Windows Analysis Report
d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.zip

Overview

General Information

Sample name:	d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.zip
Analysis ID:	1532102
MD5:	2e68d1dbedf3e80f938a305ada936c8d
SHA1:	81cac25a0e566d7741961dd0f9c93bdd16c81e88
SHA256:	8e36968274e6eff65a02d776953af1147ad72b682bb340457d119a5512365605
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Yara detected Remcos RAT

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found API chain indicative of debugger detection

Loading BitLocker PowerShell Module

PE file has a writeable .text section

Sigma detected: Suspicious PowerShell Parameter Substring

Uses whoami command line tool to query computer and username

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Found malware configuration

Source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack

Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "45.133.74.183:2404", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc-1QFIL0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: 45.133.74.183

Virustotal: Detection: 8%

Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1748957291.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1750127063.0000000003418000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1742404659.00000000051C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1749417346.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1753919014.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1764870232.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1750585922.0000000005778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1751129561.000000000532A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Coolmuster PDF Image Extractor.exe PID: 4680, type: MEMORYSTR

Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1745283637.00000000033A1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_6c98e2b3-3

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\license_En.txt

Source:	Binary string: E:\Project\Software\Common\tags\102.libBasic-2.6\msw\2017\libBasic\Win32\Release\lib\libBasic.pdbBB%GCTL source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799114042.0000000073D7C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Release\Module.View.pdb>>#GCTL source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791496099.000000006CB77000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: E:\Project\Software\Common\tags\103.libUpdate-1.6\msw\2017\Release\libUpdate.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791049275.000000006CB3C000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: E:\software\Lib\common\glog-20161230\src\build\vsprojects\libglog\Release\libglog.pdb"" source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792741802.000000006CC0D000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: E:\Project\Software\Common\tags\104.libI18n-1.3\msw\2017\I18n\Release\libI18n.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1800329373.0000000074AC6000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Release\Module.View.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791496099.000000006CB77000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: E:\software\Lib\common\glog-20161230\src\build\vsprojects\libglog\Release\libglog.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792741802.000000006CC0D000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: ucrtbase.pdb source: ucrtbase.dll.14.dr
Source:	Binary string: E:\Project\Software\Common\tags\17.register-1.1\msw-2017\Release\libRG.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799526500.0000000073DEB000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: E:\Project\Software\Common\tags\102.libBasic-2.6\msw\2017\libBasic\Win32\Release\lib\libBasic.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799114042.0000000073D7C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1799804567.00000000747F1000.00000020.00000001.01000000.0000000D.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1798016768.0000000073CE1000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\PDR14_AutoBuild\LayerTemplate_9\Generic\Trunk\bin\Win32\Release\ImageUtility.pdb2 source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Win32\Release\Bin\FileProcessManager.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000000.1709763138.0000000000214000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\Project\Software\Common\tags\103.libUpdate-1.6\msw\2017\Release\libUpdate.pdb$$ source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1791049275.000000006CB3C000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: vccorlib140.dll.14.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: vccorlib140.dll.14.dr
Source:	Binary string: D:\DGProject\bin\Win32\Release\GuardEassosRestoreBoot.pdb source: GuardEassosRestoreBoot,1.exe.14.dr
Source:	Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Release\Module.Helper.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1788395528.000000006C9BC000.00000002.00000001.01000000.00000016.sdmp, Module.Helper.dll.14.dr
Source:	Binary string: C:\PDR14_AutoBuild\LayerTemplate_9\Generic\Trunk\bin\Win32\Release\ImageUtility.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1773080344.000000006BC5F000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: E:\Project\Software\Common\tags\104.libI18n-1.3\msw\2017\I18n\Release\libI18n.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1800329373.0000000074AC6000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\software\110.pdfimage-extractor-gui-2.2\projects\gui\Win32\Release\Bin\FileProcessManager.pdbJJ2 source: Coolmuster PDF Image Extractor.exe, 0000000F.00000000.1709763138.0000000000214000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\Project\Software\Common\tags\85.groceryc-1.1\msw\2017\temp\link\groceryc\Release\groceryc.pdb source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792221350.000000006CBD6000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-xstate-l2-1-0.pdb source: API-MS-Win-core-xstate-l2-1-0.dll.14.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.14.dr
Source:	Binary string: E:\Project\Software\Common\tags\85.groceryc-1.1\msw\2017\temp\link\groceryc\Release\groceryc.pdbEE"GCTL source: Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1792221350.000000006CBD6000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.14.dr
Source:	Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.14.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5f925e.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{4A194FDC-5FC7-428C-83CA-BC4A750D530B}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9665.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5f9260.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5f9260.msi	Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_624868CC	15_2_624868CC
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6248D2D4	15_2_6248D2D4
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_62E81A7C	15_2_62E81A7C
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_62E83A1C	15_2_62E83A1C
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_62E8F7E0	15_2_62E8F7E0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_62E81794	15_2_62E81794
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_62E87F24	15_2_62E87F24
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_62E934C4	15_2_62E934C4
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_62E8B0B0	15_2_62E8B0B0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_62E86D4C	15_2_62E86D4C
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_62E89D51	15_2_62E89D51
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC5C7CB	15_2_6BC5C7CB
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC08FD0	15_2_6BC08FD0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC2C3D0	15_2_6BC2C3D0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC1C7F0	15_2_6BC1C7F0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC5A78B	15_2_6BC5A78B
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC37BB0	15_2_6BC37BB0
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC09F50	15_2_6BC09F50
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC14750	15_2_6BC14750
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC34F50	15_2_6BC34F50
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC5E750	15_2_6BC5E750
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC06F70	15_2_6BC06F70
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_2_6BC5BF70	15_2_6BC5BF70

Source: Module.Helper.dll.14.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Module.View.dll.14.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: libpng14-14.dll.14.dr	Static PE information: Number of sections : 18 > 10
Source: libcurl.dll.14.dr	Static PE information: Number of sections : 11 > 10
Source: libssl-1_1.dll.14.dr	Static PE information: Number of sections : 11 > 10
Source: libxml2-2.dll.14.dr	Static PE information: Number of sections : 19 > 10
Source: pthreadGC2.dll.14.dr	Static PE information: Number of sections : 21 > 10
Source: libgccfree.dll.14.dr	Static PE information: Number of sections : 14 > 10
Source: zlib1.dll.14.dr	Static PE information: Number of sections : 11 > 10
Source: libcrypto-1_1.dll.14.dr	Static PE information: Number of sections : 11 > 10

Source: api-ms-win-core-libraryloader-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-louserzation-l1-2-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: API-MS-Win-core-xstate-l2-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.14.dr	Static PE information: No import functions for PE file found

Source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185bf.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.532aea2.6.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.34185ae.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.33a12b6.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.5779caa.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.52b2896.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.5239f2a.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.Coolmuster PDF Image Extractor.exe.33a0686.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.Coolmuster PDF Image Extractor.exe.57f3ce2.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_762381681
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Mutant created: \Sessions\1\BaseNamedObjects\59035925
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global_Coolmuster PDF Image Extractor_2.2.27

Source: Coolmuster PDF Image Extractor.exe	String found in binary or memory: set-addPolicy
Source: Coolmuster PDF Image Extractor.exe	String found in binary or memory: id-cmc-addExtensions

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi\" -spe -an -ai#7zMap15499:192:7zEvent20179
Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi\d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe "C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1228
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -ep bypass
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /all
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe "C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -ep bypass	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe" /all	Jump to behavior

Source: libBasic.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x43159
Source: libI18n.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x8c9e
Source: libglog.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x31892
Source: groceryc.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x5d60f
Source: ImageUtility.dll.14.dr	Static PE information: real checksum: 0x7a6e6 should be: 0x826e6
Source: libIPC.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x12eb2
Source: Module.Helper.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x1706a
Source: libRG.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x14e23
Source: libUpdate.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x12584
Source: Module.View.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0x433a1
Source: Unrar.dll.14.dr	Static PE information: real checksum: 0x0 should be: 0xab3d7

Source: libpng14-14.dll.14.dr	Static PE information: section name: /4
Source: libpng14-14.dll.14.dr	Static PE information: section name: /14
Source: libpng14-14.dll.14.dr	Static PE information: section name: /29
Source: libpng14-14.dll.14.dr	Static PE information: section name: /41
Source: libpng14-14.dll.14.dr	Static PE information: section name: /55
Source: libpng14-14.dll.14.dr	Static PE information: section name: /67
Source: libpng14-14.dll.14.dr	Static PE information: section name: /80
Source: libpng14-14.dll.14.dr	Static PE information: section name: /91
Source: libpng14-14.dll.14.dr	Static PE information: section name: /102
Source: zlib1.dll.14.dr	Static PE information: section name: /4
Source: libgccfree.dll.14.dr	Static PE information: section name: /4
Source: libgccfree.dll.14.dr	Static PE information: section name: /14
Source: libgccfree.dll.14.dr	Static PE information: section name: /29
Source: libgccfree.dll.14.dr	Static PE information: section name: /41
Source: libgccfree.dll.14.dr	Static PE information: section name: /55
Source: libcrypto-1_1.dll.14.dr	Static PE information: section name: /4
Source: libcurl.dll.14.dr	Static PE information: section name: .eh_fram
Source: libssl-1_1.dll.14.dr	Static PE information: section name: /4
Source: libxml2-2.dll.14.dr	Static PE information: section name: /4
Source: libxml2-2.dll.14.dr	Static PE information: section name: /14
Source: libxml2-2.dll.14.dr	Static PE information: section name: /29
Source: libxml2-2.dll.14.dr	Static PE information: section name: /45
Source: libxml2-2.dll.14.dr	Static PE information: section name: /57
Source: libxml2-2.dll.14.dr	Static PE information: section name: /71
Source: libxml2-2.dll.14.dr	Static PE information: section name: /83
Source: libxml2-2.dll.14.dr	Static PE information: section name: /96
Source: libxml2-2.dll.14.dr	Static PE information: section name: /107
Source: libxml2-2.dll.14.dr	Static PE information: section name: /118
Source: ImageUtility.dll.14.dr	Static PE information: section name: .data1
Source: ImageUtility.dll.14.dr	Static PE information: section name: .trace
Source: ImageUtility.dll.14.dr	Static PE information: section name: _RDATA
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /4
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /14
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /29
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /45
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /61
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /73
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /87
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /99
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /112
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /123
Source: pthreadGC2.dll.14.dr	Static PE information: section name: /134
Source: msvcp140.dll.14.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC90 push ebx; iretd	15_3_009AAC92
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32
Source: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Code function: 15_3_009AAC31 push ebx; ret	15_3_009AAC32

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libexpat.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\DGBCDX64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libpng14-14.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\groceryc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\OfflineReg.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libUpdate.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Module.Helper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-console-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\pthreadGC2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Module.View.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Unrar.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\ucrtbase.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libglog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libRG.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\ImageUtility.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\API-MS-Win-core-xstate-l2-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libIPC.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-louserzation-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\zlib1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libdrive.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,1.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libI18n.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libssl-1_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libxml2-2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libcurl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libBasic.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_atomic_wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libgccfree.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\Coolmuster PDF Image Extractor.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_2.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1262	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8616	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 974	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8829	Jump to behavior

Windows Analysis Report d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.zip

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.zip

Malware Threat Intel
Provided by

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\DGBCDX64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libpng14-14.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\OfflineReg.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-console-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\API-MS-Win-core-xstate-l2-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libIPC.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-louserzation-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\GuardEassosRestoreBoot,1.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_atomic_wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\libgccfree.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Network MPluginManager\msvcp140_2.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe TID: 6812	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6172	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6168	Thread sleep count: 974 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7108	Thread sleep count: 8829 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4300	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746540298.0000000000999000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1711656176.0000000000995000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW{G~
Source: Coolmuster PDF Image Extractor.exe, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1714864839.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1711656176.0000000000995000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1746540298.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1762660383.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1713159155.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1714864839.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1711656176.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1742260027.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000002.1762660383.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, Coolmuster PDF Image Extractor.exe, 0000000F.00000003.1712121777.00000000009F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug	Jump to behavior

ID:	1532102
Product:	CloudBasic
Start time:	10:25:11
Start date:	12.10.2024
Sample:	d7816ba6ddda0c4e833d9bba85864de6b1bd289246fcedae84b8a6581db3f5b6.msi.zip
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	2e68d1dbedf3e80f938a305ada936c8d
SHA1:	81cac25a0e566d7741961dd0f9c93bdd16c81e88
SHA256:	8e36968274e6eff65a02d776953af1147ad72b682bb340457d119a5512365605
Filetype:	ZIP compressed archive (8000/1) 99.91%