Analysis Overview
SHA256
d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6
Threat Level: Known bad
The file NetworkIsooProSetup.msi was found to be: Known bad.
Malicious Activity Summary
Remcos
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Adds Run key to start application
Blocklisted process makes network request
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 19:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 19:23
Reported
2024-08-15 19:27
Platform
win10-20240404-en
Max time kernel
209s
Max time network
212s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Active RPC Converter Suite = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Network MPluginManager\\Coolmuster PDF Image Extractor.exe" | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Installer\e57a7db.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57a7d9.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57a7d9.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{4A194FDC-5FC7-428C-83CA-BC4A750D530B} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA911.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Loads dropped DLL
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NetworkIsooProSetup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
"C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:49932 | N/A | tcp |
| DE | 45.133.74.183:2404 | N/A | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 183.74.133.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | tcp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
Files
\??\Volume{38fc2686-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9f00521b-8ccd-498b-af26-4f055d128a7a}_OnDiskSnapshotProp
| MD5 | 270bd87fac16a416d38f76be96e54455 |
| SHA1 | 28b23645e416fea9c5129233f0acc315becff365 |
| SHA256 | 8cf479b2d7e5973b918e5fdc0eaca8f29dee346de48c38d6e069b4787270ad02 |
| SHA512 | 667227ef005468bebe1ee6606271dd8a039030b346bdc1a81a1e49e3a44d63cfe26a430edc2149136a2cbd26562d6db3164b3f92bbcabd7d63db916a87eb6a66 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 5c1cf3956a6953883e2eb09d496a9b7e |
| SHA1 | 68c03edcdc2145c8bd3e649bb4f1324167dd1593 |
| SHA256 | f0c9887d13cd8896729c24bf73964001a6a330d2b7a8113900c4fec45675fdb2 |
| SHA512 | b69abadba44bf479343636d0639686af2b3c43db7bf511a71ef3ada140716880a92f3505e27797290aa069354d5dc41f647d25c2df24629b2ad67d68c98d1b5a |
C:\Config.Msi\e57a7da.rbs
| MD5 | aac994db92dbed5165fab5cec26b6b53 |
| SHA1 | 6cadb92fbd6f257c34aea36589badcf5b11fe304 |
| SHA256 | 6f994bbbe1b949b91f6a1c65ca8cc98ff57f59a8892c766c056b0fe6568760ea |
| SHA512 | c3f73a1272b6d62afb368fb7c26a69a1c55efc09aea9e7279e859c73ac4be0fd483cd79f8ac2262b7fd12ada4cb153745a46f2643311bb7c60f7b9353b28f22a |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe
| MD5 | e11235cb041e3ae98cb17d746b45cb66 |
| SHA1 | fcaa4feab36f28bd38e71ee762cc499f731d3d47 |
| SHA256 | c7030fb23fd25fc99c39457618a3afd2b27b381d7b833d4662995493d85deaf4 |
| SHA512 | 08da0141966050864a404c413f51fada820489872da15ddff1ef8273211deab106bf912105076f24e801b88276db772cb8f8f15201b83ef35e069d0a4de63db4 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\pthreadGC2.dll
| MD5 | 72c1ff7f3c7474850b11fc962ee1620c |
| SHA1 | b94f73a1ce848d18b38274c96e863df0636f48a7 |
| SHA256 | 3b159da9dad9afd4bd28b5b1a53dc502a2487068055ed8c30136a76cd6924890 |
| SHA512 | 1ed4b3c34dd0033ec2aa05bdacaa45041d9cd5880fdb5530ca033308ab349c09d4811bb276bbdf51a3040b7a337f9a5d33796924550962a56058203799c5bd53 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libI18n.dll
| MD5 | 602aeec43305021dcea0103bfd6167ae |
| SHA1 | 1eef22e0c1a076cf88fbe875974d0dd4d40e4d19 |
| SHA256 | 33e177db21f3f21b7d8cbe0d87e92042f3e45f892491046a26fba1e989e2c38e |
| SHA512 | 921e2b8be67b8180f0c77fb186d03c02ed3f5c3aa492618a399de3f72113161d131d081d0a34dd9ae8dc1b1218601154bf4281e5511679683389f151399a6165 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\VCRUNTIME140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\libssl-1_1.dll
| MD5 | 55694c901f906b6234a0b89a27f0f508 |
| SHA1 | 5ba83e0bac11f952c05b85ef731b8aa3c2b1cc2f |
| SHA256 | a384deb5f6c8517852b0fa4832a373c37881855faf1ffce5b7b49ea866371393 |
| SHA512 | bf37592206fcebb6a2bdec9b57377456b0dfd56678c51c3d6f81f06f103546966a3f569390522a48917bd461dfa3404d3cce870d0db9e98a89c98d4c9653a276 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libcrypto-1_1.dll
| MD5 | f2aa84d12fcc64349f96df7ef5f6d063 |
| SHA1 | eddf2f6d54cb86b4251be168080f5e4acd4acc0a |
| SHA256 | 1a4ef4224d094e512cf7a21eb7ade8a36c0028aebbdf292f34ea6fe752793cd0 |
| SHA512 | e6ace721d6d570db247774d0d78e1f8226a1977a7e1f3ce892e58dca6556ea7324c42507de9d3ba8e7e55ca22d7329f2f91e93b4c735fd0c63fb80b319ab26e8 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libdrive.dll
| MD5 | 1406431ed0927c24bc87045547cb7892 |
| SHA1 | 68e0710011ea9948a7a72f5bbac3a2732953f4a2 |
| SHA256 | 2a2b4cd5722f251c56ae5b7ac7671bb423b229ee30089e8723bd942aed0bf36e |
| SHA512 | 3bb4eeaf6b1181a68d9ba2351ca3212fe99d49af8d99ab7dd3e1dcf0bcfac6caa9de1828644127cea694cd66cf862eb339c705fe56a378ea625f88775961f5f8 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libcurl.dll
| MD5 | 5e4d6ce410e2c156c293162cef078fca |
| SHA1 | 19e8f2046683a71cdaf907120ce4c95f5339faf3 |
| SHA256 | 6e158f098213773ee2ab91c1f02ab39fbe2896947c9dfcf762aee10662a8bcd8 |
| SHA512 | 076824cc390a7ede124f6acbbf407ed7caed0cf15e5b827f0b622fc93b851eaaa3f8a1d6f2f701ccb2078b7b8a28d2383de7b71de6f560b628049394dfc29ea9 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libexpat.dll
| MD5 | 8b650e64ca112a000f95eb16d698e151 |
| SHA1 | 7b6533950068eeb9aa96ebab55e524c48732b70c |
| SHA256 | cd4f37c1c978f6c7b38ae44b25f0c1dbe40f1b6cf626a08947d5808d7e34a086 |
| SHA512 | e3d9c1c0e21631697fa7bca5a76467647863430283d855a860a16f87ee9273a1bc37b9a6e5fa16e1a9ed47058738603ba12dc7276278799d1b657aa504597701 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\zlib1.dll
| MD5 | 13cd5ab2da5a98f5f76aa6f987187461 |
| SHA1 | dd2d54668258b989cc500c132d9a686babe67fa5 |
| SHA256 | 3310ca85f0cb26e07bb3d8e1168c49e572a7c50762fa8140768663a5df9823e9 |
| SHA512 | c1c0c11b9804e6d25c8b1c74a09bfd3133255fe47ab9515cde124ec73231205b11d0536a66fccc9379dd84a33bb589cc78f867ef423ff30067363fdee7d605ca |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libglog.dll
| MD5 | dcda1583d25968da25b1d1bf91169680 |
| SHA1 | 10681c51922cfd06a088c6a6c75cd186f9c8d9d1 |
| SHA256 | 84a73bc173a30b2d174a66637bd075bd2c01e48e4fd97ed032dcafb2c8c0dea3 |
| SHA512 | 3df130f1a7a82f8401f7e7ec9d56b65f453ecd4cc525fe4aa196e090356951fc00fdcf9a99e776b2cde2b3ca9276af7db270bb2db4ff1b6cf3f63b648f7dca76 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libxml2-2.dll
| MD5 | 72b58be0b56aa0f7bbfdfddd2554b06f |
| SHA1 | c4519063ee6cbbb8feb6c846949b1c5c81da26ba |
| SHA256 | f52724ae696b5c9e2586fd41047e6ac56541efdfc157a33ba20ad5826234bf53 |
| SHA512 | 640b747ebe5efa39ec05558a75b418bf1c60de9f503698b2e8a68afb5bfb2dc890943d13bfa3cd6366c7f9d7e293c9aa9b783c00e313aa27f6e15065937628c1 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\Module.Helper.dll
| MD5 | 500296c19761254e94039c5e947fd4c1 |
| SHA1 | 75bd8b2f53c7af89eacd8f82561345de7f903fea |
| SHA256 | ccaf204af80f66a2254cfc8d37b4665fd158ca51ac60febef89af3683f2a65f5 |
| SHA512 | 341a227809f788f5905d90297743130d616f98bf93e50b53e27953a0227b20929146af50bb3afaed227356c1f55cac381f9cf8c15f35849dbc4a9ad01f11753e |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libUpdate.dll
| MD5 | 8254b2b4065959e64aca2c91c2fccea7 |
| SHA1 | 483591ed9e282c6c6726d0da557fa783ed9a798c |
| SHA256 | be195001a8b43dda8f6193623133e51d378e08094e5ab8f29174a35299eb4e57 |
| SHA512 | 4c1777d500cc7198e155142a9322e26a4dc7b392e21948f94a2aaf64beb1b02d3643b7aaef3f6af1bb33d324cd571fd06c3fbc672abb577cad3fd0f10fbee529 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\Module.View.dll
| MD5 | 74bc438e41c723c1389ee2484e0359c7 |
| SHA1 | 927bb7bcb50965a896757a28744887eade204337 |
| SHA256 | 6b1002b04d0334d6afcf28147918df5f284c016da605bdc36f4f2c5806950316 |
| SHA512 | 55d03871b1fc7afa9d35df978ed968be603b10754b43f3e4aa8cf89b989549e7114f183cad10b242e3ab27f85f10b8cd91207364f170c02cc8e94d24c6e6caab |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\groceryc.dll
| MD5 | 5bde978a0febd4a59de0e6b835180389 |
| SHA1 | 1c522ff3fa433a2302bfa6538c4460ce04833ee6 |
| SHA256 | 74c9d82bebeaaecb50001ff0b1ee6ea129fc9de3c6a673d29d3e12615b75b3c0 |
| SHA512 | aa598c8c1a0f701c22fe38f53693e5f6c4ff855f66fd568ddfcb5f46cef058773038f947236d21442575c63e77987127f7fdb1fe2b7223109c25fd0411220318 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libRG.dll
| MD5 | 90c5a4208aa1ac6dafb6189159cd7e10 |
| SHA1 | 7df05caa1dbbfa7d8f65abeaa2d5b3a49ac66032 |
| SHA256 | 17927ae7a1e834dd150c5c26e21f68dfa6404a813dfe1a1c33d0dad446ba3489 |
| SHA512 | e0fba99ac770a15338a6f06c94f99ce948cc9406444799bba7eed2514f122f0062dc330c2e67bd41f0235d526fca232974c9d19b40c9c1c5e0ed01e82494bdbe |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\libBasic.dll
| MD5 | 4dc44d5151384fa688d01dff77e7bf97 |
| SHA1 | e538146be27b44ad54fd857a17c518ea7096a22e |
| SHA256 | f490db01d8a604117856ff993726456b6d3aa087b017c8cbc5ed1b917cd4df57 |
| SHA512 | 56933d16050765e0262bd38bc96ee9a71de4ac28c6748ad908c08955fc5463feed5966481176354570404923cfc3fc699a3d93e0470807a26613ba3ac6ad5f32 |
C:\Windows\Installer\e57a7d9.msi
| MD5 | 4fff2618d8f4f571bd0fed70db95a6a2 |
| SHA1 | 0c2dc8df585ef1fb3d963820d4b9a5c5a41ad0f6 |
| SHA256 | d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6 |
| SHA512 | b05a8627f52943f5b1beacfdbc45c49c9cc70c9a12e8a165b8587d6a7bab18edf1bb7d90231c404a4be7c0c7b73856056a5d11d642eefd83a8d2cf236636dfc8 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\ImageUtility.dll
| MD5 | b3dd45104ad801bc9186c2bf5c44beaf |
| SHA1 | 6849399a9910412f4726779188dd855e17b786d3 |
| SHA256 | 1e1526e44f06f2d3f2518e4f81f3ae08eceb48a8c5fb361f9eb4489798bd62a0 |
| SHA512 | a0a1e645ef27317e692ea99124dcfd426907ced0918c0e6576f5a90594fd0df2ec338805981a972e533ea20c4d893e3a8420ddc9665a18298580f5e5e21029b9 |
memory/4416-159-0x0000000073180000-0x00000000731FB000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\containers\temp.wav
| MD5 | b2bee4ca7c5919a4dcd783301aab69f1 |
| SHA1 | e408168d5a3f7da81a3b3a235a0d9f25976a7fe3 |
| SHA256 | ae6688f5cbd92c00035cc9858743c11326a3024c5b733d3795fa052e15f1474b |
| SHA512 | ca4589482a2a5cd64525e7ab30dc6e21a7448d176f311e9f9874bdd3054e101c51d210e96d7caeedf07848823a1bb1acea9eb3a787901d3281c2f38e59e5f493 |
\Users\Admin\AppData\Local\Programs\Network MPluginManager\Unrar.dll
| MD5 | 2f1c4f707f985ebf08d469e2bccef1b9 |
| SHA1 | b5a4abbceef05dae8ac53772f7f2237a7b0e2e7a |
| SHA256 | 0982b342033c4715024d6baf4c9b8ec11354e68913684e9ddd1b9730dbf3693d |
| SHA512 | 6cba2ef7f30a311faf87dab40c81824369bacc423a20351b03b23b9a6300606bb6b9758ce9de98f492dccacb3053d6948f60cc73f762e6cf9be479e8c8411d15 |
memory/4416-160-0x0000000005B20000-0x0000000005C79000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\license_En.txt
| MD5 | 707cbbb07cc3d4a379391a04a0c8e477 |
| SHA1 | 35dec34bd8189cdc1640e38413fb312936148242 |
| SHA256 | edb62536c5c814b5c66977e8cd08316f4596f6c5acc11c195a697831ed7f42a2 |
| SHA512 | ead93bdf25f806cf8a9630e1728a1d87917bc071cbc27131546619fda45562684c658ca4d1b693d5b528c98915995d7b43af6909c39cfb23e7d9ad8414720dfe |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\Error.raw
| MD5 | 1cc5ef6614632b8d91bebf248c891c25 |
| SHA1 | 1b60f75ebe6d03d3d589a15758ab5aa7f430c1b0 |
| SHA256 | 05d59eb6a94e12226dc71d0b3700a69318066841485bcdc92879967db7d7d2f8 |
| SHA512 | d4a333413ad69813b5fbe3fa3270e9156cea5a01f84c98b2cad8546ceb19631281ee643c67a7a11efdf1d24d1132e806365e3c83b0968099ff301eff59249752 |
C:\Users\Admin\AppData\Local\Programs\Network MPluginManager\curl-ca-bundle.crt
| MD5 | e48e896b4c1d16f92885e580fb2a3d08 |
| SHA1 | 42272157c20f4e00a1a3797dbf7db44fa0eeb478 |
| SHA256 | 313d562594ebd07846ad6b840dd18993f22e0f8b3f275d9aacfae118f4f00fb7 |
| SHA512 | d4e6573b3bbd6c5c63c5e77ffa79b05171f59c27c0ed458ebb00b42fef300dd17e42df2c91fa8da44cc37420785ce5a4bb083487ba66d3cac9d858b129fd3745 |
memory/4416-170-0x0000000005B20000-0x0000000005C79000-memory.dmp
memory/4416-168-0x0000000005B20000-0x0000000005C79000-memory.dmp
memory/4416-173-0x0000000062480000-0x00000000624A5000-memory.dmp
memory/4416-176-0x0000000073DB0000-0x0000000073ED1000-memory.dmp
memory/4416-178-0x0000000073AC0000-0x0000000073D18000-memory.dmp
memory/4416-177-0x0000000073D20000-0x0000000073DA4000-memory.dmp
memory/4416-174-0x0000000070F40000-0x00000000712A4000-memory.dmp
memory/4416-175-0x0000000062E80000-0x0000000062EA2000-memory.dmp
memory/4416-191-0x0000000005B20000-0x0000000005C79000-memory.dmp
memory/4416-198-0x0000000007060000-0x00000000070E8000-memory.dmp
memory/4416-200-0x0000000005B20000-0x0000000005C79000-memory.dmp
memory/4416-203-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/4416-204-0x0000000005B20000-0x0000000005C79000-memory.dmp
memory/4416-199-0x0000000005B20000-0x0000000005C79000-memory.dmp
memory/4416-197-0x0000000005B20000-0x0000000005C79000-memory.dmp
memory/4416-205-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/4416-207-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/4416-211-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/4416-210-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/4416-212-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/4416-213-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/4416-214-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/4416-216-0x0000000006DE0000-0x0000000006E60000-memory.dmp
memory/4416-237-0x0000000006DE0000-0x0000000006E60000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | bc9ff968b5157e317091fc7c5c0292a1 |
| SHA1 | 8f23c959457cf6ce6e953e081c9dbf9023382249 |
| SHA256 | 1cfb1ee4f986dfce5ad8da0c537824bd199250f0fb55e3149f236053534ffe20 |
| SHA512 | 3c39a3dab2a8c1b66bd6ca093f6022c234a619c98c412c093382803b3afe20d6a26415bce152d487767f933c4cc20d066243c455578e0d50c86bd49b64c8f284 |
memory/4416-262-0x0000000073180000-0x00000000731FB000-memory.dmp
memory/808-271-0x0000000002B90000-0x0000000002BC6000-memory.dmp
memory/808-272-0x0000000006FB0000-0x00000000075D8000-memory.dmp
memory/808-274-0x0000000006D90000-0x0000000006DB2000-memory.dmp
memory/808-275-0x0000000006E30000-0x0000000006E96000-memory.dmp
memory/808-276-0x00000000076E0000-0x0000000007746000-memory.dmp
memory/808-277-0x0000000007750000-0x0000000007AA0000-memory.dmp
memory/808-278-0x0000000007B20000-0x0000000007B3C000-memory.dmp
memory/808-279-0x0000000008050000-0x000000000809B000-memory.dmp
memory/808-280-0x0000000007DD0000-0x0000000007E46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mjttyh1.p0o.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/808-297-0x0000000008F40000-0x0000000008F73000-memory.dmp
memory/808-298-0x0000000070A90000-0x0000000070ADB000-memory.dmp
memory/808-299-0x0000000008F00000-0x0000000008F1E000-memory.dmp
memory/808-304-0x0000000009070000-0x0000000009115000-memory.dmp
memory/808-305-0x0000000009240000-0x00000000092D4000-memory.dmp
memory/808-504-0x00000000091D0000-0x00000000091EA000-memory.dmp
memory/808-509-0x00000000091C0000-0x00000000091C8000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 389ba364bc8ed45eab3c15d079831347 |
| SHA1 | 54adbaa86d95802997e6db97902867ed8be7825a |
| SHA256 | 8628b8228c8469069d5494aa0e63df42aaedc56b2921fa359ed15acc90651100 |
| SHA512 | 79f288edd8e032e91dfeb0893863b5bf81d172f582d04b230351ea566c81726fb362b1f0bbb5556318dc44ecb2da79a41d1dd513a191e239c44aad73d8f3d45f |