Malware Analysis Report

2025-01-18 09:48

Sample ID 241130-anzgbstpe1
Target Slf.msi
SHA256 6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
Tags
hijackloader remcos v2 discovery loader persistence privilege_escalation rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321

Threat Level: Known bad

The file Slf.msi was found to be: Known bad.

Malicious Activity Summary

hijackloader remcos v2 discovery loader persistence privilege_escalation rat

Remcos family

Hijackloader family

Remcos

HijackLoader

Detects HijackLoader (aka IDAT Loader)

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

NSIS installer

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-30 00:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-30 00:22

Reported

2024-11-30 00:24

Platform

win7-20240708-en

Max time kernel

148s

Max time network

143s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2984 set thread context of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 1820 set thread context of 1504 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 set thread context of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI56AA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f765573.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI59A7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f765573.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f765570.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI55AE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f765570.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI566B.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 2788 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2736 wrote to memory of 2788 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2736 wrote to memory of 2788 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2736 wrote to memory of 2788 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2736 wrote to memory of 2788 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2736 wrote to memory of 2788 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2736 wrote to memory of 2788 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2736 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2736 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2736 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2736 wrote to memory of 1820 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2736 wrote to memory of 2984 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2736 wrote to memory of 2984 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2736 wrote to memory of 2984 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2736 wrote to memory of 2984 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 1820 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 1820 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1504 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1504 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1504 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1504 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1504 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A3A085D715CFBA99F5A80E5F3115AD96

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

"C:\Users\Admin\AppData\Local\Temp\Updwork.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\System32\WerFault.exe"

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
NL 185.157.162.126:1995 tcp

Files

memory/1820-51-0x0000000073B20000-0x0000000073C94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

\Users\Admin\AppData\Local\Temp\RaftelibeGarss\zlib1.dll

\Users\Admin\AppData\Local\Temp\mfc80u.dll

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

\Users\Admin\AppData\Local\Temp\http_dll.dll

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Config.Msi\f765574.rbs

\Windows\Installer\MSI56AA.tmp

C:\Users\Admin\AppData\Local\Temp\MSI654e4.LOG

memory/2984-57-0x0000000062E80000-0x0000000062EE3000-memory.dmp

memory/2264-62-0x0000000000400000-0x0000000000449000-memory.dmp

memory/1820-71-0x0000000073B20000-0x0000000073C94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fd3e2c66

memory/1504-74-0x0000000076FC0000-0x0000000077169000-memory.dmp

memory/1504-121-0x0000000073B20000-0x0000000073C94000-memory.dmp

memory/1920-125-0x0000000072540000-0x00000000735A2000-memory.dmp

memory/1920-127-0x0000000076FC0000-0x0000000077169000-memory.dmp

memory/1920-128-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-132-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-133-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-135-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-137-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-138-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-139-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-140-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-141-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-142-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-143-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/1920-144-0x00000000001C0000-0x0000000000244000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-30 00:22

Reported

2024-11-30 00:24

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2284 set thread context of 2976 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 700 set thread context of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2976 set thread context of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e578107.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI82BE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI82FD.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8447.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e578107.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8174.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI831D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 844 wrote to memory of 3864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 844 wrote to memory of 3864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 844 wrote to memory of 3864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 844 wrote to memory of 2284 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 844 wrote to memory of 2284 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 844 wrote to memory of 2284 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 844 wrote to memory of 700 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 844 wrote to memory of 700 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 844 wrote to memory of 700 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2284 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 700 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 700 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 700 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 700 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2976 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2976 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2976 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2976 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2976 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A1049B51517F96C3837172B8604DB908

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

"C:\Users\Admin\AppData\Local\Temp\Updwork.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\System32\WerFault.exe"

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
NL 185.157.162.126:1995 tcp
US 8.8.8.8:53 126.162.157.185.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI77f13.LOG

MD5 567e6bab8c87c218809f415390950e54
SHA1 da6ec6cea9b05254a5d2c8124495ee3f7989b0f3
SHA256 b271e74bd9aaa851fc129e17133267d57eb186f8f466a47b68ac98ac04b677bb
SHA512 878b5524b39374bcb9a2bb72b7f5aec1bbc7d40ad4c53c8c788c3d7ebff661c5e0e84cc018cbbf1ed68affe2569c7263821025ed1259e56e4265cfb4529d2b98

C:\Windows\Installer\MSI8174.tmp

MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

C:\Config.Msi\e57810a.rbs

MD5 ee39c19e5c925f709bb373e2b0a907b3
SHA1 8b0204cc969ae9abc84bac30d4b28132b56bcd46
SHA256 b48e839ebe8b4b4f99a8408a16bcf39265d7d59e7cf31f8429f5f5e535df8f2b
SHA512 a9bf66a7509a5bae9592fc6b9b03f25dee3bda92dcc667b9a54ae8d3ea2a488249b744beeb58126d326e5f7a2bb77a2be19df622b334f8041d669cde783d1e43

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512 0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

MD5 253c52411b256e4af301cba58dcb6cef
SHA1 f21252c959b9eb47cd210f41b997cf598612d7c9
SHA256 7d57b704dd881413e7ee2effb3d85bdfff1e208b0f3f745419e640930d9d339d
SHA512 40de728edae55f97ac9459cf78bbc31b38e8b59bdb7a74fbd9e09d7efd2a81b1dc5fd8011007c66efb58e850f1c57d099ec340aecd62911d6aebf2e70d1275d0

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 4366cd6c5d795811822b9ccc3df3eab4
SHA1 30f6050729b4c08b7657454cb79dd5a3d463c606
SHA256 55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA512 4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

C:\Users\Admin\AppData\Local\Temp\mfc80u.dll

MD5 686b224b4987c22b153fbb545fee9657
SHA1 684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256 a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA512 44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

MD5 5124236fd955464317fbb1f344a1d2f2
SHA1 fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256 ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA512 2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

memory/2284-51-0x00000000741B0000-0x000000007432B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RaftelibeGarss\zlib1.dll

MD5 3ca940e27e87443f7891d39536650f9b
SHA1 2603ff220c43f13591a51abb0cf339aecb758207
SHA256 a91f13aece1ea7ebe326f0e340bda9d00613d3365cd81b7f138a4c9446ffbd38
SHA512 0c0e04cbb8247f6dfe0790d1c3453596e3cb5f5ff0d2c3bc4e01fb38ad8e042322130072263c135c5637a745ef70ac68487bdade3510990ce8f609cad46566ee

memory/700-59-0x0000000062E80000-0x0000000062EE3000-memory.dmp

memory/2284-60-0x00000000741B0000-0x000000007432B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\feb38fb9

MD5 fafcc48ed1ecfe2ea0d1790b65780416
SHA1 7616ddc11661a29b1493ef1e455ad2adee101fe0
SHA256 02e1a4fa82fd28dca1218b1d75772a953da5353d0a4713a17e8268d7023103df
SHA512 76bba26327dccfdd71cae3cf7d4603868b1aaa6a96021936812596c003b754ed40fc4f3ae97a25f45975a2b99ca8e4ecbacbbe3b6d52ea3f6ac12b9fa3e5e839

memory/3504-67-0x0000000000400000-0x0000000000449000-memory.dmp

memory/2976-76-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

memory/2976-78-0x00000000741B0000-0x000000007432B000-memory.dmp

memory/1416-80-0x0000000072F50000-0x00000000741A4000-memory.dmp

memory/1416-82-0x00007FFE18750000-0x00007FFE18945000-memory.dmp

memory/1416-83-0x0000000000410000-0x0000000000494000-memory.dmp

memory/1416-86-0x0000000000410000-0x0000000000494000-memory.dmp

memory/1416-87-0x0000000000410000-0x0000000000494000-memory.dmp

memory/1416-89-0x0000000000410000-0x0000000000494000-memory.dmp

memory/1416-91-0x0000000000410000-0x0000000000494000-memory.dmp

memory/1416-92-0x0000000000410000-0x0000000000494000-memory.dmp

memory/1416-93-0x0000000000410000-0x0000000000494000-memory.dmp

memory/1416-94-0x0000000000410000-0x0000000000494000-memory.dmp

memory/1416-98-0x0000000000410000-0x0000000000494000-memory.dmp