Malware Analysis Report

2025-01-18 09:48

Sample ID 241130-anw17stpex
Target Slf.msi
SHA256 6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
Tags
hijackloader remcos v2 discovery loader persistence privilege_escalation rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321

Threat Level: Known bad

The file Slf.msi was found to be: Known bad.

Malicious Activity Summary

hijackloader remcos v2 discovery loader persistence privilege_escalation rat

Remcos family

Hijackloader family

Remcos

HijackLoader

Detects HijackLoader (aka IDAT Loader)

Enumerates connected drives

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

System Location Discovery: System Language Discovery

Event Triggered Execution: Installer Packages

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-30 00:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-30 00:22

Reported

2024-11-30 00:24

Platform

win7-20241023-en

Max time kernel

149s

Max time network

120s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3052 set thread context of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2268 set thread context of 2828 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 set thread context of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIC34F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC45A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c2f1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC3EC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c2f4.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC65E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c2f4.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c2f1.msi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2160 wrote to memory of 2268 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2160 wrote to memory of 2268 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2160 wrote to memory of 2268 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2160 wrote to memory of 2268 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2160 wrote to memory of 3052 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2160 wrote to memory of 3052 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2160 wrote to memory of 3052 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2160 wrote to memory of 3052 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2268 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 3052 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 3052 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 3052 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 3052 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 3052 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2268 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2828 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2828 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2828 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2828 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2828 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DCC0E9A4FC388E5724EB85202427AAC4

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

"C:\Users\Admin\AppData\Local\Temp\Updwork.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\System32\WerFault.exe"

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
NL 185.157.162.126:1995 tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSI6c217.LOG

MD5 8f9cdb56eb093e2e110fd1393f060f59
SHA1 9ac369f236627b02662804107bbf7212f6dd7ee4
SHA256 b99ef5d72a5880bc454476d96238e53a58d8b5588ee69e18fbb72a489a2564d9
SHA512 0f7f21e7ad69d3b8d1cfe0f7d4afc958c64ebf81554a72760dc67680855fd40d02d773c30950f31d17a1261ccd421bddf6076758c5d665c8185977b16121756b

C:\Windows\Installer\MSIC34F.tmp

MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

C:\Config.Msi\f76c2f5.rbs

MD5 b6f2ba56bfe349d9e19c2eb067eec037
SHA1 1efc892a70452ea378ca070bf45718f51962b12e
SHA256 a4a3fac1d173609b78c5a3c064e851681ca9bf0c4e53f663a3b4eca5572a3b85
SHA512 9891d411502b77da191f422e66f1246e3ae03396c0be2f41700d47834c30e41535068ca89654015c70320915ae35d81d2c8b45e734aa75dbd1212b3058451dbc

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512 0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

MD5 253c52411b256e4af301cba58dcb6cef
SHA1 f21252c959b9eb47cd210f41b997cf598612d7c9
SHA256 7d57b704dd881413e7ee2effb3d85bdfff1e208b0f3f745419e640930d9d339d
SHA512 40de728edae55f97ac9459cf78bbc31b38e8b59bdb7a74fbd9e09d7efd2a81b1dc5fd8011007c66efb58e850f1c57d099ec340aecd62911d6aebf2e70d1275d0

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 4366cd6c5d795811822b9ccc3df3eab4
SHA1 30f6050729b4c08b7657454cb79dd5a3d463c606
SHA256 55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA512 4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

C:\Users\Admin\AppData\Local\Temp\MFC80U.DLL

MD5 686b224b4987c22b153fbb545fee9657
SHA1 684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256 a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA512 44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

\Users\Admin\AppData\Local\Temp\RaftelibeGarss\zlib1.dll

MD5 3ca940e27e87443f7891d39536650f9b
SHA1 2603ff220c43f13591a51abb0cf339aecb758207
SHA256 a91f13aece1ea7ebe326f0e340bda9d00613d3365cd81b7f138a4c9446ffbd38
SHA512 0c0e04cbb8247f6dfe0790d1c3453596e3cb5f5ff0d2c3bc4e01fb38ad8e042322130072263c135c5637a745ef70ac68487bdade3510990ce8f609cad46566ee

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

MD5 5124236fd955464317fbb1f344a1d2f2
SHA1 fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256 ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA512 2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

memory/2268-56-0x0000000074680000-0x00000000747F4000-memory.dmp

memory/3052-57-0x0000000062E80000-0x0000000062EE3000-memory.dmp

memory/1948-63-0x0000000000400000-0x0000000000449000-memory.dmp

memory/2268-71-0x0000000074680000-0x00000000747F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a88a1eb6

MD5 e5aaf990c9f586247c8a451298caa3d2
SHA1 74bd59a0d6801e0747b74e6d9c364beb09d1ea9f
SHA256 4809e6491220049a196de793cdaccbfe87fee3d2934a726042ec7b54dd43d862
SHA512 caa59655cef824da54c2dae91aae8aeb69ebab9af7070cabc2b8e1ff8fabc8f71a2c485c2acb0789eb93a8927f5b7f50808ce38d55a3f60051f9f7f5fa8fcbf0

memory/2828-74-0x0000000077B20000-0x0000000077CC9000-memory.dmp

memory/2828-121-0x0000000074680000-0x00000000747F4000-memory.dmp

memory/2336-125-0x00000000730A0000-0x0000000074102000-memory.dmp

memory/2336-127-0x0000000077B20000-0x0000000077CC9000-memory.dmp

memory/2336-128-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-132-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-133-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-135-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-137-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-138-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-139-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-140-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-141-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-142-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-143-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2336-144-0x00000000001C0000-0x0000000000244000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-30 00:22

Reported

2024-11-30 00:24

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2948 set thread context of 4880 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 set thread context of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 4880 set thread context of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57bbde.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBC6A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBFE9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57bbde.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBE5F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBEDD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBEFD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8} C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3904 wrote to memory of 3184 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3904 wrote to memory of 3184 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3904 wrote to memory of 3184 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3904 wrote to memory of 2948 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 3904 wrote to memory of 2948 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 3904 wrote to memory of 2948 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 3904 wrote to memory of 2256 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 3904 wrote to memory of 2256 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 3904 wrote to memory of 2256 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2948 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2256 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2256 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2256 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2256 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 4880 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 4880 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 4880 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 4880 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 4880 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 91EFB2D73C2CB1410F46B58268572ECB

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

"C:\Users\Admin\AppData\Local\Temp\Updwork.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\System32\WerFault.exe"

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 185.157.162.126:1995 tcp
US 8.8.8.8:53 126.162.157.185.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI7b99b.LOG

MD5 e7960b38964bdd7e255623b6675d61e9
SHA1 8170687a4e24cbc8516faa0774d2982028c0c760
SHA256 bad0d00273f60a9ad353d8f4976c1edc41c850a9f745f205c71c5625835a9aa6
SHA512 e3be7b1d02651174d76bd62fd8def66e369f3bfc20d33b793266936d4e1d533a6293e3265abc6e4f9552b2e200a62bf700e524431f5e505853457cf122bf5be3

C:\Windows\Installer\MSIBC6A.tmp

MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

C:\Config.Msi\e57bbe1.rbs

MD5 4b01d4966a92edc2ba097f0d136f252a
SHA1 f900277c17cb552cbfbe96bf4a57ee1cf481f869
SHA256 3dd5afdd3456c1c8f22522220a2e8d17ea691026f521e2cf3813205301189f3b
SHA512 290408afe016fb6ecdc8dd12b25a5c7a04f58968a21f8c0b1277552bac1770ca7fe4b8d91a60ccc57fd0aaa8f92f10a29e1d9e03d309c84953ad689b36a7acad

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512 0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

MD5 253c52411b256e4af301cba58dcb6cef
SHA1 f21252c959b9eb47cd210f41b997cf598612d7c9
SHA256 7d57b704dd881413e7ee2effb3d85bdfff1e208b0f3f745419e640930d9d339d
SHA512 40de728edae55f97ac9459cf78bbc31b38e8b59bdb7a74fbd9e09d7efd2a81b1dc5fd8011007c66efb58e850f1c57d099ec340aecd62911d6aebf2e70d1275d0

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 4366cd6c5d795811822b9ccc3df3eab4
SHA1 30f6050729b4c08b7657454cb79dd5a3d463c606
SHA256 55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA512 4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

C:\Users\Admin\AppData\Local\Temp\MFC80U.DLL

MD5 686b224b4987c22b153fbb545fee9657
SHA1 684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256 a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA512 44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

MD5 5124236fd955464317fbb1f344a1d2f2
SHA1 fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256 ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA512 2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

memory/2948-53-0x0000000074490000-0x000000007460B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RaftelibeGarss\zlib1.dll

MD5 3ca940e27e87443f7891d39536650f9b
SHA1 2603ff220c43f13591a51abb0cf339aecb758207
SHA256 a91f13aece1ea7ebe326f0e340bda9d00613d3365cd81b7f138a4c9446ffbd38
SHA512 0c0e04cbb8247f6dfe0790d1c3453596e3cb5f5ff0d2c3bc4e01fb38ad8e042322130072263c135c5637a745ef70ac68487bdade3510990ce8f609cad46566ee

memory/2948-59-0x0000000074490000-0x000000007460B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5796df21

MD5 ca7d644a6d4a3ea6f8dc397a08665107
SHA1 c4ddcb90d9c5b09388b9d1f092a5c15a0ebde2f2
SHA256 dc7de43a8c31ab4b122535855e794b3d90dd5f6cd1c51e5730cbf9ad6b0d88d2
SHA512 bf0eac73dd1a4ce7b6b3ad27b1d16ab9ef43925dd6112100662e32f26885ca3912a6bea881fb8de3cbfba080f72cbc6444b2727b118fc6781620a61fb9c0f5fa

memory/2256-61-0x0000000062E80000-0x0000000062EE3000-memory.dmp

memory/2588-67-0x0000000000400000-0x0000000000449000-memory.dmp

memory/4880-76-0x00007FF8FDB70000-0x00007FF8FDD65000-memory.dmp

memory/4880-78-0x0000000074490000-0x000000007460B000-memory.dmp

memory/3556-80-0x0000000073230000-0x0000000074484000-memory.dmp

memory/3556-82-0x00007FF8FDB70000-0x00007FF8FDD65000-memory.dmp

memory/3556-83-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3556-86-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3556-87-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3556-90-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3556-91-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3556-92-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3556-93-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3556-94-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3556-97-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3556-98-0x0000000000410000-0x0000000000494000-memory.dmp