Analysis Overview
SHA256
d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6
Threat Level: Known bad
The file NetworkIsooProSetup.msi was found to be: Known bad.
Malicious Activity Summary
Remcos
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Enumerates connected drives
Modifies Windows Firewall
Blocklisted process makes network request
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: AddClipboardFormatListener
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 21:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 21:49
Reported
2024-08-15 21:51
Platform
win7-20240704-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Active RPC Converter Suite = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Network MPluginManager\\Coolmuster PDF Image Extractor.exe" | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\f76f23b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76f23c.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76f23e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f76f23b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF6E1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76f23c.ipi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Loads dropped DLL
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NetworkIsooProSetup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "000000000000005C"
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
"C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Coolmuster PDF Image Extractor In Service" dir=in action=allow program="C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Coolmuster PDF Image Extractor Out Service" dir=out action=allow program="C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | win-update.xml | udp |
| N/A | 127.0.0.1:49415 | tcp | |
| N/A | 127.0.0.1:49417 | tcp | |
| N/A | 127.0.0.1:49419 | tcp | |
| DE | 45.133.74.183:2404 | tcp | |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabCD11.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCE1D.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ed77a1e2b1f1633370fee9c24fba7d13 |
| SHA1 | 7fe2159b1f367a224dcdaf4bcc6ba2db65083735 |
| SHA256 | 86ece0d3856ebaf90c22571c2829f4c4beecba7fa2c88773c553dfdd8e4d4057 |
| SHA512 | 54723bb816a53eb549f9049fc7f1abe46dce9b28d22b8ed9e32a568f85e1131ed3039af2a5db9f82b5875353b4fb3858346021a9f2b01d2e80fd045dd2cbe774 |
C:\Config.Msi\f76f23d.rbs
| MD5 | 17b7e50dae957d8fbc6b7f550fc74840 |
| SHA1 | 6c60ef9fd1f0859192fe6bab7b617212a05dbd5f |
| SHA256 | bf2e4cd6e0eeef8dd060e23a48d7d358a26c37b8eaa87b85109fac2154cc9cdf |
| SHA512 | 466bb50d5ad9d6f8793f80516649684d1776a787859d882c740066d5d1c60bc549e838161eaf754851c6ffceae5467734ab0352511364ab53684c919d12647bc |
C:\Windows\Installer\f76f23b.msi
| MD5 | 4fff2618d8f4f571bd0fed70db95a6a2 |
| SHA1 | 0c2dc8df585ef1fb3d963820d4b9a5c5a41ad0f6 |
| SHA256 | d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6 |
| SHA512 | b05a8627f52943f5b1beacfdbc45c49c9cc70c9a12e8a165b8587d6a7bab18edf1bb7d90231c404a4be7c0c7b73856056a5d11d642eefd83a8d2cf236636dfc8 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
| MD5 | e11235cb041e3ae98cb17d746b45cb66 |
| SHA1 | fcaa4feab36f28bd38e71ee762cc499f731d3d47 |
| SHA256 | c7030fb23fd25fc99c39457618a3afd2b27b381d7b833d4662995493d85deaf4 |
| SHA512 | 08da0141966050864a404c413f51fada820489872da15ddff1ef8273211deab106bf912105076f24e801b88276db772cb8f8f15201b83ef35e069d0a4de63db4 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libxml2-2.dll
| MD5 | 72b58be0b56aa0f7bbfdfddd2554b06f |
| SHA1 | c4519063ee6cbbb8feb6c846949b1c5c81da26ba |
| SHA256 | f52724ae696b5c9e2586fd41047e6ac56541efdfc157a33ba20ad5826234bf53 |
| SHA512 | 640b747ebe5efa39ec05558a75b418bf1c60de9f503698b2e8a68afb5bfb2dc890943d13bfa3cd6366c7f9d7e293c9aa9b783c00e313aa27f6e15065937628c1 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libdrive.dll
| MD5 | 1406431ed0927c24bc87045547cb7892 |
| SHA1 | 68e0710011ea9948a7a72f5bbac3a2732953f4a2 |
| SHA256 | 2a2b4cd5722f251c56ae5b7ac7671bb423b229ee30089e8723bd942aed0bf36e |
| SHA512 | 3bb4eeaf6b1181a68d9ba2351ca3212fe99d49af8d99ab7dd3e1dcf0bcfac6caa9de1828644127cea694cd66cf862eb339c705fe56a378ea625f88775961f5f8 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\Module.View.dll
| MD5 | 74bc438e41c723c1389ee2484e0359c7 |
| SHA1 | 927bb7bcb50965a896757a28744887eade204337 |
| SHA256 | 6b1002b04d0334d6afcf28147918df5f284c016da605bdc36f4f2c5806950316 |
| SHA512 | 55d03871b1fc7afa9d35df978ed968be603b10754b43f3e4aa8cf89b989549e7114f183cad10b242e3ab27f85f10b8cd91207364f170c02cc8e94d24c6e6caab |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-multibyte-l1-1-0.dll
| MD5 | e92ba8ab3be45a5fa0b0439966583d8b |
| SHA1 | 88ec890850a4d531476151ddabb6f6def5d87273 |
| SHA256 | f65bb318be803581780fed95f57d0fd7b5c1b0e070e0062a8d06e4e5dde4c9ee |
| SHA512 | 4a5d11dfb7ed1c95eb2b839c9a094f7a8cd32e78d3af9f1eefe52857d9b17cc69649638b8afd8ae581518cf9b223c352ccdf84a46990ac56b57577502a9035dc |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\groceryc.dll
| MD5 | 5bde978a0febd4a59de0e6b835180389 |
| SHA1 | 1c522ff3fa433a2302bfa6538c4460ce04833ee6 |
| SHA256 | 74c9d82bebeaaecb50001ff0b1ee6ea129fc9de3c6a673d29d3e12615b75b3c0 |
| SHA512 | aa598c8c1a0f701c22fe38f53693e5f6c4ff855f66fd568ddfcb5f46cef058773038f947236d21442575c63e77987127f7fdb1fe2b7223109c25fd0411220318 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libglog.dll
| MD5 | dcda1583d25968da25b1d1bf91169680 |
| SHA1 | 10681c51922cfd06a088c6a6c75cd186f9c8d9d1 |
| SHA256 | 84a73bc173a30b2d174a66637bd075bd2c01e48e4fd97ed032dcafb2c8c0dea3 |
| SHA512 | 3df130f1a7a82f8401f7e7ec9d56b65f453ecd4cc525fe4aa196e090356951fc00fdcf9a99e776b2cde2b3ca9276af7db270bb2db4ff1b6cf3f63b648f7dca76 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libI18n.dll
| MD5 | 602aeec43305021dcea0103bfd6167ae |
| SHA1 | 1eef22e0c1a076cf88fbe875974d0dd4d40e4d19 |
| SHA256 | 33e177db21f3f21b7d8cbe0d87e92042f3e45f892491046a26fba1e989e2c38e |
| SHA512 | 921e2b8be67b8180f0c77fb186d03c02ed3f5c3aa492618a399de3f72113161d131d081d0a34dd9ae8dc1b1218601154bf4281e5511679683389f151399a6165 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libRG.dll
| MD5 | 90c5a4208aa1ac6dafb6189159cd7e10 |
| SHA1 | 7df05caa1dbbfa7d8f65abeaa2d5b3a49ac66032 |
| SHA256 | 17927ae7a1e834dd150c5c26e21f68dfa6404a813dfe1a1c33d0dad446ba3489 |
| SHA512 | e0fba99ac770a15338a6f06c94f99ce948cc9406444799bba7eed2514f122f0062dc330c2e67bd41f0235d526fca232974c9d19b40c9c1c5e0ed01e82494bdbe |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 59bf6195153eab0d466f501bf8f14f68 |
| SHA1 | e6e156d6c3eed6b4190a266f7374cafac8ad1c07 |
| SHA256 | 28af247eca739d17fd68979b8c5067deaf85d4bf8478f480d00dc0337c06f47c |
| SHA512 | abd4e96c6e1f54e989e3167402188136aca172cd926e9910a456094bcd0fade2f0eaac97887dcd1bdef658d8b6d5606a9a493d6b0687653a0496228cf1907ecd |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | f966b9ff936d60de02c37b16b9d23e4e |
| SHA1 | 7dffea259d7e5ffdf005900ac9417319acc66f33 |
| SHA256 | 90788cc217e4f5e78ec988061552fcd1c1a3ab61c6df3de132aae606383fbc27 |
| SHA512 | bc27f4871e872d76b89d7f0ba5ed7d7062a04218bdf9a741598bfce82cd788e866d2c20513594726948e1701bfdb17afc2280405b0d994aaa3cd2ebefc1c8cf7 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 32abf928ec4678c2bd68a894da7de229 |
| SHA1 | eccc5e68ecf49a8bc448b88a6a8887a570ce47d4 |
| SHA256 | ae60603ed90d3ce024a9c05bdac449abb34ba43251241a27298f4a717a27c249 |
| SHA512 | 0e71ba1249f65e05461c3e416876502104dc302131312d44151ebde2d95df9433b6faeea3ca0e1afe5831172d59eaf3f348735609894e5ecec3f8d31d199ab2b |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 735d7e5ae0a53b644482f5e70efeff5d |
| SHA1 | 8e99689cf9d24aa4268a51bd377015e9d9ad7f64 |
| SHA256 | e9d88aa96743aa2ff29ac8d7930ba0c8ebb21372329a1bf5926cce59a4b39f4b |
| SHA512 | 12239d14a634b7cdaa07e39186b674bc905f73c928db5230752407650f274bd401d10487b3ac2c426cc8da708f0ca6fbaffc2a5075e299901961bd205ad7bbd8 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 2b20bc164f817ffbba1b547857b0da2a |
| SHA1 | c40095898cfe64c6132e81090333317563184c3c |
| SHA256 | a7a4ba2270ae7e5679ff9413d1e53ba706a95bec28c906de378ab4b1a8fbf6e7 |
| SHA512 | a760294cd9b9f3c0c9c0ec4800536df874ef7d3757cad9469da96c293187a9382867f332caf714f91c9059a90a3dda7670b265f3a5e2339b9e12ca05eb373e56 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 281399c6a7ca9c52c6b20c78938ec2d3 |
| SHA1 | 5e76793588075edaeedab8d30297d9a8031c74b5 |
| SHA256 | 58e0f4ae04529a03bc5a453cdb891fcdaf82e4d7ec2757b3f88f5f967407fc94 |
| SHA512 | 459fe7cb8433fa23dc765894b78c1e2fd007ac3ed659d6f4fc9191a589e349107f7c4c03718e34c9a9231324fdcd970fae75e2772c153a97001933869628a7e6 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 2e7fcee0944d063d8528399f22c9b2b7 |
| SHA1 | 05a68b73e778817f52885e6f27800e99125efdca |
| SHA256 | a38f46fe1a1bba3a8c7cc942bac945413c5c0e992ca599f9f09181b7f5645f52 |
| SHA512 | df689de14369d858412b79156acd8e2fcafeb45793eac91f1ce0cba37bcc2e88c53533934647960176c48133c1e5383f406eef859bfb5231f49730acf4320d95 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 5f158413a85e905b0ceb5aaa1aa35f28 |
| SHA1 | 8807fa016b184ae6e8b66177bf34f1810f5d6095 |
| SHA256 | 93780b67e8ff9dd076cc67c620d1baa7b5518ecb5cf45ecc1dbf92e6bafcf646 |
| SHA512 | e20e433e45ac817f74fca61be03bb9a998adfb2038b50f4476bcb2fcaf0e09236844dc2a9fa4200724d62c646aa9ea5ad315e51fcb4aa9fbf1add1a55a735983 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-string-l1-1-0.dll
| MD5 | c04f55920b25221f81575231bbb5e4d7 |
| SHA1 | b0a65c6ee855e49a4a1d937572f7aaa7b6d9539a |
| SHA256 | c87e13d8fb07cdf07deb3222270afec1de7fc7e481a9fb22068eee74f2a60685 |
| SHA512 | 2159de09ae92d8a88feb7eb1d0072b928c726fad94a3a72d3523fb15e41a2ad9cb26affdb23cb3d6441fd2b377f29b3df5cd7e0db0ec48871c9dcdaa35a4a000 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 6521cf7e6a66c747726fd09e51a1f92d |
| SHA1 | b89168c27063a2b4f81c69df4ce23f144b55bcc4 |
| SHA256 | dc8ae6136313ed0ee26aed6e9d3a192413d62e12c7c568fae5a7abb784ca4c72 |
| SHA512 | 03a63ed3c2e0be3e1e918eb01e5fb722be06d8e32179782ed3f7106048f522426bda045cd3ae605a066403bded2621923a8c33d075bf8e11b58c432a69481ac2 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 5a8978023b93c8c369d3696c8251b71d |
| SHA1 | 1ffc61471c2f49a80d5e3f83df2a9010d3c5a1c7 |
| SHA256 | dba254b1446808887d452bcd6c27685462c39dc2f1da181765f0898b4eb1b953 |
| SHA512 | 53ae57280e593d886b609d55c313e2ef208c3f0ce53b5d015f57aaf3cce901a192efe60b24d9e9b5c6e9ef7779c9103a951e813780a53d12a27680965e5b39ad |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l2-1-0.dll
| MD5 | adfc5bebc4a2c52023f47a1e548b0cc9 |
| SHA1 | a2562ef8534b1448409adfa6c5d7e283ad005a70 |
| SHA256 | 7de5743f68d9bd6cff0fb8021c22d4069e2e993d97735db0ef65756ff915f39c |
| SHA512 | 89665104bd17f9020a871215f03acd40294302e933e503ad22b208ec7c96dddcf5f7b1ae1aa2c3d83fbd608d525d36ff2f7ee86762e44e441153124da352a278 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | ed3a91953d5ce03d65bd90fa46c1e29d |
| SHA1 | 92cdac4071850ac96759ae77a0b3c5f6bebdc2ef |
| SHA256 | 35ea6ec01e55108182c743b47fed5be381acf295982be87d92b4588ccb71240d |
| SHA512 | edb4539b6081e73bb410668c420d437a0a746fc4aba28f7f15f7a2debc8bf8eb11e03f38957b438bfb95e86652b44c1bdb0162f449146df467ff5e1de281e56d |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-2-0.dll
| MD5 | 045e4617b49e817007d8a88652af7734 |
| SHA1 | 305026109a1eabf49bf7ae6a233a4a11e2a22580 |
| SHA256 | fd387d4e358e3755db38a618066fb72cd03b17b54d058dbe3dab82065519edc7 |
| SHA512 | 7e21cf4982ce6f4aa52f0281eae101287a850152c70577b456876356201e12983c9d211d04e05d2c81f80a56bc11ab54eaefa7e492e3910af21af14ff10962cc |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 1f462654c1bbc1ced7e4d8e879732e14 |
| SHA1 | a56a7c4154870db07395d50f4d8d963e4cce92ab |
| SHA256 | b8e6deceacbc5f8e483ad076196df819377d2731e146eb4f48c5a59da9abdd65 |
| SHA512 | 917edfc5cbf3f82708d6cb84a2ad31c41b1b02cf44a921b6934bff614b69d0754115c35aaf4d181085a4b77ebd816fe06cb9def01addc5c68846da0850fe8cce |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 2a3da8e1cd09aca0fc13be43848c7695 |
| SHA1 | 72380005fde41e6c6b37db5a46cdb0efc3d6cb08 |
| SHA256 | c3f671d3b41fffa444a33f79c0e65df7ca01e56598e4b2f90e7af18c77b97652 |
| SHA512 | e4b659aa290a6c256799a76890c296e702316094b132b9bc4b393dc6bff7640b7e62de0f05097932291db411dfb871533f7473cc6c55805f69d75562aae6dc44 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\ucrtbase.dll
| MD5 | 6c2810f92a98551650cb268e68a12441 |
| SHA1 | 0086b73b79da608bfb969d06d72b6cb9fed948f4 |
| SHA256 | 656e7fe89e902f00e5115d23f69ffbd043d923277c5a21149f2c60e0abbb4614 |
| SHA512 | d8ed5fc3c7ca60225f4965bd097b86ea197a111655e5974690f926900ec787a103b62431b113818b1f81f9a576cc970b1b8798d30d89fa4713abdc13ffd291a3 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | f24259dabe9905bf00eef0374053937b |
| SHA1 | b1949c85cfaeb2b2cdf99b51d3191e4e3bd0dd54 |
| SHA256 | f99a3f408880834ce3c762fb434cea98c87bc6df19b63d509d1093f2295bbc8e |
| SHA512 | fc46db162ba62b46106c7b5c942e2ee186b126deebb8f2e48daf9892620d4b4acaa244fb4b65e1e6f02e06072a8b61d95e49e2ecbfa676cedc361735abb34f01 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\pthreadGC2.dll
| MD5 | 72c1ff7f3c7474850b11fc962ee1620c |
| SHA1 | b94f73a1ce848d18b38274c96e863df0636f48a7 |
| SHA256 | 3b159da9dad9afd4bd28b5b1a53dc502a2487068055ed8c30136a76cd6924890 |
| SHA512 | 1ed4b3c34dd0033ec2aa05bdacaa45041d9cd5880fdb5530ca033308ab349c09d4811bb276bbdf51a3040b7a337f9a5d33796924550962a56058203799c5bd53 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\zlib1.dll
| MD5 | 13cd5ab2da5a98f5f76aa6f987187461 |
| SHA1 | dd2d54668258b989cc500c132d9a686babe67fa5 |
| SHA256 | 3310ca85f0cb26e07bb3d8e1168c49e572a7c50762fa8140768663a5df9823e9 |
| SHA512 | c1c0c11b9804e6d25c8b1c74a09bfd3133255fe47ab9515cde124ec73231205b11d0536a66fccc9379dd84a33bb589cc78f867ef423ff30067363fdee7d605ca |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libBasic.dll
| MD5 | 4dc44d5151384fa688d01dff77e7bf97 |
| SHA1 | e538146be27b44ad54fd857a17c518ea7096a22e |
| SHA256 | f490db01d8a604117856ff993726456b6d3aa087b017c8cbc5ed1b917cd4df57 |
| SHA512 | 56933d16050765e0262bd38bc96ee9a71de4ac28c6748ad908c08955fc5463feed5966481176354570404923cfc3fc699a3d93e0470807a26613ba3ac6ad5f32 |
memory/2420-219-0x0000000073E30000-0x0000000073EAB000-memory.dmp
memory/2420-220-0x00000000068E0000-0x0000000006A39000-memory.dmp
memory/2420-225-0x00000000068E0000-0x0000000006A39000-memory.dmp
memory/2420-227-0x00000000068E0000-0x0000000006A39000-memory.dmp
memory/2420-230-0x0000000062E80000-0x0000000062EA2000-memory.dmp
memory/2420-231-0x0000000062480000-0x00000000624A5000-memory.dmp
memory/2420-232-0x0000000070F40000-0x00000000712A4000-memory.dmp
memory/2420-235-0x0000000074260000-0x00000000742E4000-memory.dmp
memory/2420-234-0x0000000073FE0000-0x0000000074238000-memory.dmp
memory/2420-233-0x0000000074510000-0x0000000074631000-memory.dmp
memory/2420-255-0x00000000068E0000-0x0000000006A39000-memory.dmp
memory/2420-256-0x00000000068E0000-0x0000000006A39000-memory.dmp
memory/2420-254-0x00000000068E0000-0x0000000006A39000-memory.dmp
memory/2420-248-0x00000000068E0000-0x0000000006A39000-memory.dmp
memory/2420-258-0x00000000068E0000-0x0000000006A39000-memory.dmp
memory/2420-260-0x00000000068E0000-0x0000000006A39000-memory.dmp
memory/2420-257-0x0000000006FD0000-0x000000000704F000-memory.dmp
memory/2420-261-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/2420-262-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/2420-264-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/2420-267-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/2420-268-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/2420-270-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/2420-269-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/2420-271-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/2420-282-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/2420-299-0x0000000006DE0000-0x0000000006E60000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 1cf977a1499e288c8cedaf63fcd0318b |
| SHA1 | d7c7fd5fbd99ce101165252a18332a38d3a0230b |
| SHA256 | 00cf7d3a9ad7e8218602a02c687030278f1a97e8e27ac1d76b8e95c60422b3de |
| SHA512 | 56240d686166b37b0a71a0ca9db6ae442e91989ab6381f10b9dadbf8570baeaf4630c98e791dc9c56ca335a185ad9c7ac993e741a2beb25d11c4405394cff849 |
memory/2420-327-0x0000000073E30000-0x0000000073EAB000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 1b42d585b6b090783cfcc5d21383d958 |
| SHA1 | e3226014c0038ab81475f010ca002ef432159f9c |
| SHA256 | 08d41fe132793bfb86e733a1ffd70e85fa49efe3a9f1da27a1f202a139d8ac79 |
| SHA512 | 37616dcda8120011be7bf0060ce9cf3d98daaa447cdd9b399dd6b22d616d7193d2f407cb9e2225ff076ee6f49f4c7932fd293835ee1084e8c1df2d05421929de |
C:\ProgramData\remcos\logs.dat
| MD5 | 60b3183b91def59683dba4d090eb49db |
| SHA1 | d39c70c255d29c13045afb8f3974e8f06eac55e4 |
| SHA256 | e94ace265151dea1374a9c0038bcf7e26c37b77b3412e63443697853444ddc9e |
| SHA512 | 199f6fa0686a398db121fbb576c27225f58c4600f02e3ef575f10f89d347f9b6748653c6ac0d12c3bfceba316f7f49f6e97838cc7a45a7cd51fc5e2d738b89a8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 21:49
Reported
2024-08-15 21:52
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Active RPC Converter Suite = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Network MPluginManager\\Coolmuster PDF Image Extractor.exe" | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\SourceHash{4A194FDC-5FC7-428C-83CA-BC4A750D530B} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI30BF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e582eed.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e582eeb.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e582eeb.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Loads dropped DLL
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d6be30f9a4b6bc740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d6be30f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d6be30f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd6be30f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d6be30f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NetworkIsooProSetup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
"C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.57.26.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 45.133.74.183:2404 | tcp | |
| US | 8.8.8.8:53 | 183.74.133.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
\??\Volume{f930bed6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b4efac1f-bf14-45cb-941e-e32382e7e14c}_OnDiskSnapshotProp
| MD5 | 042a78f887babdc1ed8e2b73aeb3c5a5 |
| SHA1 | b151334eff6d91ce360995c9882d0d0fba18a306 |
| SHA256 | 0583f77d45e387930084aa29b99a77234f5b6040bc9b44605fc077d8453ba60a |
| SHA512 | 18817a0a1833c71078fb3e5fe8691f5e88677b5a445c9abd804c045a158e29e2872dfe1a61df9c0355ad7c1a4569c56d10239273b695fc8083717a0f43373ee2 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | cae2b17843e9b1ed3e7bfb992755051d |
| SHA1 | b68c77a99470c76c39b7fc0ce2527b447ebfad36 |
| SHA256 | 692c69e38d895d8b31ca7fcf8c5f974f1f04c09f8c0d343319e502a83750077e |
| SHA512 | b777c29cd2c6b196b9c28765eb4caacc4271053490a46f177777714c929512a99bbf3f14c18f7425c6a23250514120b6a08639d37a1fbb2783d97421351c2902 |
C:\Config.Msi\e582eec.rbs
| MD5 | b8b540e94e34c1a5b8e0d5dbdd85230d |
| SHA1 | c149b97f3fe011584b2b4824a17c621524493e96 |
| SHA256 | 7b7c8262fd8e93969068a79f4f8c3df45446744692c3e4bbf5df051fbed8d2d8 |
| SHA512 | 7ae7bbcd41099a48d75e659779e189ac0c6e22f090e696e779812b4037d3fd60b676843e31e2c31e2d8903e190ef19336acaa39304208d95acebe3e29d964d0f |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
| MD5 | e11235cb041e3ae98cb17d746b45cb66 |
| SHA1 | fcaa4feab36f28bd38e71ee762cc499f731d3d47 |
| SHA256 | c7030fb23fd25fc99c39457618a3afd2b27b381d7b833d4662995493d85deaf4 |
| SHA512 | 08da0141966050864a404c413f51fada820489872da15ddff1ef8273211deab106bf912105076f24e801b88276db772cb8f8f15201b83ef35e069d0a4de63db4 |
C:\Windows\Installer\e582eeb.msi
| MD5 | 4fff2618d8f4f571bd0fed70db95a6a2 |
| SHA1 | 0c2dc8df585ef1fb3d963820d4b9a5c5a41ad0f6 |
| SHA256 | d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6 |
| SHA512 | b05a8627f52943f5b1beacfdbc45c49c9cc70c9a12e8a165b8587d6a7bab18edf1bb7d90231c404a4be7c0c7b73856056a5d11d642eefd83a8d2cf236636dfc8 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\pthreadGC2.dll
| MD5 | 72c1ff7f3c7474850b11fc962ee1620c |
| SHA1 | b94f73a1ce848d18b38274c96e863df0636f48a7 |
| SHA256 | 3b159da9dad9afd4bd28b5b1a53dc502a2487068055ed8c30136a76cd6924890 |
| SHA512 | 1ed4b3c34dd0033ec2aa05bdacaa45041d9cd5880fdb5530ca033308ab349c09d4811bb276bbdf51a3040b7a337f9a5d33796924550962a56058203799c5bd53 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libUpdate.dll
| MD5 | 8254b2b4065959e64aca2c91c2fccea7 |
| SHA1 | 483591ed9e282c6c6726d0da557fa783ed9a798c |
| SHA256 | be195001a8b43dda8f6193623133e51d378e08094e5ab8f29174a35299eb4e57 |
| SHA512 | 4c1777d500cc7198e155142a9322e26a4dc7b392e21948f94a2aaf64beb1b02d3643b7aaef3f6af1bb33d324cd571fd06c3fbc672abb577cad3fd0f10fbee529 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libcrypto-1_1.dll
| MD5 | f2aa84d12fcc64349f96df7ef5f6d063 |
| SHA1 | eddf2f6d54cb86b4251be168080f5e4acd4acc0a |
| SHA256 | 1a4ef4224d094e512cf7a21eb7ade8a36c0028aebbdf292f34ea6fe752793cd0 |
| SHA512 | e6ace721d6d570db247774d0d78e1f8226a1977a7e1f3ce892e58dca6556ea7324c42507de9d3ba8e7e55ca22d7329f2f91e93b4c735fd0c63fb80b319ab26e8 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libssl-1_1.dll
| MD5 | 55694c901f906b6234a0b89a27f0f508 |
| SHA1 | 5ba83e0bac11f952c05b85ef731b8aa3c2b1cc2f |
| SHA256 | a384deb5f6c8517852b0fa4832a373c37881855faf1ffce5b7b49ea866371393 |
| SHA512 | bf37592206fcebb6a2bdec9b57377456b0dfd56678c51c3d6f81f06f103546966a3f569390522a48917bd461dfa3404d3cce870d0db9e98a89c98d4c9653a276 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libexpat.dll
| MD5 | 8b650e64ca112a000f95eb16d698e151 |
| SHA1 | 7b6533950068eeb9aa96ebab55e524c48732b70c |
| SHA256 | cd4f37c1c978f6c7b38ae44b25f0c1dbe40f1b6cf626a08947d5808d7e34a086 |
| SHA512 | e3d9c1c0e21631697fa7bca5a76467647863430283d855a860a16f87ee9273a1bc37b9a6e5fa16e1a9ed47058738603ba12dc7276278799d1b657aa504597701 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libcurl.dll
| MD5 | 5e4d6ce410e2c156c293162cef078fca |
| SHA1 | 19e8f2046683a71cdaf907120ce4c95f5339faf3 |
| SHA256 | 6e158f098213773ee2ab91c1f02ab39fbe2896947c9dfcf762aee10662a8bcd8 |
| SHA512 | 076824cc390a7ede124f6acbbf407ed7caed0cf15e5b827f0b622fc93b851eaaa3f8a1d6f2f701ccb2078b7b8a28d2383de7b71de6f560b628049394dfc29ea9 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libxml2-2.dll
| MD5 | 72b58be0b56aa0f7bbfdfddd2554b06f |
| SHA1 | c4519063ee6cbbb8feb6c846949b1c5c81da26ba |
| SHA256 | f52724ae696b5c9e2586fd41047e6ac56541efdfc157a33ba20ad5826234bf53 |
| SHA512 | 640b747ebe5efa39ec05558a75b418bf1c60de9f503698b2e8a68afb5bfb2dc890943d13bfa3cd6366c7f9d7e293c9aa9b783c00e313aa27f6e15065937628c1 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Module.Helper.dll
| MD5 | 500296c19761254e94039c5e947fd4c1 |
| SHA1 | 75bd8b2f53c7af89eacd8f82561345de7f903fea |
| SHA256 | ccaf204af80f66a2254cfc8d37b4665fd158ca51ac60febef89af3683f2a65f5 |
| SHA512 | 341a227809f788f5905d90297743130d616f98bf93e50b53e27953a0227b20929146af50bb3afaed227356c1f55cac381f9cf8c15f35849dbc4a9ad01f11753e |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\groceryc.dll
| MD5 | 5bde978a0febd4a59de0e6b835180389 |
| SHA1 | 1c522ff3fa433a2302bfa6538c4460ce04833ee6 |
| SHA256 | 74c9d82bebeaaecb50001ff0b1ee6ea129fc9de3c6a673d29d3e12615b75b3c0 |
| SHA512 | aa598c8c1a0f701c22fe38f53693e5f6c4ff855f66fd568ddfcb5f46cef058773038f947236d21442575c63e77987127f7fdb1fe2b7223109c25fd0411220318 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libRG.dll
| MD5 | 90c5a4208aa1ac6dafb6189159cd7e10 |
| SHA1 | 7df05caa1dbbfa7d8f65abeaa2d5b3a49ac66032 |
| SHA256 | 17927ae7a1e834dd150c5c26e21f68dfa6404a813dfe1a1c33d0dad446ba3489 |
| SHA512 | e0fba99ac770a15338a6f06c94f99ce948cc9406444799bba7eed2514f122f0062dc330c2e67bd41f0235d526fca232974c9d19b40c9c1c5e0ed01e82494bdbe |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libglog.dll
| MD5 | dcda1583d25968da25b1d1bf91169680 |
| SHA1 | 10681c51922cfd06a088c6a6c75cd186f9c8d9d1 |
| SHA256 | 84a73bc173a30b2d174a66637bd075bd2c01e48e4fd97ed032dcafb2c8c0dea3 |
| SHA512 | 3df130f1a7a82f8401f7e7ec9d56b65f453ecd4cc525fe4aa196e090356951fc00fdcf9a99e776b2cde2b3ca9276af7db270bb2db4ff1b6cf3f63b648f7dca76 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libI18n.dll
| MD5 | 602aeec43305021dcea0103bfd6167ae |
| SHA1 | 1eef22e0c1a076cf88fbe875974d0dd4d40e4d19 |
| SHA256 | 33e177db21f3f21b7d8cbe0d87e92042f3e45f892491046a26fba1e989e2c38e |
| SHA512 | 921e2b8be67b8180f0c77fb186d03c02ed3f5c3aa492618a399de3f72113161d131d081d0a34dd9ae8dc1b1218601154bf4281e5511679683389f151399a6165 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\zlib1.dll
| MD5 | 13cd5ab2da5a98f5f76aa6f987187461 |
| SHA1 | dd2d54668258b989cc500c132d9a686babe67fa5 |
| SHA256 | 3310ca85f0cb26e07bb3d8e1168c49e572a7c50762fa8140768663a5df9823e9 |
| SHA512 | c1c0c11b9804e6d25c8b1c74a09bfd3133255fe47ab9515cde124ec73231205b11d0536a66fccc9379dd84a33bb589cc78f867ef423ff30067363fdee7d605ca |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libBasic.dll
| MD5 | 4dc44d5151384fa688d01dff77e7bf97 |
| SHA1 | e538146be27b44ad54fd857a17c518ea7096a22e |
| SHA256 | f490db01d8a604117856ff993726456b6d3aa087b017c8cbc5ed1b917cd4df57 |
| SHA512 | 56933d16050765e0262bd38bc96ee9a71de4ac28c6748ad908c08955fc5463feed5966481176354570404923cfc3fc699a3d93e0470807a26613ba3ac6ad5f32 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Module.View.dll
| MD5 | 74bc438e41c723c1389ee2484e0359c7 |
| SHA1 | 927bb7bcb50965a896757a28744887eade204337 |
| SHA256 | 6b1002b04d0334d6afcf28147918df5f284c016da605bdc36f4f2c5806950316 |
| SHA512 | 55d03871b1fc7afa9d35df978ed968be603b10754b43f3e4aa8cf89b989549e7114f183cad10b242e3ab27f85f10b8cd91207364f170c02cc8e94d24c6e6caab |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libdrive.dll
| MD5 | 1406431ed0927c24bc87045547cb7892 |
| SHA1 | 68e0710011ea9948a7a72f5bbac3a2732953f4a2 |
| SHA256 | 2a2b4cd5722f251c56ae5b7ac7671bb423b229ee30089e8723bd942aed0bf36e |
| SHA512 | 3bb4eeaf6b1181a68d9ba2351ca3212fe99d49af8d99ab7dd3e1dcf0bcfac6caa9de1828644127cea694cd66cf862eb339c705fe56a378ea625f88775961f5f8 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Unrar.dll
| MD5 | 2f1c4f707f985ebf08d469e2bccef1b9 |
| SHA1 | b5a4abbceef05dae8ac53772f7f2237a7b0e2e7a |
| SHA256 | 0982b342033c4715024d6baf4c9b8ec11354e68913684e9ddd1b9730dbf3693d |
| SHA512 | 6cba2ef7f30a311faf87dab40c81824369bacc423a20351b03b23b9a6300606bb6b9758ce9de98f492dccacb3053d6948f60cc73f762e6cf9be479e8c8411d15 |
memory/2464-155-0x0000000073680000-0x00000000736FB000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\ImageUtility.dll
| MD5 | b3dd45104ad801bc9186c2bf5c44beaf |
| SHA1 | 6849399a9910412f4726779188dd855e17b786d3 |
| SHA256 | 1e1526e44f06f2d3f2518e4f81f3ae08eceb48a8c5fb361f9eb4489798bd62a0 |
| SHA512 | a0a1e645ef27317e692ea99124dcfd426907ced0918c0e6576f5a90594fd0df2ec338805981a972e533ea20c4d893e3a8420ddc9665a18298580f5e5e21029b9 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\containers\temp.wav
| MD5 | b2bee4ca7c5919a4dcd783301aab69f1 |
| SHA1 | e408168d5a3f7da81a3b3a235a0d9f25976a7fe3 |
| SHA256 | ae6688f5cbd92c00035cc9858743c11326a3024c5b733d3795fa052e15f1474b |
| SHA512 | ca4589482a2a5cd64525e7ab30dc6e21a7448d176f311e9f9874bdd3054e101c51d210e96d7caeedf07848823a1bb1acea9eb3a787901d3281c2f38e59e5f493 |
memory/2464-156-0x0000000006510000-0x0000000006669000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Error.raw
| MD5 | 1cc5ef6614632b8d91bebf248c891c25 |
| SHA1 | 1b60f75ebe6d03d3d589a15758ab5aa7f430c1b0 |
| SHA256 | 05d59eb6a94e12226dc71d0b3700a69318066841485bcdc92879967db7d7d2f8 |
| SHA512 | d4a333413ad69813b5fbe3fa3270e9156cea5a01f84c98b2cad8546ceb19631281ee643c67a7a11efdf1d24d1132e806365e3c83b0968099ff301eff59249752 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\curl-ca-bundle.crt
| MD5 | e48e896b4c1d16f92885e580fb2a3d08 |
| SHA1 | 42272157c20f4e00a1a3797dbf7db44fa0eeb478 |
| SHA256 | 313d562594ebd07846ad6b840dd18993f22e0f8b3f275d9aacfae118f4f00fb7 |
| SHA512 | d4e6573b3bbd6c5c63c5e77ffa79b05171f59c27c0ed458ebb00b42fef300dd17e42df2c91fa8da44cc37420785ce5a4bb083487ba66d3cac9d858b129fd3745 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\license_En.txt
| MD5 | 707cbbb07cc3d4a379391a04a0c8e477 |
| SHA1 | 35dec34bd8189cdc1640e38413fb312936148242 |
| SHA256 | edb62536c5c814b5c66977e8cd08316f4596f6c5acc11c195a697831ed7f42a2 |
| SHA512 | ead93bdf25f806cf8a9630e1728a1d87917bc071cbc27131546619fda45562684c658ca4d1b693d5b528c98915995d7b43af6909c39cfb23e7d9ad8414720dfe |
memory/2464-164-0x0000000006510000-0x0000000006669000-memory.dmp
memory/2464-166-0x0000000006510000-0x0000000006669000-memory.dmp
memory/2464-169-0x0000000062480000-0x00000000624A5000-memory.dmp
memory/2464-170-0x0000000062E80000-0x0000000062EA2000-memory.dmp
memory/2464-171-0x0000000070F40000-0x00000000712A4000-memory.dmp
memory/2464-174-0x0000000074580000-0x00000000747D8000-memory.dmp
memory/2464-173-0x00000000747E0000-0x0000000074864000-memory.dmp
memory/2464-172-0x00000000748D0000-0x00000000749F1000-memory.dmp
memory/2464-194-0x00000000077B0000-0x0000000007839000-memory.dmp
memory/2464-196-0x0000000006510000-0x0000000006669000-memory.dmp
memory/2464-199-0x0000000007510000-0x0000000007590000-memory.dmp
memory/2464-195-0x0000000006510000-0x0000000006669000-memory.dmp
memory/2464-193-0x0000000006510000-0x0000000006669000-memory.dmp
memory/2464-187-0x0000000006510000-0x0000000006669000-memory.dmp
memory/2464-200-0x0000000006510000-0x0000000006669000-memory.dmp
memory/2464-201-0x0000000007510000-0x0000000007590000-memory.dmp
memory/2464-204-0x0000000007510000-0x0000000007590000-memory.dmp
memory/2464-207-0x0000000007510000-0x0000000007590000-memory.dmp
memory/2464-206-0x0000000007510000-0x0000000007590000-memory.dmp
memory/2464-227-0x0000000007510000-0x0000000007590000-memory.dmp
memory/2464-228-0x0000000007510000-0x0000000007590000-memory.dmp
memory/2464-229-0x0000000007510000-0x0000000007590000-memory.dmp
memory/2464-231-0x0000000007510000-0x0000000007590000-memory.dmp
memory/2464-233-0x0000000007510000-0x0000000007590000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 6dc75349cc87f82b879054dd2fe7063d |
| SHA1 | ed7b090101f71648f6fb97980f8622b960cd8690 |
| SHA256 | 26a940cf51378dfd28a460450ed86b739a0a1b23ce98e129bd6f7ce0022eefbd |
| SHA512 | 56631a1c55ca0add838b66c3aa8f800b26277b81449b7e5b7a6c08ed41a1e77ccb63fc31a58ba58d539414e297732290229902a511c43268a99dedf6d685cc0e |
memory/2464-258-0x0000000073680000-0x00000000736FB000-memory.dmp
memory/4092-265-0x00000000033B0000-0x00000000033E6000-memory.dmp
memory/4092-266-0x0000000005B30000-0x0000000006158000-memory.dmp
memory/4092-268-0x0000000005AF0000-0x0000000005B12000-memory.dmp
memory/4092-269-0x00000000062D0000-0x0000000006336000-memory.dmp
memory/4092-270-0x0000000006340000-0x00000000063A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ak0isren.yw1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4092-280-0x00000000063B0000-0x0000000006704000-memory.dmp
memory/4092-287-0x00000000069A0000-0x00000000069BE000-memory.dmp
memory/4092-288-0x00000000069D0000-0x0000000006A1C000-memory.dmp
memory/4092-289-0x0000000006F70000-0x0000000006FA2000-memory.dmp
memory/4092-290-0x000000006E000000-0x000000006E04C000-memory.dmp
memory/4092-300-0x0000000006FB0000-0x0000000006FCE000-memory.dmp
memory/4092-301-0x0000000007C30000-0x0000000007CD3000-memory.dmp
memory/4092-302-0x0000000008360000-0x00000000089DA000-memory.dmp
memory/4092-303-0x0000000007C00000-0x0000000007C1A000-memory.dmp
memory/4092-304-0x0000000007D40000-0x0000000007D4A000-memory.dmp
memory/4092-305-0x0000000007F30000-0x0000000007FC6000-memory.dmp
memory/4092-306-0x0000000007EC0000-0x0000000007ED1000-memory.dmp
memory/4092-307-0x0000000007EF0000-0x0000000007EFE000-memory.dmp
memory/4092-308-0x0000000007F00000-0x0000000007F14000-memory.dmp
memory/4092-309-0x0000000007FF0000-0x000000000800A000-memory.dmp
memory/4092-310-0x0000000007FE0000-0x0000000007FE8000-memory.dmp