effcf7417402b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424456035" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7273D9B1-299D-11EF-A13C-DEB4B2C1951C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90cc2048aabdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000ddbc39acf664cce521b82e3d93cea82ce957c8add2929e6d14b9a0bb963527ba000000000e8000000002000020000000d5c31c38d2769e4273ad2114a0b92c8cfee73649a23d6c461efe65755f21f9ab9000000090e9303e5365114494e1830cc84c67c18f68a9e0143b442b1ffbf7b4e95eb1e7e1ad99462bb677098a43a9c46ed14b3dab4b9aa8966cc04f38616c3c63574abc8375c560b7256fd45e7af75f584dcd9f5b67841bf24ded36bf5ddca56ba866d13b2aecac8a6e11116ffa5b536320d97609ddcd115ebcbd78b570ad3f942616208a6f04b7461dd4b957fecafdfdf5167140000000765ba98f7375fc9aa17ffe90a00d5e8bf0706780ce0900085a26a1cf98ced54d543da36599019a0bcc61948ee00788e4e6bce518adbc2c88cd0e0c09a6fb0447 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE315C105C859B54A8A9FB99D8F5C90C\96B150D8852E30E418B3B54B26D727B4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\PackageName = "RoGhoul.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\ProductName = "Guard" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\PackageCode = "2088ACF133F0AF54BBD3C7A4AF2F2121" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE315C105C859B54A8A9FB99D8F5C90C C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96B150D8852E30E418B3B54B26D727B4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96B150D8852E30E418B3B54B26D727B4\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\Net C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2732 wrote to memory of 2344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2732 wrote to memory of 2344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2732 wrote to memory of 2344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2732 wrote to memory of 2344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2732 wrote to memory of 2344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2732 wrote to memory of 2344 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2732 wrote to memory of 2768 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20FC.tmp
PID 2732 wrote to memory of 2768 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20FC.tmp
PID 2732 wrote to memory of 2768 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20FC.tmp
PID 2732 wrote to memory of 2768 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20FC.tmp
PID 2732 wrote to memory of 2768 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20FC.tmp
PID 2732 wrote to memory of 2768 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20FC.tmp
PID 2732 wrote to memory of 2768 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20FC.tmp
PID 2224 wrote to memory of 532 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2224 wrote to memory of 532 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2224 wrote to memory of 532 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2224 wrote to memory of 532 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RoGhoul.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 33A00E4285E1D0DEB791DC3218CF1D17

C:\Windows\Installer\MSI20FC.tmp

"C:\Windows\Installer\MSI20FC.tmp" https://telixsearch.com/tyy

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 repository.certum.pl udp
BE 2.17.197.138:80 repository.certum.pl tcp
US 8.8.8.8:53 telixsearch.com udp
US 172.67.142.97:443 telixsearch.com tcp
US 172.67.142.97:443 telixsearch.com tcp
US 8.8.8.8:53 2ly.link udp
US 35.226.132.161:443 2ly.link tcp
US 35.226.132.161:443 2ly.link tcp
US 35.226.132.161:443 2ly.link tcp
US 35.226.132.161:443 2ly.link tcp
US 35.226.132.161:443 2ly.link tcp
US 35.226.132.161:443 2ly.link tcp
US 35.226.132.161:443 2ly.link tcp
US 35.226.132.161:443 2ly.link tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab18D0.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar19DC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e6354d44c8860d2d852e14f07aa0650
SHA1 79a2a5e7e384e0e3a2b0571d43029be8f95fce78
SHA256 5449205f27d13dee4497ef1d834715f67382a4b9a7408b5fc6e730888cb59d45
SHA512 dad361e64890c3bbf0773b2641408f933edd13e0fc9a424cfb9fb7be40d3f4d646d71850a4c60c0b6cddced1e1c8cfb2accdb8df190849bae6aa20ee670a2eeb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\538F535B7FBDE384E456CC9F5DA5FBAB

MD5 6d469ed9256d08235b5e747d1e27dbf2
SHA1 d3dd483e2bbf4c05e8af10f5fa7626cfd3dc3092
SHA256 b676f2eddae8775cd36cb0f63cd1d4603961f49e6265ba013a2f0307b6d0b804
SHA512 04cbf2a5f740d030208136b0ee1db38299943c74efa55045f564268246a929018fcaf26aa02768bb20321aa3f70c4609c163c75a3929ef8da016de000566a74c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\538F535B7FBDE384E456CC9F5DA5FBAB

MD5 b5621e8d4b7e987375d2e6db019008a7
SHA1 893a7dff5edaba56d3c6e953931e1cb5b6c0bc2c
SHA256 5cec8e67e97d126d80391f09d25b623bd426f89b47531eb18aa2d93f61fc3fe3
SHA512 5a05d3c28fb6add170e3c6152c97d8d56a54eef0998c38647ada506c3f496b4301d58f9e69b96ec8d8666f909544b3b59dfe678747ae724500d4d826ea2d912d

\Windows\Installer\MSI1DBA.tmp

MD5 8d84543f774c6b280b32b24265e272e8
SHA1 cd3a0dbc06b9b4945f3a5d3b40972a0b5f66044b
SHA256 32b60176177d943df28f931828717f4b52b1434b8c0cd3ca8cc8a424b016b092
SHA512 247c5c3c4765e61b4d4b7514886e9eccb45746593b21a8dc8f718a224a1a0bc813fe227030738c3035cb9a9017ba53d7feff07cccb11407e9b22678af0c42056

C:\Config.Msi\f761b90.rbs

MD5 253e6905d01d37603eccbb8166a73a21
SHA1 210bc3c848c06ae80e795246b898bf6366873d90
SHA256 08832b6fbf6780600e7187734b64c7799c3125cf0f24f6dc98153e319f6501a6
SHA512 5ff6bf9fcc5dd277ad50c2f1f523035bf57170e48a7ea9a566df7563bcb6ede5032b9179092970ea1ec803a42f34d9a714e9b9428e7d07749949dbaa0464c710

C:\Windows\Installer\MSI20FC.tmp

MD5 4f5c40ec5d343ed9f185fbd1d6123d0b
SHA1 3b7569cbe35834c21493385329e43a73ef66413f
SHA256 0272659c6402b95da6c59cbfe4e3e60a361c50bebf536dd0b4c7b914e05cf175
SHA512 64d5476938997a4478744c1185e73391047a1f198d57dc91cc49b9229f144086cae831af828600d979f02c1739065e252fc54e1491354438d875785ba9d8efac

memory/2768-167-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\URL20F8.url

MD5 f55413e1ba8c031cc52db905951a37d2
SHA1 62f6ef8f268fd5a7951980e2b20445b6a23b000c
SHA256 a2342cbf200f262c6b3a36da301d8ea540edd9f2627492032501679e54d01c55
SHA512 a18f615f8d2dab277ece0a85826168d8405e18f5f1aed725be77c847fbab9c40faed1cad9fdec8af6288d1fda15e51cb6bc9dd33648714cd51d1023d389757da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0753de270e8057d5303c0ce983e606f
SHA1 8160e3a75de8bbe10125548a6542d3877d14359d
SHA256 d9aebbe485641ad038c172f1da0cf418d33e8f674f3ccd3399bcc6f9a9a7c6f7
SHA512 21afa5d6abb33f6aa498dc4c1ed5fc6c89e4383426a9afdd4506b2e5cea44b7e521109042f4d3c277936cae3c10412a36c338eb923d9876e3bbb730a80ec1e2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9ae849e972ee3dfe608df5a204f53a0
SHA1 2435c15692f3f668a36e102177064449b8d5f382
SHA256 3b7671534345f951b223757a93e5f43f09fc48fbcfc9bb9b290e106ac73e7668
SHA512 092c133bfa1d4bb635641eff0db9b599dfff8decb3f1369544c6998ebf45e68be06422b7436a16e6d053ca9f131042c93ea1181a2bd0e2b731d44ccbda28ff9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef314f1e3d828dd1053c119fd9e542d4
SHA1 114ca08d5d082fd510aad6e7c0ccacec87e8022a
SHA256 25d1f976aa9160782728dd4213654a4d9f6970c0276e3c0b6b32908a20c72d5d
SHA512 b1de1c1da811dc945fa95570f1adcee61aa74af558c468a6a33a9a52453d96f11648b5cc5b3c030313545e6dbc9ab44233fadbeb3602371d548db19e8bffbba7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a518333c627f8afeaa26304ddbc08fa7
SHA1 025f8df41ebf3a983c2f398b1a95b4b9fc08c0a8
SHA256 e4c400789adedff1ceb9fcf4efb04101b72954e9c36bf0a277a56de514988692
SHA512 0a26703e14cf1a34fcdfea7c0b2028b0c619d0505203b67e0715af3be469439991112823b8a6696bd489bc1a10faad3d0f3e55f3f1c40848627c5d16e0188dc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b24258df2c86b230c8ba9d2a17aee426
SHA1 0739397f38d0d288a777bf311bd8c55e661614a4
SHA256 26acd09ac8a17289ed397f886120f8826ee9aee89a8228d38658a5ac6739cc61
SHA512 da73f5dab219af1963c410b940b235de2ff98cc16a2deb0a05babae5b35c41f860dddd928ca61440c4daf9cc75c4e4fc1667c43bcf541b1dbaca580f5a316ef0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1b58653414c8df3673d85d0272566e6
SHA1 9a10bf7249c23101fea894c89589493043847dd0
SHA256 7cebccd768c4f310e2b0a895afff9edca285170a7ad56ae0335dc522f98d87a7
SHA512 8348f29eea88d7a13703d5719419a32349a4d686893b4d4d36756dd053208bb0f125cf8e7c0e26466dc580f052e74ba8d691326a9039218dfbe4e405f971d373

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84e2a8b8172f4950d8033fee3d255174
SHA1 9772fdf0fd82ead4e816394bb3ecd6014fac840c
SHA256 e44a748427fe0d3835aaef4d7568d5785dc9c688535f0977537d968b4227d7bf
SHA512 6cbc548c009f0418685d2e747cb0615fd41ab462ce27a28ff6a8e0e62cd5126583db4a5d7cd5673db72ea5f2119350d3fdf1888f9889cf3037e9d974ee75a767

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6bad1709ea9d0287d6dd4522a046eb78
SHA1 5c1c2eb4a3798a41f5e618aec216907f009bbbb3
SHA256 065652659392e0b17f9281ea60267f99e8106c727482db277838337c41359707
SHA512 d8e91bc8515f9b3431ca1b33a82a67052b62bcb9bee076271ca886ed1b95d5d327d398d8a0244092e9232961028e93aec05f77e229197a38d63382e21e4a0b78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1bedb8966a6b0795314d5bf3115f0f03
SHA1 434ded955a366ccb7d6d7291f6ee9b4ae9b20c86
SHA256 9b0cc946b7b452fb20515fd1c05d7c92955cb93b281012b42bb2f82898c72ef2
SHA512 564f12e511692ba56912edd135fc3e4b15539b7bf52e4385f69ce3519ae9232823d944ec2615cef7c5c9e023bd85bc510de5b8d96449d8a1ab081bb67ac77b31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23d8e8d988a79257f12b1d7101638ab6
SHA1 2173d7c964038578b82296dd85f73b36165a8e97
SHA256 172ec1ab67957306e8f59ea2c5f947e1b7b5636c97601291b740f48eeeaa3542
SHA512 e7eafeadd5d96f8b5f0a53e3c92b65b68c9f5b13dfa2fa715ba83e148fa3916a98f45700c3085696dc07ead46f07a9f02705bb31294ee0868ba069b49d26326d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c340a55e3fedc0bf90c3084556246ee8
SHA1 00c38d3d64eaea7a2cdbf2060927f10ef03e6c02
SHA256 74fad8a8324e28c85fec3bd62f516dddffa65de8df2741dbb2d1e82216609397
SHA512 9c966d24e7a296c0c0a1c4b66c80c77704898a3ad6627c595a793171a585d6489d9b06aba0ffb40015e84e7f90a9f1e253beebdd22a6d3f4f41d3545487e616f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b4df4b19f3a5bb61772985912ffda1b
SHA1 292f386015c9b527b954f18d81fcf254455d18d5
SHA256 438be88199e16ab85503c4b2cf9616f5188597afc0054dcd743aaf9cf24e3d1f
SHA512 c8eb477d7e3bd3157efe2534db4c01c56c5c21469c29591b5b432243d032f544f3213141679d737cf7d2f2b0da6d8cdfda81eab21b053078324d5421de8ea6eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63afc48f012b23c90fc321237815a4ca
SHA1 f11547df717d4d6198f5be8e51cf8db01a38693a
SHA256 41d724e2f1f5767f8a21dc3c790f1fb4ad7798f6b6794e377a3e72bbcf9cf8ce
SHA512 9bd678c9c117273004d93249ee0d0d3ab31ae4843c27591231fe03726bcdc20374319d916d454afd9f951906fbff41ccdbd17455fbf75ebd4a413b67b6365982

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31e0becb8b9a8cc94449f8b29ecb2283
SHA1 e60f5c8647ed2a0598aa5b074d8caa2f9664cc70
SHA256 29ff99a76c3cb29624aff99d31895ca62c5ba5cc8bdeceaca24fdfd42c5ca7b1
SHA512 918f1752b272da6018d44448d20b677bd323e1c34023e5e13e0fa7cd875349606c5137e410c80d578dded54609e5453a4f5300464dd29bf15a80a9f1f7f76f09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a33f5b227fb5dc33d4e71c501a646404
SHA1 9ff7bcabc9f2f289b81425ef1a57ac3913f56c3c
SHA256 9593792f4922f8a7e9db690e1486f5445afe4baa6d0a4ee258336d6c3e164a6d
SHA512 184bc183b2f4088fb8caf39dfa692022759170bbbd35b8a07c5b5ab1ab23a92099335bae046bbede72a4baf489c28c80a97901273878647d7fbae6aba8c801dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08dafed31a45530a0321743585563dbe
SHA1 131bbd28f043fa42b75f4b93ba4b56fd1b8c1268
SHA256 4b88b980eab3817c9613431283bdc5242f92eeb3cea42057e7064a360aa93154
SHA512 dcd0e89961aa5fface0904a3991c8844bc5b33b9e4abb1d746b1758cd6c407f852dba1e86991830367749e7bc205ac8e51fe542d32cebeae612822ebb2e072c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e218fe799e852336e7bec2b7ec89fee
SHA1 afc2c888ed19e567196425856c85d6ac4ce1154b
SHA256 db4508f9af17f497bb5605eff2be88dfc62cea36efd52ce6e82fa40a4a402ec1
SHA512 7470a2f50e27fa5dfe3268af15e9bf8d750b9f3b6154efa7b1a5675c2ffe04b7c4529f14f032c33022b425afb0043cd3a9fe336ec3acd53748a820dca4c776e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a2b5bed48005336861cc5354b7c02f7
SHA1 1b43751aceede246e66220d9ddda3528335cf014
SHA256 398b444906e48428689fd2d04aa441438eea059b6206579ba075620a3be7fce3
SHA512 e9720a348ef13926fb122ffa23bcaff01b9717b47ffff711ec044b040e10e7609d2403031d15f9a0d0363c0d122ae05f21230a4a2bee68a52e0ffac760aa266a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c3e7304023285437b572c0fb8b8f12c
SHA1 9b1b89fe7883565ed9dc1c807e3bc6447d6e8f46
SHA256 1e79837f47e08f4c43973a75e2f3728e16f545d8aa94c593cab978b95ec571c1
SHA512 88959cfe7fbac1a615ecb3a5e4c0e30115bbec6a05cc498b90999571a012cad69b6b62e00f5252f812838cc77d613e5a3392461166525308cd15c68c3378bdad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5270c04b6593b1af06b08dce34fad20a
SHA1 ec4fad76c17fe1209385fbfe937bf8afddea3b43
SHA256 12d76ebdb3962a9f474ea26c0e10c417c4b8f0076f09acb546229a05a47bef59
SHA512 de952624809e6d14556c7021825eded0b75eaa2c320412614642e033f6945bfa8409f9a29411d5f6498f21764e80c3b5f8550bcac919cf3b2e5a100d02dfa1e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d655641a4474caf49c3ec61dc46c6291
SHA1 d43e48912f9c4e95d7a95003c43cbe90012ad115
SHA256 8ab41ae8907429ba4407cf037f2e11305a95b27ed17dede6bdc7b8f0eda1eb93
SHA512 7c9ad461b6cf51bdd34e03572f8935f1cd479e46d021ca78558ba146aa386850b07cc99fa534890e9b54a8c61f04f36182b41a21e3be807504c97bd1ee7dd6f8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 15:55

Reported

2024-06-13 15:58

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

94s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RoGhoul.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Windows\Installer\MSI5069.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e574ba3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5069.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e574b9f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4D19.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4DA8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4DF7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4C6A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{8D051B69-E258-4E03-813B-5BB4627D724B} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4CE8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4D68.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e574b9f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4D09.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Installer\MSI5069.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE315C105C859B54A8A9FB99D8F5C90C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\PackageName = "RoGhoul.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\PackageCode = "2088ACF133F0AF54BBD3C7A4AF2F2121" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE315C105C859B54A8A9FB99D8F5C90C\96B150D8852E30E418B3B54B26D727B4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96B150D8852E30E418B3B54B26D727B4 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96B150D8852E30E418B3B54B26D727B4\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\ProductName = "Guard" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3320 wrote to memory of 4464 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3320 wrote to memory of 4464 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3320 wrote to memory of 4464 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3320 wrote to memory of 4916 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI5069.tmp
PID 3320 wrote to memory of 4916 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI5069.tmp
PID 3320 wrote to memory of 4916 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI5069.tmp
PID 4916 wrote to memory of 1896 N/A C:\Windows\Installer\MSI5069.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4916 wrote to memory of 1896 N/A C:\Windows\Installer\MSI5069.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 2020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 1936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 1936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 4144 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RoGhoul.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 81F349AF2C93AFF730F3111592B9C9A9

C:\Windows\Installer\MSI5069.tmp

"C:\Windows\Installer\MSI5069.tmp" https://telixsearch.com/tyy

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://telixsearch.com/tyy

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe28f46f8,0x7ffbe28f4708,0x7ffbe28f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,3824183046773893275,12082273755076455083,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2260,3824183046773893275,12082273755076455083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2260,3824183046773893275,12082273755076455083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3824183046773893275,12082273755076455083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3824183046773893275,12082273755076455083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3824183046773893275,12082273755076455083,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 repository.certum.pl udp
BE 2.17.197.138:80 repository.certum.pl tcp
US 8.8.8.8:53 cevcsca2021.ocsp-certum.com udp
BE 2.17.197.67:80 cevcsca2021.ocsp-certum.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 149.27.18.2.in-addr.arpa udp
US 8.8.8.8:53 67.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 138.197.17.2.in-addr.arpa udp
BE 23.41.178.66:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 66.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 telixsearch.com udp
US 172.67.142.97:443 telixsearch.com tcp
US 8.8.8.8:53 97.142.67.172.in-addr.arpa udp
US 8.8.8.8:53 2ly.link udp
US 35.226.132.161:443 2ly.link tcp
US 8.8.8.8:53 yahoo.com udp
US 74.6.231.21:443 yahoo.com tcp
US 8.8.8.8:53 161.132.226.35.in-addr.arpa udp
US 8.8.8.8:53 21.231.6.74.in-addr.arpa udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:443 www.yahoo.com tcp
US 8.8.8.8:53 guce.yahoo.com udp
IE 52.213.56.248:443 guce.yahoo.com tcp
US 8.8.8.8:53 consent.yahoo.com udp
IE 52.213.56.248:443 consent.yahoo.com tcp
US 8.8.8.8:53 s.yimg.com udp
IE 52.213.56.248:443 consent.yahoo.com tcp
US 8.8.8.8:53 11.114.248.87.in-addr.arpa udp
US 8.8.8.8:53 248.56.213.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 98.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B03113490075047F519A3F760F0FF379_95980E5E8BBE730A69D3C1EABF291983

MD5 31128e58cb2cb0d776fb8e4976c4a3db
SHA1 725be604d5339d9ced608e346430087d1aef7b49
SHA256 0e1068ad01000591546f6e664600f24cf5641c04b12f53d23164a8d6423ccbc6
SHA512 a09d6256589c1ac7cd61dd1b8428d677e93ca62fe651069a6b8c438b55b717547e271e2265a9cac09789f68ec1df8b04b121c368d935ba164061bce2eec615a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B03113490075047F519A3F760F0FF379_95980E5E8BBE730A69D3C1EABF291983

MD5 60e319477ff2fb3f698646f61d691f4c
SHA1 af1dd9cd3e2056fd7ffbef6f1cc60fbf06dcb902
SHA256 64d2f43aebc9d064210b0e91d7137f2f061e3729f642708ee8a9e7f34a27a5dc
SHA512 b5b1e397bc8c712086376b1798256e48fbc2664be00d5349fe4dde7ba2bed01dac0509fefd7c6837c57b7178d9d6b2526bfe43b4b93076899806630791ff4cc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5

MD5 b15655ccff8cee0a3b06bba09c2844dc
SHA1 e11b55ac1de7d21d2418304687156a27f22bdb40
SHA256 4e02ce2ad371b1fbc030a6c46fa672c33f66da428ad364f5a59fb67edcc83fa2
SHA512 1d41df86e87f07c5aa2c631cd4752d2d27ce85fd78238bb1895f0695780a726d5948c07c04170b509bc90524dac37b5c3ab8e65fdf802cfd1579cee7f2230d34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5

MD5 9c84a9712b64875ad569c2631ffc7385
SHA1 09d68b3baae27f96feb3b910891851a78b5dad49
SHA256 5bf3b052999cacb59d6d24100a20224c9ecdfb1546baee3ae70ae2e10ac9de37
SHA512 a753b38cdf450ba211f4b00ea9b775d55db3849516484ff85591b924499645f4825eb30829bf726e6e00cea157f06481b5a8eb704937738d8608d3035f907f19

C:\Windows\Installer\MSI4C6A.tmp

MD5 8d84543f774c6b280b32b24265e272e8
SHA1 cd3a0dbc06b9b4945f3a5d3b40972a0b5f66044b
SHA256 32b60176177d943df28f931828717f4b52b1434b8c0cd3ca8cc8a424b016b092
SHA512 247c5c3c4765e61b4d4b7514886e9eccb45746593b21a8dc8f718a224a1a0bc813fe227030738c3035cb9a9017ba53d7feff07cccb11407e9b22678af0c42056

C:\Config.Msi\e574ba2.rbs

MD5 152cdfa117471ace9b834922a246ad9a
SHA1 37740eb5b9578635d1d352b99d1c07b68830b6e1
SHA256 706d60f8227d1590a74a2b163a8298ad2b93fa00dc09d1905890d43c052fe936
SHA512 9a8e6f48dc2e942fa01abaa4b0f1663dad2f6ee05d501f86d16795022e9370e38ab402ba579fd815594f33f24bd2065beb2113702054d50ead40ba9b8fc69afe

C:\Windows\Installer\MSI5069.tmp

MD5 4f5c40ec5d343ed9f185fbd1d6123d0b
SHA1 3b7569cbe35834c21493385329e43a73ef66413f
SHA256 0272659c6402b95da6c59cbfe4e3e60a361c50bebf536dd0b4c7b914e05cf175
SHA512 64d5476938997a4478744c1185e73391047a1f198d57dc91cc49b9229f144086cae831af828600d979f02c1739065e252fc54e1491354438d875785ba9d8efac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b4a74bc775caf3de7fc9cde3c30ce482
SHA1 c6ed3161390e5493f71182a6cb98d51c9063775d
SHA256 dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
SHA512 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

\??\pipe\LOCAL\crashpad_1896_JEABIVHUTGHBWNDO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c5abc082d9d9307e797b7e89a2f755f4
SHA1 54c442690a8727f1d3453b6452198d3ec4ec13df
SHA256 a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
SHA512 ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ff555192756beca7ae17178947fa278a
SHA1 cc3d7126ff53ca5ab1ba473f41cf200137277c84
SHA256 74a7f5fc270d105b99514d4fd98c973bbbe83f24c371daa57e465ec8016f597d
SHA512 41b06983328774010ddd1ef8316a1418b3321bb3ddc5a5b11975e82b587d709408999cfdcfbbbe3dc447570114d199e2f4e6c78543032dab7f3966ebf637491a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f0ab94759611fed484e1baa1c8316911
SHA1 c6d822e6dd6a268cd79361ff44b0d5a5cc55db2a
SHA256 73d2d95ae0476ce677231b77654b57b0971faf4c0b568f76c9a0485af9a2fb13
SHA512 ff7fc81f6b921693e19ae1c67481bf4481d5a1b72563047e61ef2091671a21d276a754d2bbbe9f577010d5bf8c96b026407e380742ae7c2e139a7d478f16c5ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 dbf73bd15b9fd4779e0150771bc7acc4
SHA1 e8c395f9784f9f6a53694d50e9255ce7b30f46f6
SHA256 e762f97d6fc6cdeb6518f047d21dfbabb9217ec9fa6f688c734f1b8210ca086e
SHA512 d521a39d65b3c288ce8aa43a1bcff535547ea575061fe9901a321944d9e04e87d65d1f1dc2f8787360c7b7f3994f214cd3141459ad1fb9ba3ed751b518903b9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c497d2570528378ca67a432b58281858
SHA1 4cac01aa5b859a71b12b48f7aa3cf1b2a2f8aff7
SHA256 0b895a0e3b00855d50085df399e1b1c9eb3624c056d00f67860d1eeaf5813da9
SHA512 a09f0d6795d8fd5027197cb51ff4fbacbf1d57eefb4715fcd6de884bc0d49c77c0cfeb3253bbc4e0045db5887f16ef552d817bb8c43e4b6ef1fb1604d1286185

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 118b495817a537875b6f084c2af00693
SHA1 5c1267358f74a7df8ce815c4a58eed4def4921f9
SHA256 71d743c02cb0405b9685c67f908f6e96aa63dab32eda5e74f4eb2835254445be
SHA512 ab160706a1f9a01afc289d83283e3f6ad2c19a56bdcb294463750f14b7286279e8f8c09f1f640fffbf065169fc820ce332ad8138090378ca08dacd3ae2737f8e