Malware Analysis Report

2025-01-18 09:48

Sample ID 241130-alrcyaylcl
Target Slf.msi
SHA256 6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
Tags
hijackloader remcos v2 discovery loader persistence privilege_escalation rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321

Threat Level: Known bad

The file Slf.msi was found to be: Known bad.

Malicious Activity Summary

hijackloader remcos v2 discovery loader persistence privilege_escalation rat

Detects HijackLoader (aka IDAT Loader)

Remcos

Remcos family

HijackLoader

Hijackloader family

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-30 00:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-30 00:18

Reported

2024-11-30 00:20

Platform

win7-20240903-en

Max time kernel

150s

Max time network

128s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2808 set thread context of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2676 set thread context of 2616 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 set thread context of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSID99F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDB16.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76d81a.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76d817.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76d817.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID95F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID855.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76d81a.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 1560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2316 wrote to memory of 1560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2316 wrote to memory of 1560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2316 wrote to memory of 1560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2316 wrote to memory of 1560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2316 wrote to memory of 1560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2316 wrote to memory of 1560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2316 wrote to memory of 2676 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2316 wrote to memory of 2676 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2316 wrote to memory of 2676 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2316 wrote to memory of 2676 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2316 wrote to memory of 2808 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2316 wrote to memory of 2808 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2316 wrote to memory of 2808 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2316 wrote to memory of 2808 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2676 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2808 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2808 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2808 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2808 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2808 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2676 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2616 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2616 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2616 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2616 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2616 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

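Most rows in the tables above are msiexec.exe doing ordinary Windows Installer work (touching every drive letter, writing under C:\Windows\Installer, enabling backup and restore privileges). The rows that carry the verdict are the WriteProcessMemory and SetThreadContext pairs: msiexec.exe starts EHttpSrv.exe and Updwork.exe out of the user's Temp folder, Updwork.exe writes into a WerFault.exe it spawned and resets its thread context, and EHttpSrv.exe does the same to cmd.exe, which in turn does it to a second EHttpSrv.exe. The script below is an added example, not part of the original report: it parses those rows as copied from this page and rebuilds the spawn tree and the injection edges. It assumes that in this sandbox a parent's "wrote to memory of" row into a process it just started is what process creation looks like, so those rows double as parent-to-child edges; the labels "hollowing candidate" and "installer drop" are this example's own heuristics, not the sandbox's.

```python
"""Rebuild the process tree and injection chain from the signature rows above.
Added example, not part of the original report.  Assumption: a 'wrote to memory
of' row from a parent into a freshly started child is process creation, so those
rows double as spawn edges; a row that also has 'set thread context of' is the
suspend / write / SetThreadContext / resume shape of process hollowing."""
import re
from collections import defaultdict

# Rows copied from the behavioral1 WriteProcessMemory and SetThreadContext
# tables on this page (duplicates collapsed; one kept to show dedup works).
REPORT_ROWS = r"""
PID 2316 wrote to memory of 1560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2316 wrote to memory of 1560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2316 wrote to memory of 2676 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2316 wrote to memory of 2808 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2676 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2616 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2808 set thread context of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2676 set thread context of 2616 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 set thread context of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
"""

ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return (writes, ctx, image): edge sets of (src_pid, dst_pid) and a pid->image map."""
    writes, ctx, image = set(), set(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header rows such as 'Description Indicator Process Target'
        src, verb, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        image[src], image[dst] = src_img, dst_img
        (writes if verb.startswith("wrote") else ctx).add((src, dst))
    return writes, ctx, image


def hollowing_candidates(writes, ctx):
    """Pairs where the same parent both wrote into the target and replaced its
    thread context; a plain CreateProcess never needs SetThreadContext."""
    return sorted(writes & ctx)


def installer_drops(writes, image):
    """Children the Windows Installer process started from a user Temp folder:
    the 'Event Triggered Execution: Installer Packages' behaviour in this report."""
    return sorted(
        (dst, image[dst]) for src, dst in writes
        if basename(image[src]).lower() == "msiexec.exe"
        and "\\appdata\\local\\temp\\" in image[dst].lower())


def chains(writes, ctx, image, root_pid):
    """Render every root-to-leaf path; '->' is a plain spawn, '=>' a spawn whose
    thread context was then overwritten (the injection edge)."""
    children = defaultdict(set)
    for src, dst in writes | ctx:
        children[src].add(dst)
    paths = []

    def walk(pid, rendered):
        if not children[pid]:
            paths.append(rendered)
            return
        for kid in sorted(children[pid]):
            sep = " => " if (pid, kid) in ctx else " -> "
            walk(kid, rendered + sep + f"{basename(image[kid])}({kid})")

    walk(root_pid, f"{basename(image[root_pid])}({root_pid})")
    return paths


if __name__ == "__main__":
    w, c, img = parse_rows(REPORT_ROWS)
    for path in chains(w, c, img, 2316):
        print(path)
    print("hollowing candidates:", hollowing_candidates(w, c))
    print("installer drops:", installer_drops(w, img))
```

Run stand-alone it prints three paths rooted at msiexec.exe(2316): the 32-bit MsiExec.exe helper, EHttpSrv.exe => cmd.exe => EHttpSrv.exe, and Updwork.exe => WerFault.exe. The same edge sets feed a detection rule directly: a parent that both writes into a child and calls SetThreadContext on it is the pair to alert on, and WerFault.exe or cmd.exe as the hollowed target is the HijackLoader/Remcos shape seen here.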
Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B63C0542A324B2A7C4F5D9AD53DF54D7

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

"C:\Users\Admin\AppData\Local\Temp\Updwork.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\System32\WerFault.exe"

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
NL 185.157.162.126:1995 tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSI6d75b.LOG

MD5 f229995dd7c772fdb4671ead3b425908
SHA1 ce7456345212fa4438666886ff84402bc7c95595
SHA256 0dce09fb82b71ba0a2b57c79aebbd1709b49ce14517a1a0b030a4a81d4e513ce
SHA512 efa9aec75b2aea1bfd3feac5bc4f12e177d139dc6e62da1ab53b2931cdc4a1e387fbc33615bcbebe3a1d36ab360c018f49565c6121bfbb74fc8f3b0c1927cc86

C:\Windows\Installer\MSID855.tmp

MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

C:\Config.Msi\f76d81b.rbs

MD5 df5715ad2d3c9f8f20c88d4e542f0e3b
SHA1 e6dcbf959616e5f4608b3941a8b5645d5f7b16b1
SHA256 fa69095cf595d2876d8a5aa6beba631054efd5ba148ea2285e1b300025584cd6
SHA512 a340985b0f03e29a7752978afceb96fb9f3c803d262d91df317020592f98725403151741517332a0c3b3c567e8524caa91797651bff2fc24728369711ac0a203

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512 0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

MD5 253c52411b256e4af301cba58dcb6cef
SHA1 f21252c959b9eb47cd210f41b997cf598612d7c9
SHA256 7d57b704dd881413e7ee2effb3d85bdfff1e208b0f3f745419e640930d9d339d
SHA512 40de728edae55f97ac9459cf78bbc31b38e8b59bdb7a74fbd9e09d7efd2a81b1dc5fd8011007c66efb58e850f1c57d099ec340aecd62911d6aebf2e70d1275d0

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 4366cd6c5d795811822b9ccc3df3eab4
SHA1 30f6050729b4c08b7657454cb79dd5a3d463c606
SHA256 55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA512 4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

C:\Users\Admin\AppData\Local\Temp\MFC80U.DLL

MD5 686b224b4987c22b153fbb545fee9657
SHA1 684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256 a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA512 44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

\Users\Admin\AppData\Local\Temp\RaftelibeGarss\zlib1.dll

MD5 3ca940e27e87443f7891d39536650f9b
SHA1 2603ff220c43f13591a51abb0cf339aecb758207
SHA256 a91f13aece1ea7ebe326f0e340bda9d00613d3365cd81b7f138a4c9446ffbd38
SHA512 0c0e04cbb8247f6dfe0790d1c3453596e3cb5f5ff0d2c3bc4e01fb38ad8e042322130072263c135c5637a745ef70ac68487bdade3510990ce8f609cad46566ee

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

MD5 5124236fd955464317fbb1f344a1d2f2
SHA1 fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256 ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA512 2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

memory/2676-55-0x0000000073DA0000-0x0000000073F14000-memory.dmp

memory/2808-57-0x0000000062E80000-0x0000000062EE3000-memory.dmp

memory/2044-62-0x0000000000400000-0x0000000000449000-memory.dmp

memory/2676-71-0x0000000073DA0000-0x0000000073F14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c67509e9

MD5 660577dadffedf23e7d13e0e5adde688
SHA1 891b50c4a3d46eacfacec1413282430afc12c145
SHA256 18741a0a8ccdfa1e7f33cebe481f6ce370b8450c950bdae81956f4c4b1efa682
SHA512 ccaf55126a40e5bd6190df3e58f98ec246d6275da5c4b13a6b02490d8dead281f032c72a7ba659b5e2ba74a6ce75febd79ae6dd28a077140e9ad1b7fb2a11b7c

memory/2616-74-0x0000000077240000-0x00000000773E9000-memory.dmp

memory/2616-121-0x0000000073DA0000-0x0000000073F14000-memory.dmp

memory/2364-125-0x00000000727C0000-0x0000000073822000-memory.dmp

memory/2364-127-0x0000000077240000-0x00000000773E9000-memory.dmp

memory/2364-128-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-131-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-133-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-134-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-137-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-138-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-139-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-140-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-141-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-142-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-143-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-144-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2364-145-0x00000000001C0000-0x0000000000244000-memory.dmp
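Not every hash in the Files section is worth shipping as an indicator. MSI*.tmp, the .ipi/.rbs files under C:\Windows\Installer and C:\Config.Msi, and the MSI*.LOG are per-run Windows Installer scratch files whose contents differ on every host, and the memory/... entries are sandbox dump names with no hash at all. The portable indicators are the files dropped into the user's Temp folder (EHttpSrv.exe, Updwork.exe, http_dll.dll, the c67509e9 blob and the rest) and the single outbound socket, 185.157.162.126:1995/tcp. The script below is an added example, not part of the original report: it parses the Files and Network listings in the format this page uses, keeps only the portable indicators, replaces the sandbox user name "Admin" with a wildcard so the path survives on a real host, and runs the result over endpoint events. The events at the bottom are constructed for the demo; their file bodies are stand-ins, not the real sample, so only the path and C2 indicators can fire on them.

```python
"""Turn this report's Files and Network listings into an IOC set and match it
against endpoint events.  Added example, not part of the original report.
FILES_EXCERPT is copied from the behavioral1 Files section above (abridged:
most SHA1/SHA512 lines dropped); SAMPLE_EVENTS are constructed for the demo."""
import hashlib
import re

FILES_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\MSI6d75b.LOG

MD5 f229995dd7c772fdb4671ead3b425908
SHA256 0dce09fb82b71ba0a2b57c79aebbd1709b49ce14517a1a0b030a4a81d4e513ce

C:\Windows\Installer\MSID855.tmp

SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

MD5 253c52411b256e4af301cba58dcb6cef
SHA256 7d57b704dd881413e7ee2effb3d85bdfff1e208b0f3f745419e640930d9d339d

memory/2364-128-0x00000000001C0000-0x0000000000244000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c67509e9

SHA256 18741a0a8ccdfa1e7f33cebe481f6ce370b8450c950bdae81956f4c4b1efa682
"""
# The one row of the behavioral1 Network table (Country Destination Domain Proto).
NETWORK_EXCERPT = "NL 185.157.162.126:1995 tcp"

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
NET_RE = re.compile(r"^([A-Z]{2}) ([\d.]+):(\d+)(?: (\S+))? (tcp|udp)$")
USER_DIR_RE = re.compile(r"^c:\\users\\[^\\]+\\")
SCRATCH_PREFIXES = ("c:\\windows\\installer\\", "c:\\config.msi\\")


def normalize_path(path):
    """Lower-case and wildcard the user directory so 'Admin' is not the indicator."""
    return USER_DIR_RE.sub(lambda m: "c:\\users\\*\\", path.lower())


def parse_files(text):
    """One dict per entry: path, hashes, and a kind saying whether the hash travels."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur["hashes"][m.group(1).lower()] = m.group(2)
            continue
        cur = {"path": line, "hashes": {}}
        entries.append(cur)
    for e in entries:
        p = e["path"].lower()
        if p.startswith("memory/"):
            e["kind"] = "memdump"            # sandbox dump name, no hash, no file on disk
        elif p.startswith(SCRATCH_PREFIXES) or p.endswith(".log"):
            e["kind"] = "installer-scratch"  # MSI*.tmp/.ipi/.rbs/.LOG differ per run
        else:
            e["kind"] = "dropped"
    return entries


def build_iocs(files_text, net_text):
    iocs = {"sha256": set(), "paths": set(), "c2": set()}
    for e in parse_files(files_text):
        if e["kind"] != "dropped":
            continue
        iocs["paths"].add(normalize_path(e["path"]))
        if "sha256" in e["hashes"]:
            iocs["sha256"].add(e["hashes"]["sha256"])
    for line in net_text.strip().splitlines():
        m = NET_RE.match(line.strip())
        if m:
            iocs["c2"].add((m.group(2), int(m.group(3)), m.group(5)))
    return iocs


# Constructed endpoint events; file bodies are stand-ins, not the real sample.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\jdoe\AppData\Local\Temp\Updwork.exe",
     "data": b"constructed stand-in, not the real sample"},
    {"type": "file", "path": r"C:\Users\jdoe\Downloads\setup.exe", "data": b"benign filler"},
    {"type": "net", "dst": "185.157.162.126", "port": 1995, "proto": "tcp"},
    {"type": "net", "dst": "185.157.162.126", "port": 443, "proto": "tcp"},
]


def match_events(events, iocs):
    """Hash match beats path match; a bare IP hit on another port is reported
    separately because the sandbox only ever saw the one socket."""
    c2_ips = {ip for ip, _, _ in iocs["c2"]}
    hits = []
    for ev in events:
        if ev["type"] == "file":
            if hashlib.sha256(ev["data"]).hexdigest() in iocs["sha256"]:
                hits.append(("hash", ev["path"]))
            elif normalize_path(ev["path"]) in iocs["paths"]:
                hits.append(("path", ev["path"]))
        elif ev["type"] == "net":
            if (ev["dst"], ev["port"], ev["proto"]) in iocs["c2"]:
                hits.append(("c2", f'{ev["dst"]}:{ev["port"]}'))
            elif ev["dst"] in c2_ips:
                hits.append(("c2-ip", f'{ev["dst"]}:{ev["port"]}'))
    return hits
```

On the constructed events this yields a path hit for Updwork.exe under a different user's Temp, a full C2 hit on 185.157.162.126:1995 and an IP-only hit for the same address on 443. Treat the IP-only class as lower confidence and keep the hash class for the files the report actually hashed; the sandbox user name and the installer scratch files are deliberately excluded so the list does not fire on every MSI install in the estate.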

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-30 00:18

Reported

2024-11-30 00:20

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

144s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2156 set thread context of 4300 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 1880 set thread context of 3960 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 set thread context of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI853E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI85BC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5783b7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5783b7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8414.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI866A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI85DC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8} C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 1800 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1904 wrote to memory of 1800 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1904 wrote to memory of 1800 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1904 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1904 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1904 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1904 wrote to memory of 2156 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 1904 wrote to memory of 2156 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 1904 wrote to memory of 2156 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 1880 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2156 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2156 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2156 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2156 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 1880 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 3960 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 3960 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 3960 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 3960 wrote to memory of 5028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DE8C79BD7D57DD2641E5493C9FE84536

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

"C:\Users\Admin\AppData\Local\Temp\Updwork.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\System32\WerFault.exe"

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
NL 185.157.162.126:1995 N/A tcp
US 8.8.8.8:53 126.162.157.185.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI7824f.LOG

MD5 86a2e903b8cbe5713179433c49d89b1b
SHA1 d1d8c022efe42eec2128ee72aaf7ee8d37cb5084
SHA256 f74436b4c17dc1c7fefbe5871dde9d940dc85bedec0e1cd2a9590fc8739cea95
SHA512 9a80ed415df65934aad8145fb994260a4e5055bba9964ca18e91026d4227dca1066b772cf9959bb71cfb4b330168aaefefde9ace16b1c65123a16d93f7923ab2

C:\Windows\Installer\MSI8414.tmp

MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

C:\Config.Msi\e5783ba.rbs

MD5 94246d0fc97edd83f70f5cab7eceffce
SHA1 681223694fe76556ba93867397b217477923b562
SHA256 121e2c4deeb74b175cb1558a2d2b89e737ad0914f688f8134f235d2700449808
SHA512 cee8d48df746d37bb2616496c515467b01597bdebaac75b26fc1f3a27d82b2d7e72e15d781ad8c6c59d0bcbdd539d80daea01e1fd10d4c5126718f6673860dd9

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

MD5 5124236fd955464317fbb1f344a1d2f2
SHA1 fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256 ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA512 2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

C:\Users\Admin\AppData\Local\Temp\mfc80u.dll

MD5 686b224b4987c22b153fbb545fee9657
SHA1 684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256 a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA512 44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 4366cd6c5d795811822b9ccc3df3eab4
SHA1 30f6050729b4c08b7657454cb79dd5a3d463c606
SHA256 55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA512 4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

memory/1880-49-0x0000000074390000-0x000000007450B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

MD5 253c52411b256e4af301cba58dcb6cef
SHA1 f21252c959b9eb47cd210f41b997cf598612d7c9
SHA256 7d57b704dd881413e7ee2effb3d85bdfff1e208b0f3f745419e640930d9d339d
SHA512 40de728edae55f97ac9459cf78bbc31b38e8b59bdb7a74fbd9e09d7efd2a81b1dc5fd8011007c66efb58e850f1c57d099ec340aecd62911d6aebf2e70d1275d0

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512 0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

C:\Users\Admin\AppData\Local\Temp\RaftelibeGarss\zlib1.dll

MD5 3ca940e27e87443f7891d39536650f9b
SHA1 2603ff220c43f13591a51abb0cf339aecb758207
SHA256 a91f13aece1ea7ebe326f0e340bda9d00613d3365cd81b7f138a4c9446ffbd38
SHA512 0c0e04cbb8247f6dfe0790d1c3453596e3cb5f5ff0d2c3bc4e01fb38ad8e042322130072263c135c5637a745ef70ac68487bdade3510990ce8f609cad46566ee

memory/2156-59-0x0000000062E80000-0x0000000062EE3000-memory.dmp

memory/4300-64-0x0000000000690000-0x00000000006D9000-memory.dmp

memory/1880-73-0x0000000074390000-0x000000007450B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ff3d5e01

MD5 037346d568f61f2ab0792061207e03cb
SHA1 57191674928277f4383c41a5e589f8d8a31ccd3c
SHA256 3cee461aacf99b7d51b97e44866fae7c3ac060aa48003b2631fd7ca85d814698
SHA512 8838ca98f6c4eda06259b405008b8b98bf564e47820883f00844f765e0d1389e9b764872c2876458bbb477dfbefb68648b34941b0742ea618a3c05caeee62305

memory/3960-76-0x00007FFB38E70000-0x00007FFB39065000-memory.dmp

memory/3960-78-0x0000000074390000-0x000000007450B000-memory.dmp

memory/5028-80-0x0000000072960000-0x0000000073BB4000-memory.dmp

memory/5028-82-0x00007FFB38E70000-0x00007FFB39065000-memory.dmp

memory/5028-83-0x0000000000410000-0x0000000000494000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-30 00:18

Reported

2024-11-30 00:20

Platform

win11-20241007-en

Max time kernel

148s

Max time network

128s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3996 set thread context of 3288 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 4968 set thread context of 1756 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 set thread context of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemTemp\~DFD04148233B709BB2.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI904A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8FBB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8FEB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF1B7AA800CA26067D.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF386929AF87E1A210.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFDE7A1986A03BAC31.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5b8e13.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8E62.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8F7C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5b8e13.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8} C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2152 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1916 wrote to memory of 2152 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1916 wrote to memory of 2152 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1916 wrote to memory of 4968 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1916 wrote to memory of 4968 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1916 wrote to memory of 4968 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1916 wrote to memory of 3996 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 1916 wrote to memory of 3996 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 1916 wrote to memory of 3996 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 4968 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 3996 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 3996 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 3996 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 3996 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 4968 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1756 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1756 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1756 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1756 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F6B69BF4CCD323538166F3672BFC5712

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

"C:\Users\Admin\AppData\Local\Temp\Updwork.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\System32\WerFault.exe"

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
NL 185.157.162.126:1995 N/A tcp
US 8.8.8.8:53 126.162.157.185.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSIb8ceb.LOG

MD5 f3985d29a01d82bd2b5965705dae6697
SHA1 9d0bc0a1fa286b5b86bbf83ead221db4b1d8796e
SHA256 9723576ae86355134e20d0e355d1896fec2950fad51d8991db0f3a20564b0791
SHA512 ffa501f6803620534d2569dda2381cacaceeff052ea1b383d5071e3343f451016183a347c569eaaa43e19203656efffd94e094bee081e5914e705eb5d6726af7

C:\Windows\Installer\MSI8E62.tmp

MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

C:\Config.Msi\e5b8e16.rbs

MD5 94246d0fc97edd83f70f5cab7eceffce
SHA1 681223694fe76556ba93867397b217477923b562
SHA256 121e2c4deeb74b175cb1558a2d2b89e737ad0914f688f8134f235d2700449808
SHA512 cee8d48df746d37bb2616496c515467b01597bdebaac75b26fc1f3a27d82b2d7e72e15d781ad8c6c59d0bcbdd539d80daea01e1fd10d4c5126718f6673860dd9

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

MD5 253c52411b256e4af301cba58dcb6cef
SHA1 f21252c959b9eb47cd210f41b997cf598612d7c9
SHA256 7d57b704dd881413e7ee2effb3d85bdfff1e208b0f3f745419e640930d9d339d
SHA512 40de728edae55f97ac9459cf78bbc31b38e8b59bdb7a74fbd9e09d7efd2a81b1dc5fd8011007c66efb58e850f1c57d099ec340aecd62911d6aebf2e70d1275d0

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512 0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 4366cd6c5d795811822b9ccc3df3eab4
SHA1 30f6050729b4c08b7657454cb79dd5a3d463c606
SHA256 55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA512 4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

C:\Users\Admin\AppData\Local\Temp\mfc80u.dll

MD5 686b224b4987c22b153fbb545fee9657
SHA1 684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256 a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA512 44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

MD5 5124236fd955464317fbb1f344a1d2f2
SHA1 fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256 ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA512 2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

memory/4968-54-0x0000000074C60000-0x0000000074DDD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RaftelibeGarss\zlib1.dll

MD5 3ca940e27e87443f7891d39536650f9b
SHA1 2603ff220c43f13591a51abb0cf339aecb758207
SHA256 a91f13aece1ea7ebe326f0e340bda9d00613d3365cd81b7f138a4c9446ffbd38
SHA512 0c0e04cbb8247f6dfe0790d1c3453596e3cb5f5ff0d2c3bc4e01fb38ad8e042322130072263c135c5637a745ef70ac68487bdade3510990ce8f609cad46566ee

memory/3996-59-0x0000000062E80000-0x0000000062EE3000-memory.dmp

memory/3288-64-0x0000000000400000-0x0000000000449000-memory.dmp

memory/4968-73-0x0000000074C60000-0x0000000074DDD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d7b55d82

MD5 28aaba3d964b188a870cef88cb147fd5
SHA1 47437296b1f89ba17c46fd3206afe9735f961523
SHA256 b468cedce8aa04ac49703abce990dc66b46e14c3d30eab5dac2ec5650713f4e5
SHA512 256d7b44b42bc4b5188e876ce174c93826b208d6c134db1573b136842cdf7e45401b4061d0bf93a4f96cd432d6619d45e087836cc8a42bc7b72228901ab5bbde

memory/1756-76-0x00007FFC4AE80000-0x00007FFC4B089000-memory.dmp

memory/1756-78-0x0000000074C60000-0x0000000074DDD000-memory.dmp

memory/3064-80-0x0000000072980000-0x0000000073C97000-memory.dmp

memory/3064-82-0x00007FFC4AE80000-0x00007FFC4B089000-memory.dmp

memory/3064-83-0x0000000000410000-0x0000000000494000-memory.dmp