Malware Analysis Report

2025-01-02 03:10

Sample ID: 240815-x4bfrstepl
Target: NetworkIsooProSetup.msi
SHA256: d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6
Tags: remcos remotehost discovery execution persistence privilege_escalation rat
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6

Threat Level: Known bad

The file NetworkIsooProSetup.msi was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery execution persistence privilege_escalation rat

Remcos

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Adds Run key to start application

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-08-15 19:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 19:23
Reported: 2024-08-15 19:27
Platform: win10-20240404-en
Max time kernel: 209s
Max time network: 212s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NetworkIsooProSetup.msi

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Active RPC Converter Suite = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Network MPluginManager\\Coolmuster PDF Image Extractor.exe" | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Installer\e57a7db.msi | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\e57a7d9.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\e57a7d9.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\SourceHash{4A194FDC-5FC7-428C-83CA-BC4A750D530B} | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIA911.tmp | C:\Windows\system32\msiexec.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4320 wrote to memory of 1232 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\srtasks.exe
PID 4320 wrote to memory of 1232 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\srtasks.exe
PID 4320 wrote to memory of 4416 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
PID 4320 wrote to memory of 4416 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
PID 4320 wrote to memory of 4416 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
PID 4416 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | C:\Windows\SysWOW64\cmd.exe
PID 4200 wrote to memory of 808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4200 wrote to memory of 808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NetworkIsooProSetup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe

"C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:49932 | | tcp
DE | 45.133.74.183:2404 | | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 183.74.133.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp
US | 8.8.8.8:53 | | tcp
US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp

Files

\??\Volume{38fc2686-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9f00521b-8ccd-498b-af26-4f055d128a7a}_OnDiskSnapshotProp

MD5 270bd87fac16a416d38f76be96e54455
SHA1 28b23645e416fea9c5129233f0acc315becff365
SHA256 8cf479b2d7e5973b918e5fdc0eaca8f29dee346de48c38d6e069b4787270ad02
SHA512 667227ef005468bebe1ee6606271dd8a039030b346bdc1a81a1e49e3a44d63cfe26a430edc2149136a2cbd26562d6db3164b3f92bbcabd7d63db916a87eb6a66

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 5c1cf3956a6953883e2eb09d496a9b7e
SHA1 68c03edcdc2145c8bd3e649bb4f1324167dd1593
SHA256 f0c9887d13cd8896729c24bf73964001a6a330d2b7a8113900c4fec45675fdb2
SHA512 b69abadba44bf479343636d0639686af2b3c43db7bf511a71ef3ada140716880a92f3505e27797290aa069354d5dc41f647d25c2df24629b2ad67d68c98d1b5a

C:\Config.Msi\e57a7da.rbs

MD5 aac994db92dbed5165fab5cec26b6b53
SHA1 6cadb92fbd6f257c34aea36589badcf5b11fe304
SHA256 6f994bbbe1b949b91f6a1c65ca8cc98ff57f59a8892c766c056b0fe6568760ea
SHA512 c3f73a1272b6d62afb368fb7c26a69a1c55efc09aea9e7279e859c73ac4be0fd483cd79f8ac2262b7fd12ada4cb153745a46f2643311bb7c60f7b9353b28f22a

C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe

MD5 e11235cb041e3ae98cb17d746b45cb66
SHA1 fcaa4feab36f28bd38e71ee762cc499f731d3d47
SHA256 c7030fb23fd25fc99c39457618a3afd2b27b381d7b833d4662995493d85deaf4
SHA512 08da0141966050864a404c413f51fada820489872da15ddff1ef8273211deab106bf912105076f24e801b88276db772cb8f8f15201b83ef35e069d0a4de63db4

C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\pthreadGC2.dll

MD5 72c1ff7f3c7474850b11fc962ee1620c
SHA1 b94f73a1ce848d18b38274c96e863df0636f48a7
SHA256 3b159da9dad9afd4bd28b5b1a53dc502a2487068055ed8c30136a76cd6924890
SHA512 1ed4b3c34dd0033ec2aa05bdacaa45041d9cd5880fdb5530ca033308ab349c09d4811bb276bbdf51a3040b7a337f9a5d33796924550962a56058203799c5bd53

C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libI18n.dll

MD5 602aeec43305021dcea0103bfd6167ae
SHA1 1eef22e0c1a076cf88fbe875974d0dd4d40e4d19
SHA256 33e177db21f3f21b7d8cbe0d87e92042f3e45f892491046a26fba1e989e2c38e
SHA512 921e2b8be67b8180f0c77fb186d03c02ed3f5c3aa492618a399de3f72113161d131d081d0a34dd9ae8dc1b1218601154bf4281e5511679683389f151399a6165

C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\VCRUNTIME140.dll

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libssl-1_1.dll

MD5 55694c901f906b6234a0b89a27f0f508
SHA1 5ba83e0bac11f952c05b85ef731b8aa3c2b1cc2f
SHA256 a384deb5f6c8517852b0fa4832a373c37881855faf1ffce5b7b49ea866371393
SHA512 bf37592206fcebb6a2bdec9b57377456b0dfd56678c51c3d6f81f06f103546966a3f569390522a48917bd461dfa3404d3cce870d0db9e98a89c98d4c9653a276

\Users\Admin\AppData\Local\Programs\Network MPluginManager\libcrypto-1_1.dll

MD5 f2aa84d12fcc64349f96df7ef5f6d063
SHA1 eddf2f6d54cb86b4251be168080f5e4acd4acc0a
SHA256 1a4ef4224d094e512cf7a21eb7ade8a36c0028aebbdf292f34ea6fe752793cd0
SHA512 e6ace721d6d570db247774d0d78e1f8226a1977a7e1f3ce892e58dca6556ea7324c42507de9d3ba8e7e55ca22d7329f2f91e93b4c735fd0c63fb80b319ab26e8

\Users\Admin\AppData\Local\Programs\Network MPluginManager\libdrive.dll

MD5 1406431ed0927c24bc87045547cb7892
SHA1 68e0710011ea9948a7a72f5bbac3a2732953f4a2
SHA256 2a2b4cd5722f251c56ae5b7ac7671bb423b229ee30089e8723bd942aed0bf36e
SHA512 3bb4eeaf6b1181a68d9ba2351ca3212fe99d49af8d99ab7dd3e1dcf0bcfac6caa9de1828644127cea694cd66cf862eb339c705fe56a378ea625f88775961f5f8

\Users\Admin\AppData\Local\Programs\Network MPluginManager\libcurl.dll

MD5 5e4d6ce410e2c156c293162cef078fca
SHA1 19e8f2046683a71cdaf907120ce4c95f5339faf3
SHA256 6e158f098213773ee2ab91c1f02ab39fbe2896947c9dfcf762aee10662a8bcd8
SHA512 076824cc390a7ede124f6acbbf407ed7caed0cf15e5b827f0b622fc93b851eaaa3f8a1d6f2f701ccb2078b7b8a28d2383de7b71de6f560b628049394dfc29ea9

\Users\Admin\AppData\Local\Programs\Network MPluginManager\libexpat.dll

MD5 8b650e64ca112a000f95eb16d698e151
SHA1 7b6533950068eeb9aa96ebab55e524c48732b70c
SHA256 cd4f37c1c978f6c7b38ae44b25f0c1dbe40f1b6cf626a08947d5808d7e34a086
SHA512 e3d9c1c0e21631697fa7bca5a76467647863430283d855a860a16f87ee9273a1bc37b9a6e5fa16e1a9ed47058738603ba12dc7276278799d1b657aa504597701

\Users\Admin\AppData\Local\Programs\Network MPluginManager\zlib1.dll

MD5 13cd5ab2da5a98f5f76aa6f987187461
SHA1 dd2d54668258b989cc500c132d9a686babe67fa5
SHA256 3310ca85f0cb26e07bb3d8e1168c49e572a7c50762fa8140768663a5df9823e9
SHA512 c1c0c11b9804e6d25c8b1c74a09bfd3133255fe47ab9515cde124ec73231205b11d0536a66fccc9379dd84a33bb589cc78f867ef423ff30067363fdee7d605ca

\Users\Admin\AppData\Local\Programs\Network MPluginManager\libglog.dll

MD5 dcda1583d25968da25b1d1bf91169680
SHA1 10681c51922cfd06a088c6a6c75cd186f9c8d9d1
SHA256 84a73bc173a30b2d174a66637bd075bd2c01e48e4fd97ed032dcafb2c8c0dea3
SHA512 3df130f1a7a82f8401f7e7ec9d56b65f453ecd4cc525fe4aa196e090356951fc00fdcf9a99e776b2cde2b3ca9276af7db270bb2db4ff1b6cf3f63b648f7dca76

\Users\Admin\AppData\Local\Programs\Network MPluginManager\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

\Users\Admin\AppData\Local\Programs\Network MPluginManager\libxml2-2.dll

MD5 72b58be0b56aa0f7bbfdfddd2554b06f
SHA1 c4519063ee6cbbb8feb6c846949b1c5c81da26ba
SHA256 f52724ae696b5c9e2586fd41047e6ac56541efdfc157a33ba20ad5826234bf53
SHA512 640b747ebe5efa39ec05558a75b418bf1c60de9f503698b2e8a68afb5bfb2dc890943d13bfa3cd6366c7f9d7e293c9aa9b783c00e313aa27f6e15065937628c1

\Users\Admin\AppData\Local\Programs\Network MPluginManager\Module.Helper.dll

MD5 500296c19761254e94039c5e947fd4c1
SHA1 75bd8b2f53c7af89eacd8f82561345de7f903fea
SHA256 ccaf204af80f66a2254cfc8d37b4665fd158ca51ac60febef89af3683f2a65f5
SHA512 341a227809f788f5905d90297743130d616f98bf93e50b53e27953a0227b20929146af50bb3afaed227356c1f55cac381f9cf8c15f35849dbc4a9ad01f11753e

\Users\Admin\AppData\Local\Programs\Network MPluginManager\libUpdate.dll

MD5 8254b2b4065959e64aca2c91c2fccea7
SHA1 483591ed9e282c6c6726d0da557fa783ed9a798c
SHA256 be195001a8b43dda8f6193623133e51d378e08094e5ab8f29174a35299eb4e57
SHA512 4c1777d500cc7198e155142a9322e26a4dc7b392e21948f94a2aaf64beb1b02d3643b7aaef3f6af1bb33d324cd571fd06c3fbc672abb577cad3fd0f10fbee529

\Users\Admin\AppData\Local\Programs\Network MPluginManager\Module.View.dll

MD5 74bc438e41c723c1389ee2484e0359c7
SHA1 927bb7bcb50965a896757a28744887eade204337
SHA256 6b1002b04d0334d6afcf28147918df5f284c016da605bdc36f4f2c5806950316
SHA512 55d03871b1fc7afa9d35df978ed968be603b10754b43f3e4aa8cf89b989549e7114f183cad10b242e3ab27f85f10b8cd91207364f170c02cc8e94d24c6e6caab

\Users\Admin\AppData\Local\Programs\Network MPluginManager\groceryc.dll

MD5 5bde978a0febd4a59de0e6b835180389
SHA1 1c522ff3fa433a2302bfa6538c4460ce04833ee6
SHA256 74c9d82bebeaaecb50001ff0b1ee6ea129fc9de3c6a673d29d3e12615b75b3c0
SHA512 aa598c8c1a0f701c22fe38f53693e5f6c4ff855f66fd568ddfcb5f46cef058773038f947236d21442575c63e77987127f7fdb1fe2b7223109c25fd0411220318

\Users\Admin\AppData\Local\Programs\Network MPluginManager\libRG.dll

MD5 90c5a4208aa1ac6dafb6189159cd7e10
SHA1 7df05caa1dbbfa7d8f65abeaa2d5b3a49ac66032
SHA256 17927ae7a1e834dd150c5c26e21f68dfa6404a813dfe1a1c33d0dad446ba3489
SHA512 e0fba99ac770a15338a6f06c94f99ce948cc9406444799bba7eed2514f122f0062dc330c2e67bd41f0235d526fca232974c9d19b40c9c1c5e0ed01e82494bdbe

\Users\Admin\AppData\Local\Programs\Network MPluginManager\libBasic.dll

MD5 4dc44d5151384fa688d01dff77e7bf97
SHA1 e538146be27b44ad54fd857a17c518ea7096a22e
SHA256 f490db01d8a604117856ff993726456b6d3aa087b017c8cbc5ed1b917cd4df57
SHA512 56933d16050765e0262bd38bc96ee9a71de4ac28c6748ad908c08955fc5463feed5966481176354570404923cfc3fc699a3d93e0470807a26613ba3ac6ad5f32

C:\Windows\Installer\e57a7d9.msi

MD5 4fff2618d8f4f571bd0fed70db95a6a2
SHA1 0c2dc8df585ef1fb3d963820d4b9a5c5a41ad0f6
SHA256 d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6
SHA512 b05a8627f52943f5b1beacfdbc45c49c9cc70c9a12e8a165b8587d6a7bab18edf1bb7d90231c404a4be7c0c7b73856056a5d11d642eefd83a8d2cf236636dfc8

\Users\Admin\AppData\Local\Programs\Network MPluginManager\ImageUtility.dll

MD5 b3dd45104ad801bc9186c2bf5c44beaf
SHA1 6849399a9910412f4726779188dd855e17b786d3
SHA256 1e1526e44f06f2d3f2518e4f81f3ae08eceb48a8c5fb361f9eb4489798bd62a0
SHA512 a0a1e645ef27317e692ea99124dcfd426907ced0918c0e6576f5a90594fd0df2ec338805981a972e533ea20c4d893e3a8420ddc9665a18298580f5e5e21029b9

memory/4416-159-0x0000000073180000-0x00000000731FB000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\containers\temp.wav

MD5 b2bee4ca7c5919a4dcd783301aab69f1
SHA1 e408168d5a3f7da81a3b3a235a0d9f25976a7fe3
SHA256 ae6688f5cbd92c00035cc9858743c11326a3024c5b733d3795fa052e15f1474b
SHA512 ca4589482a2a5cd64525e7ab30dc6e21a7448d176f311e9f9874bdd3054e101c51d210e96d7caeedf07848823a1bb1acea9eb3a787901d3281c2f38e59e5f493

\Users\Admin\AppData\Local\Programs\Network MPluginManager\Unrar.dll

MD5 2f1c4f707f985ebf08d469e2bccef1b9
SHA1 b5a4abbceef05dae8ac53772f7f2237a7b0e2e7a
SHA256 0982b342033c4715024d6baf4c9b8ec11354e68913684e9ddd1b9730dbf3693d
SHA512 6cba2ef7f30a311faf87dab40c81824369bacc423a20351b03b23b9a6300606bb6b9758ce9de98f492dccacb3053d6948f60cc73f762e6cf9be479e8c8411d15

memory/4416-160-0x0000000005B20000-0x0000000005C79000-memory.dmp

C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\license_En.txt

MD5 707cbbb07cc3d4a379391a04a0c8e477
SHA1 35dec34bd8189cdc1640e38413fb312936148242
SHA256 edb62536c5c814b5c66977e8cd08316f4596f6c5acc11c195a697831ed7f42a2
SHA512 ead93bdf25f806cf8a9630e1728a1d87917bc071cbc27131546619fda45562684c658ca4d1b693d5b528c98915995d7b43af6909c39cfb23e7d9ad8414720dfe

C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Error.raw

MD5 1cc5ef6614632b8d91bebf248c891c25
SHA1 1b60f75ebe6d03d3d589a15758ab5aa7f430c1b0
SHA256 05d59eb6a94e12226dc71d0b3700a69318066841485bcdc92879967db7d7d2f8
SHA512 d4a333413ad69813b5fbe3fa3270e9156cea5a01f84c98b2cad8546ceb19631281ee643c67a7a11efdf1d24d1132e806365e3c83b0968099ff301eff59249752

C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\curl-ca-bundle.crt

MD5 e48e896b4c1d16f92885e580fb2a3d08
SHA1 42272157c20f4e00a1a3797dbf7db44fa0eeb478
SHA256 313d562594ebd07846ad6b840dd18993f22e0f8b3f275d9aacfae118f4f00fb7
SHA512 d4e6573b3bbd6c5c63c5e77ffa79b05171f59c27c0ed458ebb00b42fef300dd17e42df2c91fa8da44cc37420785ce5a4bb083487ba66d3cac9d858b129fd3745

memory/4416-170-0x0000000005B20000-0x0000000005C79000-memory.dmp

memory/4416-168-0x0000000005B20000-0x0000000005C79000-memory.dmp

memory/4416-173-0x0000000062480000-0x00000000624A5000-memory.dmp

memory/4416-176-0x0000000073DB0000-0x0000000073ED1000-memory.dmp

memory/4416-178-0x0000000073AC0000-0x0000000073D18000-memory.dmp

memory/4416-177-0x0000000073D20000-0x0000000073DA4000-memory.dmp

memory/4416-174-0x0000000070F40000-0x00000000712A4000-memory.dmp

memory/4416-175-0x0000000062E80000-0x0000000062EA2000-memory.dmp

memory/4416-191-0x0000000005B20000-0x0000000005C79000-memory.dmp

memory/4416-198-0x0000000007060000-0x00000000070E8000-memory.dmp

memory/4416-200-0x0000000005B20000-0x0000000005C79000-memory.dmp

memory/4416-203-0x0000000006DE0000-0x0000000006E60000-memory.dmp

memory/4416-204-0x0000000005B20000-0x0000000005C79000-memory.dmp

memory/4416-199-0x0000000005B20000-0x0000000005C79000-memory.dmp

memory/4416-197-0x0000000005B20000-0x0000000005C79000-memory.dmp

memory/4416-205-0x0000000006DE0000-0x0000000006E60000-memory.dmp

memory/4416-207-0x0000000006DE0000-0x0000000006E60000-memory.dmp

memory/4416-211-0x0000000006DE0000-0x0000000006E60000-memory.dmp

memory/4416-210-0x0000000006DE0000-0x0000000006E60000-memory.dmp

memory/4416-212-0x0000000006DE0000-0x0000000006E60000-memory.dmp

memory/4416-213-0x0000000006DE0000-0x0000000006E60000-memory.dmp

memory/4416-214-0x0000000006DE0000-0x0000000006E60000-memory.dmp

memory/4416-216-0x0000000006DE0000-0x0000000006E60000-memory.dmp

memory/4416-237-0x0000000006DE0000-0x0000000006E60000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 bc9ff968b5157e317091fc7c5c0292a1
SHA1 8f23c959457cf6ce6e953e081c9dbf9023382249
SHA256 1cfb1ee4f986dfce5ad8da0c537824bd199250f0fb55e3149f236053534ffe20
SHA512 3c39a3dab2a8c1b66bd6ca093f6022c234a619c98c412c093382803b3afe20d6a26415bce152d487767f933c4cc20d066243c455578e0d50c86bd49b64c8f284

memory/4416-262-0x0000000073180000-0x00000000731FB000-memory.dmp

memory/808-271-0x0000000002B90000-0x0000000002BC6000-memory.dmp

memory/808-272-0x0000000006FB0000-0x00000000075D8000-memory.dmp

memory/808-274-0x0000000006D90000-0x0000000006DB2000-memory.dmp

memory/808-275-0x0000000006E30000-0x0000000006E96000-memory.dmp

memory/808-276-0x00000000076E0000-0x0000000007746000-memory.dmp

memory/808-277-0x0000000007750000-0x0000000007AA0000-memory.dmp

memory/808-278-0x0000000007B20000-0x0000000007B3C000-memory.dmp

memory/808-279-0x0000000008050000-0x000000000809B000-memory.dmp

memory/808-280-0x0000000007DD0000-0x0000000007E46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mjttyh1.p0o.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/808-297-0x0000000008F40000-0x0000000008F73000-memory.dmp

memory/808-298-0x0000000070A90000-0x0000000070ADB000-memory.dmp

memory/808-299-0x0000000008F00000-0x0000000008F1E000-memory.dmp

memory/808-304-0x0000000009070000-0x0000000009115000-memory.dmp

memory/808-305-0x0000000009240000-0x00000000092D4000-memory.dmp

memory/808-504-0x00000000091D0000-0x00000000091EA000-memory.dmp

memory/808-509-0x00000000091C0000-0x00000000091C8000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 389ba364bc8ed45eab3c15d079831347
SHA1 54adbaa86d95802997e6db97902867ed8be7825a
SHA256 8628b8228c8469069d5494aa0e63df42aaedc56b2921fa359ed15acc90651100
SHA512 79f288edd8e032e91dfeb0893863b5bf81d172f582d04b230351ea566c81726fb362b1f0bbb5556318dc44ecb2da79a41d1dd513a191e239c44aad73d8f3d45f