Malware Analysis Report

2025-01-18 09:48

Sample ID 241201-c3gk6stpgx
Target 6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321.msi
SHA256 6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
Tags
hijackloader remcos v2 discovery loader persistence privilege_escalation rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321

Threat Level: Known bad

The file 6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321.msi was found to be: Known bad.

Malicious Activity Summary

hijackloader remcos v2 discovery loader persistence privilege_escalation rat

Detects HijackLoader (aka IDAT Loader)

Remcos family

HijackLoader

Remcos

Hijackloader family

Enumerates connected drives

Suspicious use of SetThreadContext

Loads dropped DLL

Drops file in Windows directory

Executes dropped EXE

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-01 02:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-01 02:35

Reported

2024-12-01 02:38

Platform

win7-20240729-en

Max time kernel

148s

Max time network

136s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2728 set thread context of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2660 set thread context of 2376 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 set thread context of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f77e6c6.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77e6c9.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE9D5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77e6c6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE705.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE7C1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE800.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77e6c9.ipi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2432 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2432 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2432 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2432 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2432 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2432 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2432 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2432 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2432 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2432 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2432 wrote to memory of 2728 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2432 wrote to memory of 2728 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2432 wrote to memory of 2728 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2432 wrote to memory of 2728 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 2660 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2728 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2728 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2728 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2728 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2728 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 2660 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2376 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2376 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2376 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2376 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2376 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D0B7DE24814DE163A7122EC1321C56A8

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

"C:\Users\Admin\AppData\Local\Temp\Updwork.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\System32\WerFault.exe"

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
NL 185.157.162.126:1995 tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSI7e5bd.LOG

C:\Windows\Installer\MSIE705.tmp

C:\Config.Msi\f77e6ca.rbs

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

C:\Users\Admin\AppData\Local\Temp\MFC80U.DLL

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

\Users\Admin\AppData\Local\Temp\RaftelibeGarss\zlib1.dll

C:\Users\Admin\AppData\Local\Temp\75dd5736

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-01 02:35

Reported

2024-12-01 02:38

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

144s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3776 set thread context of 3928 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 1380 set thread context of 872 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 872 set thread context of 3348 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e57a2f7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA354.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57a2f7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA49D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA4ED.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA51C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA5BA.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Updwork.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 1984 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2144 wrote to memory of 1380 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2144 wrote to memory of 3776 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Updwork.exe
PID 1380 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\Updwork.exe C:\Windows\SysWOW64\WerFault.exe
PID 872 wrote to memory of 3348 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding CE7E47C4F66A609068B6AB39736B4FB6

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

"C:\Users\Admin\AppData\Local\Temp\Updwork.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\System32\WerFault.exe"

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
NL 185.157.162.126:1995 tcp
US 8.8.8.8:53 126.162.157.185.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI7a1ae.LOG

MD5 525eaf3e444da475afbce8ca0f63fcc6
SHA1 675531a8e5c6c23df11e57655babf2bee66f54ef
SHA256 a43a6493db419955fc082df009843168707c32830610d00ec0a43bfb8b65f19a
SHA512 7f0ece800105bb60351c84ccbfc231c508e6f8f3267ad3c67ed5cdc4c00f0040497339671570dfcbd78d8ebc583c544a027ed2869dac742fa965664b5b7ff5ff

C:\Windows\Installer\MSIA354.tmp

MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

C:\Config.Msi\e57a2fa.rbs

MD5 089cb40b3724da3b9d6a8c947f5d4d36
SHA1 6b54c40dca0e0e4140ccfd10af119aa56e0322b1
SHA256 855a74961f2e13aeeedc46861a8e08c683dcb6823e8ea5014f083f5dffc51463
SHA512 3c81738bf5cc231d9956b2384ea1cfe654fcaaddeecc6cf571677a6352384a43fce906e54380a065926d3d9e9300de25bf4b32139be9e8f0b780b93b4170a465

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512 0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

C:\Users\Admin\AppData\Local\Temp\MFC80U.DLL

MD5 686b224b4987c22b153fbb545fee9657
SHA1 684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256 a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA512 44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 4366cd6c5d795811822b9ccc3df3eab4
SHA1 30f6050729b4c08b7657454cb79dd5a3d463c606
SHA256 55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA512 4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

C:\Users\Admin\AppData\Local\Temp\Updwork.exe

MD5 253c52411b256e4af301cba58dcb6cef
SHA1 f21252c959b9eb47cd210f41b997cf598612d7c9
SHA256 7d57b704dd881413e7ee2effb3d85bdfff1e208b0f3f745419e640930d9d339d
SHA512 40de728edae55f97ac9459cf78bbc31b38e8b59bdb7a74fbd9e09d7efd2a81b1dc5fd8011007c66efb58e850f1c57d099ec340aecd62911d6aebf2e70d1275d0

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

MD5 5124236fd955464317fbb1f344a1d2f2
SHA1 fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256 ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA512 2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

C:\Users\Admin\AppData\Local\Temp\RaftelibeGarss\zlib1.dll

MD5 3ca940e27e87443f7891d39536650f9b
SHA1 2603ff220c43f13591a51abb0cf339aecb758207
SHA256 a91f13aece1ea7ebe326f0e340bda9d00613d3365cd81b7f138a4c9446ffbd38
SHA512 0c0e04cbb8247f6dfe0790d1c3453596e3cb5f5ff0d2c3bc4e01fb38ad8e042322130072263c135c5637a745ef70ac68487bdade3510990ce8f609cad46566ee

memory/1380-53-0x0000000073F70000-0x00000000740EB000-memory.dmp

memory/3776-59-0x0000000062E80000-0x0000000062EE3000-memory.dmp

memory/3928-64-0x0000000000400000-0x0000000000449000-memory.dmp

memory/1380-73-0x0000000073F70000-0x00000000740EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2fa9360b

MD5 f5e4f7deb21b14e4981a0762ac179a55
SHA1 ea14a4ebf2a5aa39678f9d22c1c0e00d2d9bd73a
SHA256 d69b51400866813afe2d8228fd0baec0c29fded57a8f468517ef89112583a01b
SHA512 25554ebfd3d0b3b1165570f2bc335f3bac361a14f04247b125a7d74ca4f5e799913d9f235afa56158ecd0e0172a4c29c5a7d46749825cde8e8a58730a769b38d

memory/872-76-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

memory/872-78-0x0000000073F70000-0x00000000740EB000-memory.dmp

memory/3348-80-0x0000000072700000-0x0000000073954000-memory.dmp

memory/3348-82-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

memory/3348-83-0x0000000000410000-0x0000000000494000-memory.dmp