Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15-08-2024 21:49
Static task
static1
Behavioral task
behavioral1
Sample
NetworkIsooProSetup.msi
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
NetworkIsooProSetup.msi
Resource
win10v2004-20240802-en
General
-
Target
NetworkIsooProSetup.msi
-
Size
14.0MB
-
MD5
4fff2618d8f4f571bd0fed70db95a6a2
-
SHA1
0c2dc8df585ef1fb3d963820d4b9a5c5a41ad0f6
-
SHA256
d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6
-
SHA512
b05a8627f52943f5b1beacfdbc45c49c9cc70c9a12e8a165b8587d6a7bab18edf1bb7d90231c404a4be7c0c7b73856056a5d11d642eefd83a8d2cf236636dfc8
-
SSDEEP
393216:75Nm1Z7nsPSUTtXmAKARHAnm3z1GQOjKE7Uov:nm1ZTsaUTtZsE1GQOjvt
Malware Config
Extracted
remcos
RemoteHost
45.133.74.183:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-1QFIL0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
- startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1720 powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Active RPC Converter Suite = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Network MPluginManager\\Coolmuster PDF Image Extractor.exe" Coolmuster PDF Image Extractor.exe -
Blocklisted process makes network request 3 IoCs
flow pid Process 3 2688 msiexec.exe 5 2688 msiexec.exe 6 2884 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2172 netsh.exe 1008 netsh.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f76f23b.msi msiexec.exe File created C:\Windows\Installer\f76f23c.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\f76f23e.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f76f23b.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIF6E1.tmp msiexec.exe File opened for modification C:\Windows\Installer\f76f23c.ipi msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 2420 Coolmuster PDF Image Extractor.exe -
Loads dropped DLL 39 IoCs
pid Process 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe 2420 Coolmuster PDF Image Extractor.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2688 msiexec.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coolmuster PDF Image Extractor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2420 Coolmuster PDF Image Extractor.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2884 msiexec.exe 2884 msiexec.exe 1720 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2420 Coolmuster PDF Image Extractor.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2688 msiexec.exe Token: SeIncreaseQuotaPrivilege 2688 msiexec.exe Token: SeRestorePrivilege 2884 msiexec.exe Token: SeTakeOwnershipPrivilege 2884 msiexec.exe Token: SeSecurityPrivilege 2884 msiexec.exe Token: SeCreateTokenPrivilege 2688 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2688 msiexec.exe Token: SeLockMemoryPrivilege 2688 msiexec.exe Token: SeIncreaseQuotaPrivilege 2688 msiexec.exe Token: SeMachineAccountPrivilege 2688 msiexec.exe Token: SeTcbPrivilege 2688 msiexec.exe Token: SeSecurityPrivilege 2688 msiexec.exe Token: SeTakeOwnershipPrivilege 2688 msiexec.exe Token: SeLoadDriverPrivilege 2688 msiexec.exe Token: SeSystemProfilePrivilege 2688 msiexec.exe Token: SeSystemtimePrivilege 2688 msiexec.exe Token: SeProfSingleProcessPrivilege 2688 msiexec.exe Token: SeIncBasePriorityPrivilege 2688 msiexec.exe Token: SeCreatePagefilePrivilege 2688 msiexec.exe Token: SeCreatePermanentPrivilege 2688 msiexec.exe Token: SeBackupPrivilege 2688 msiexec.exe Token: SeRestorePrivilege 2688 msiexec.exe Token: SeShutdownPrivilege 2688 msiexec.exe Token: SeDebugPrivilege 2688 msiexec.exe Token: SeAuditPrivilege 2688 msiexec.exe Token: SeSystemEnvironmentPrivilege 2688 msiexec.exe Token: SeChangeNotifyPrivilege 2688 msiexec.exe Token: SeRemoteShutdownPrivilege 2688 msiexec.exe Token: SeUndockPrivilege 2688 msiexec.exe Token: SeSyncAgentPrivilege 2688 msiexec.exe Token: SeEnableDelegationPrivilege 2688 msiexec.exe Token: SeManageVolumePrivilege 2688 msiexec.exe Token: SeImpersonatePrivilege 2688 msiexec.exe Token: SeCreateGlobalPrivilege 2688 msiexec.exe Token: SeBackupPrivilege 2612 vssvc.exe Token: SeRestorePrivilege 2612 vssvc.exe Token: SeAuditPrivilege 2612 vssvc.exe Token: SeBackupPrivilege 2884 msiexec.exe Token: SeRestorePrivilege 2884 msiexec.exe Token: SeRestorePrivilege 2444 DrvInst.exe Token: SeRestorePrivilege 2444 DrvInst.exe Token: SeRestorePrivilege 2444 DrvInst.exe Token: SeRestorePrivilege 2444 DrvInst.exe Token: SeRestorePrivilege 2444 DrvInst.exe Token: SeRestorePrivilege 2444 DrvInst.exe Token: SeRestorePrivilege 2444 DrvInst.exe Token: SeLoadDriverPrivilege 2444 DrvInst.exe Token: SeLoadDriverPrivilege 2444 DrvInst.exe Token: SeLoadDriverPrivilege 2444 DrvInst.exe Token: SeRestorePrivilege 2884 msiexec.exe Token: SeTakeOwnershipPrivilege 2884 msiexec.exe Token: SeRestorePrivilege 2884 msiexec.exe Token: SeTakeOwnershipPrivilege 2884 msiexec.exe Token: SeRestorePrivilege 2884 msiexec.exe Token: SeTakeOwnershipPrivilege 2884 msiexec.exe Token: SeRestorePrivilege 2884 msiexec.exe Token: SeTakeOwnershipPrivilege 2884 msiexec.exe Token: SeRestorePrivilege 2884 msiexec.exe Token: SeTakeOwnershipPrivilege 2884 msiexec.exe Token: SeRestorePrivilege 2884 msiexec.exe Token: SeTakeOwnershipPrivilege 2884 msiexec.exe Token: SeRestorePrivilege 2884 msiexec.exe Token: SeTakeOwnershipPrivilege 2884 msiexec.exe Token: SeRestorePrivilege 2884 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2688 msiexec.exe 2688 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2420 Coolmuster PDF Image Extractor.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2884 wrote to memory of 2420 2884 msiexec.exe 35 PID 2884 wrote to memory of 2420 2884 msiexec.exe 35 PID 2884 wrote to memory of 2420 2884 msiexec.exe 35 PID 2884 wrote to memory of 2420 2884 msiexec.exe 35 PID 2420 wrote to memory of 2172 2420 Coolmuster PDF Image Extractor.exe 37 PID 2420 wrote to memory of 2172 2420 Coolmuster PDF Image Extractor.exe 37 PID 2420 wrote to memory of 2172 2420 Coolmuster PDF Image Extractor.exe 37 PID 2420 wrote to memory of 2172 2420 Coolmuster PDF Image Extractor.exe 37 PID 2420 wrote to memory of 1008 2420 Coolmuster PDF Image Extractor.exe 38 PID 2420 wrote to memory of 1008 2420 Coolmuster PDF Image Extractor.exe 38 PID 2420 wrote to memory of 1008 2420 Coolmuster PDF Image Extractor.exe 38 PID 2420 wrote to memory of 1008 2420 Coolmuster PDF Image Extractor.exe 38 PID 2420 wrote to memory of 2060 2420 Coolmuster PDF Image Extractor.exe 40 PID 2420 wrote to memory of 2060 2420 Coolmuster PDF Image Extractor.exe 40 PID 2420 wrote to memory of 2060 2420 Coolmuster PDF Image Extractor.exe 40 PID 2420 wrote to memory of 2060 2420 Coolmuster PDF Image Extractor.exe 40 PID 2060 wrote to memory of 1720 2060 cmd.exe 43 PID 2060 wrote to memory of 1720 2060 cmd.exe 43 PID 2060 wrote to memory of 1720 2060 cmd.exe 43 PID 2060 wrote to memory of 1720 2060 cmd.exe 43 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NetworkIsooProSetup.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2688
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"2⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Coolmuster PDF Image Extractor In Service" dir=in action=allow program="C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2172
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Coolmuster PDF Image Extractor Out Service" dir=out action=allow program="C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe" enable=yes3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1720
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "000000000000005C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2444
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD517b7e50dae957d8fbc6b7f550fc74840
SHA16c60ef9fd1f0859192fe6bab7b617212a05dbd5f
SHA256bf2e4cd6e0eeef8dd060e23a48d7d358a26c37b8eaa87b85109fac2154cc9cdf
SHA512466bb50d5ad9d6f8793f80516649684d1776a787859d882c740066d5d1c60bc549e838161eaf754851c6ffceae5467734ab0352511364ab53684c919d12647bc
-
Filesize
300B
MD51cf977a1499e288c8cedaf63fcd0318b
SHA1d7c7fd5fbd99ce101165252a18332a38d3a0230b
SHA25600cf7d3a9ad7e8218602a02c687030278f1a97e8e27ac1d76b8e95c60422b3de
SHA51256240d686166b37b0a71a0ca9db6ae442e91989ab6381f10b9dadbf8570baeaf4630c98e791dc9c56ca335a185ad9c7ac993e741a2beb25d11c4405394cff849
-
Filesize
406B
MD51b42d585b6b090783cfcc5d21383d958
SHA1e3226014c0038ab81475f010ca002ef432159f9c
SHA25608d41fe132793bfb86e733a1ffd70e85fa49efe3a9f1da27a1f202a139d8ac79
SHA51237616dcda8120011be7bf0060ce9cf3d98daaa447cdd9b399dd6b22d616d7193d2f407cb9e2225ff076ee6f49f4c7932fd293835ee1084e8c1df2d05421929de
-
Filesize
624B
MD560b3183b91def59683dba4d090eb49db
SHA1d39c70c255d29c13045afb8f3974e8f06eac55e4
SHA256e94ace265151dea1374a9c0038bcf7e26c37b77b3412e63443697853444ddc9e
SHA512199f6fa0686a398db121fbb576c27225f58c4600f02e3ef575f10f89d347f9b6748653c6ac0d12c3bfceba316f7f49f6e97838cc7a45a7cd51fc5e2d738b89a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ed77a1e2b1f1633370fee9c24fba7d13
SHA17fe2159b1f367a224dcdaf4bcc6ba2db65083735
SHA25686ece0d3856ebaf90c22571c2829f4c4beecba7fa2c88773c553dfdd8e4d4057
SHA51254723bb816a53eb549f9049fc7f1abe46dce9b28d22b8ed9e32a568f85e1131ed3039af2a5db9f82b5875353b4fb3858346021a9f2b01d2e80fd045dd2cbe774
-
Filesize
607KB
MD5e11235cb041e3ae98cb17d746b45cb66
SHA1fcaa4feab36f28bd38e71ee762cc499f731d3d47
SHA256c7030fb23fd25fc99c39457618a3afd2b27b381d7b833d4662995493d85deaf4
SHA51208da0141966050864a404c413f51fada820489872da15ddff1ef8273211deab106bf912105076f24e801b88276db772cb8f8f15201b83ef35e069d0a4de63db4
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
14.0MB
MD54fff2618d8f4f571bd0fed70db95a6a2
SHA10c2dc8df585ef1fb3d963820d4b9a5c5a41ad0f6
SHA256d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6
SHA512b05a8627f52943f5b1beacfdbc45c49c9cc70c9a12e8a165b8587d6a7bab18edf1bb7d90231c404a4be7c0c7b73856056a5d11d642eefd83a8d2cf236636dfc8
-
Filesize
212KB
MD574bc438e41c723c1389ee2484e0359c7
SHA1927bb7bcb50965a896757a28744887eade204337
SHA2566b1002b04d0334d6afcf28147918df5f284c016da605bdc36f4f2c5806950316
SHA51255d03871b1fc7afa9d35df978ed968be603b10754b43f3e4aa8cf89b989549e7114f183cad10b242e3ab27f85f10b8cd91207364f170c02cc8e94d24c6e6caab
-
Filesize
19KB
MD5045e4617b49e817007d8a88652af7734
SHA1305026109a1eabf49bf7ae6a233a4a11e2a22580
SHA256fd387d4e358e3755db38a618066fb72cd03b17b54d058dbe3dab82065519edc7
SHA5127e21cf4982ce6f4aa52f0281eae101287a850152c70577b456876356201e12983c9d211d04e05d2c81f80a56bc11ab54eaefa7e492e3910af21af14ff10962cc
-
Filesize
19KB
MD5adfc5bebc4a2c52023f47a1e548b0cc9
SHA1a2562ef8534b1448409adfa6c5d7e283ad005a70
SHA2567de5743f68d9bd6cff0fb8021c22d4069e2e993d97735db0ef65756ff915f39c
SHA51289665104bd17f9020a871215f03acd40294302e933e503ad22b208ec7c96dddcf5f7b1ae1aa2c3d83fbd608d525d36ff2f7ee86762e44e441153124da352a278
-
Filesize
21KB
MD52a3da8e1cd09aca0fc13be43848c7695
SHA172380005fde41e6c6b37db5a46cdb0efc3d6cb08
SHA256c3f671d3b41fffa444a33f79c0e65df7ca01e56598e4b2f90e7af18c77b97652
SHA512e4b659aa290a6c256799a76890c296e702316094b132b9bc4b393dc6bff7640b7e62de0f05097932291db411dfb871533f7473cc6c55805f69d75562aae6dc44
-
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-1.dll
Filesize19KB
MD51f462654c1bbc1ced7e4d8e879732e14
SHA1a56a7c4154870db07395d50f4d8d963e4cce92ab
SHA256b8e6deceacbc5f8e483ad076196df819377d2731e146eb4f48c5a59da9abdd65
SHA512917edfc5cbf3f82708d6cb84a2ad31c41b1b02cf44a921b6934bff614b69d0754115c35aaf4d181085a4b77ebd816fe06cb9def01addc5c68846da0850fe8cce
-
Filesize
19KB
MD55a8978023b93c8c369d3696c8251b71d
SHA11ffc61471c2f49a80d5e3f83df2a9010d3c5a1c7
SHA256dba254b1446808887d452bcd6c27685462c39dc2f1da181765f0898b4eb1b953
SHA51253ae57280e593d886b609d55c313e2ef208c3f0ce53b5d015f57aaf3cce901a192efe60b24d9e9b5c6e9ef7779c9103a951e813780a53d12a27680965e5b39ad
-
Filesize
19KB
MD5ed3a91953d5ce03d65bd90fa46c1e29d
SHA192cdac4071850ac96759ae77a0b3c5f6bebdc2ef
SHA25635ea6ec01e55108182c743b47fed5be381acf295982be87d92b4588ccb71240d
SHA512edb4539b6081e73bb410668c420d437a0a746fc4aba28f7f15f7a2debc8bf8eb11e03f38957b438bfb95e86652b44c1bdb0162f449146df467ff5e1de281e56d
-
Filesize
23KB
MD52e7fcee0944d063d8528399f22c9b2b7
SHA105a68b73e778817f52885e6f27800e99125efdca
SHA256a38f46fe1a1bba3a8c7cc942bac945413c5c0e992ca599f9f09181b7f5645f52
SHA512df689de14369d858412b79156acd8e2fcafeb45793eac91f1ce0cba37bcc2e88c53533934647960176c48133c1e5383f406eef859bfb5231f49730acf4320d95
-
Filesize
19KB
MD5f966b9ff936d60de02c37b16b9d23e4e
SHA17dffea259d7e5ffdf005900ac9417319acc66f33
SHA25690788cc217e4f5e78ec988061552fcd1c1a3ab61c6df3de132aae606383fbc27
SHA512bc27f4871e872d76b89d7f0ba5ed7d7062a04218bdf9a741598bfce82cd788e866d2c20513594726948e1701bfdb17afc2280405b0d994aaa3cd2ebefc1c8cf7
-
Filesize
21KB
MD5735d7e5ae0a53b644482f5e70efeff5d
SHA18e99689cf9d24aa4268a51bd377015e9d9ad7f64
SHA256e9d88aa96743aa2ff29ac8d7930ba0c8ebb21372329a1bf5926cce59a4b39f4b
SHA51212239d14a634b7cdaa07e39186b674bc905f73c928db5230752407650f274bd401d10487b3ac2c426cc8da708f0ca6fbaffc2a5075e299901961bd205ad7bbd8
-
Filesize
20KB
MD56521cf7e6a66c747726fd09e51a1f92d
SHA1b89168c27063a2b4f81c69df4ce23f144b55bcc4
SHA256dc8ae6136313ed0ee26aed6e9d3a192413d62e12c7c568fae5a7abb784ca4c72
SHA51203a63ed3c2e0be3e1e918eb01e5fb722be06d8e32179782ed3f7106048f522426bda045cd3ae605a066403bded2621923a8c33d075bf8e11b58c432a69481ac2
-
Filesize
19KB
MD5281399c6a7ca9c52c6b20c78938ec2d3
SHA15e76793588075edaeedab8d30297d9a8031c74b5
SHA25658e0f4ae04529a03bc5a453cdb891fcdaf82e4d7ec2757b3f88f5f967407fc94
SHA512459fe7cb8433fa23dc765894b78c1e2fd007ac3ed659d6f4fc9191a589e349107f7c4c03718e34c9a9231324fdcd970fae75e2772c153a97001933869628a7e6
-
Filesize
29KB
MD52b20bc164f817ffbba1b547857b0da2a
SHA1c40095898cfe64c6132e81090333317563184c3c
SHA256a7a4ba2270ae7e5679ff9413d1e53ba706a95bec28c906de378ab4b1a8fbf6e7
SHA512a760294cd9b9f3c0c9c0ec4800536df874ef7d3757cad9469da96c293187a9382867f332caf714f91c9059a90a3dda7670b265f3a5e2339b9e12ca05eb373e56
-
Filesize
27KB
MD5e92ba8ab3be45a5fa0b0439966583d8b
SHA188ec890850a4d531476151ddabb6f6def5d87273
SHA256f65bb318be803581780fed95f57d0fd7b5c1b0e070e0062a8d06e4e5dde4c9ee
SHA5124a5d11dfb7ed1c95eb2b839c9a094f7a8cd32e78d3af9f1eefe52857d9b17cc69649638b8afd8ae581518cf9b223c352ccdf84a46990ac56b57577502a9035dc
-
Filesize
23KB
MD5f24259dabe9905bf00eef0374053937b
SHA1b1949c85cfaeb2b2cdf99b51d3191e4e3bd0dd54
SHA256f99a3f408880834ce3c762fb434cea98c87bc6df19b63d509d1093f2295bbc8e
SHA512fc46db162ba62b46106c7b5c942e2ee186b126deebb8f2e48daf9892620d4b4acaa244fb4b65e1e6f02e06072a8b61d95e49e2ecbfa676cedc361735abb34f01
-
Filesize
25KB
MD55f158413a85e905b0ceb5aaa1aa35f28
SHA18807fa016b184ae6e8b66177bf34f1810f5d6095
SHA25693780b67e8ff9dd076cc67c620d1baa7b5518ecb5cf45ecc1dbf92e6bafcf646
SHA512e20e433e45ac817f74fca61be03bb9a998adfb2038b50f4476bcb2fcaf0e09236844dc2a9fa4200724d62c646aa9ea5ad315e51fcb4aa9fbf1add1a55a735983
-
Filesize
25KB
MD5c04f55920b25221f81575231bbb5e4d7
SHA1b0a65c6ee855e49a4a1d937572f7aaa7b6d9539a
SHA256c87e13d8fb07cdf07deb3222270afec1de7fc7e481a9fb22068eee74f2a60685
SHA5122159de09ae92d8a88feb7eb1d0072b928c726fad94a3a72d3523fb15e41a2ad9cb26affdb23cb3d6441fd2b377f29b3df5cd7e0db0ec48871c9dcdaa35a4a000
-
Filesize
21KB
MD532abf928ec4678c2bd68a894da7de229
SHA1eccc5e68ecf49a8bc448b88a6a8887a570ce47d4
SHA256ae60603ed90d3ce024a9c05bdac449abb34ba43251241a27298f4a717a27c249
SHA5120e71ba1249f65e05461c3e416876502104dc302131312d44151ebde2d95df9433b6faeea3ca0e1afe5831172d59eaf3f348735609894e5ecec3f8d31d199ab2b
-
Filesize
19KB
MD559bf6195153eab0d466f501bf8f14f68
SHA1e6e156d6c3eed6b4190a266f7374cafac8ad1c07
SHA25628af247eca739d17fd68979b8c5067deaf85d4bf8478f480d00dc0337c06f47c
SHA512abd4e96c6e1f54e989e3167402188136aca172cd926e9910a456094bcd0fade2f0eaac97887dcd1bdef658d8b6d5606a9a493d6b0687653a0496228cf1907ecd
-
Filesize
368KB
MD55bde978a0febd4a59de0e6b835180389
SHA11c522ff3fa433a2302bfa6538c4460ce04833ee6
SHA25674c9d82bebeaaecb50001ff0b1ee6ea129fc9de3c6a673d29d3e12615b75b3c0
SHA512aa598c8c1a0f701c22fe38f53693e5f6c4ff855f66fd568ddfcb5f46cef058773038f947236d21442575c63e77987127f7fdb1fe2b7223109c25fd0411220318
-
Filesize
241KB
MD54dc44d5151384fa688d01dff77e7bf97
SHA1e538146be27b44ad54fd857a17c518ea7096a22e
SHA256f490db01d8a604117856ff993726456b6d3aa087b017c8cbc5ed1b917cd4df57
SHA51256933d16050765e0262bd38bc96ee9a71de4ac28c6748ad908c08955fc5463feed5966481176354570404923cfc3fc699a3d93e0470807a26613ba3ac6ad5f32
-
Filesize
25KB
MD5602aeec43305021dcea0103bfd6167ae
SHA11eef22e0c1a076cf88fbe875974d0dd4d40e4d19
SHA25633e177db21f3f21b7d8cbe0d87e92042f3e45f892491046a26fba1e989e2c38e
SHA512921e2b8be67b8180f0c77fb186d03c02ed3f5c3aa492618a399de3f72113161d131d081d0a34dd9ae8dc1b1218601154bf4281e5511679683389f151399a6165
-
Filesize
55KB
MD590c5a4208aa1ac6dafb6189159cd7e10
SHA17df05caa1dbbfa7d8f65abeaa2d5b3a49ac66032
SHA25617927ae7a1e834dd150c5c26e21f68dfa6404a813dfe1a1c33d0dad446ba3489
SHA512e0fba99ac770a15338a6f06c94f99ce948cc9406444799bba7eed2514f122f0062dc330c2e67bd41f0235d526fca232974c9d19b40c9c1c5e0ed01e82494bdbe
-
Filesize
7.3MB
MD51406431ed0927c24bc87045547cb7892
SHA168e0710011ea9948a7a72f5bbac3a2732953f4a2
SHA2562a2b4cd5722f251c56ae5b7ac7671bb423b229ee30089e8723bd942aed0bf36e
SHA5123bb4eeaf6b1181a68d9ba2351ca3212fe99d49af8d99ab7dd3e1dcf0bcfac6caa9de1828644127cea694cd66cf862eb339c705fe56a378ea625f88775961f5f8
-
Filesize
136KB
MD5dcda1583d25968da25b1d1bf91169680
SHA110681c51922cfd06a088c6a6c75cd186f9c8d9d1
SHA25684a73bc173a30b2d174a66637bd075bd2c01e48e4fd97ed032dcafb2c8c0dea3
SHA5123df130f1a7a82f8401f7e7ec9d56b65f453ecd4cc525fe4aa196e090356951fc00fdcf9a99e776b2cde2b3ca9276af7db270bb2db4ff1b6cf3f63b648f7dca76
-
Filesize
3.5MB
MD572b58be0b56aa0f7bbfdfddd2554b06f
SHA1c4519063ee6cbbb8feb6c846949b1c5c81da26ba
SHA256f52724ae696b5c9e2586fd41047e6ac56541efdfc157a33ba20ad5826234bf53
SHA512640b747ebe5efa39ec05558a75b418bf1c60de9f503698b2e8a68afb5bfb2dc890943d13bfa3cd6366c7f9d7e293c9aa9b783c00e313aa27f6e15065937628c1
-
Filesize
439KB
MD55ff1fca37c466d6723ec67be93b51442
SHA134cc4e158092083b13d67d6d2bc9e57b798a303b
SHA2565136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA5124802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
Filesize
117KB
MD572c1ff7f3c7474850b11fc962ee1620c
SHA1b94f73a1ce848d18b38274c96e863df0636f48a7
SHA2563b159da9dad9afd4bd28b5b1a53dc502a2487068055ed8c30136a76cd6924890
SHA5121ed4b3c34dd0033ec2aa05bdacaa45041d9cd5880fdb5530ca033308ab349c09d4811bb276bbdf51a3040b7a337f9a5d33796924550962a56058203799c5bd53
-
Filesize
1.1MB
MD56c2810f92a98551650cb268e68a12441
SHA10086b73b79da608bfb969d06d72b6cb9fed948f4
SHA256656e7fe89e902f00e5115d23f69ffbd043d923277c5a21149f2c60e0abbb4614
SHA512d8ed5fc3c7ca60225f4965bd097b86ea197a111655e5974690f926900ec787a103b62431b113818b1f81f9a576cc970b1b8798d30d89fa4713abdc13ffd291a3
-
Filesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
Filesize
101KB
MD513cd5ab2da5a98f5f76aa6f987187461
SHA1dd2d54668258b989cc500c132d9a686babe67fa5
SHA2563310ca85f0cb26e07bb3d8e1168c49e572a7c50762fa8140768663a5df9823e9
SHA512c1c0c11b9804e6d25c8b1c74a09bfd3133255fe47ab9515cde124ec73231205b11d0536a66fccc9379dd84a33bb589cc78f867ef423ff30067363fdee7d605ca