Windows Analysis Report
62f928.msi

Overview

General Information

Sample name: 62f928.msi
Analysis ID: 1579315
MD5: a2a7ff35bd33480418bd39e0832d0875
SHA1: 8cd2ec2310b1240ffa9944631c409e658cea03a7
SHA256: 46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54
Tags: msi, Remcos, user-smica83

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: C:\Users\user\AppData\Local\Temp\srpcrmxgav Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: 28.2.cmd.exe.59500c8.7.raw.unpack Malware Configuration Extractor: Remcos {"Host:Port:Password": ["adminitpal.com:8080:1", "adminitpal.com:443:1"], "Assigned name": "Teddy", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "tRvr-YKFHJK", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Enable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;chrome;edge;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Putty", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "5", "Copy folder": "Remcos", "Keylog folder": "putty"}
Source: 62f928.msi Virustotal: Detection: 16%
Source: Yara match File source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.2927530214.0000000000457000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3387760105.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2929009454.00000000059D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Demowordpad.exe PID: 2960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\srpcrmxgav Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp Joe Sandbox ML: detected
Source: cmd.exe, 00000013.00000002.2929009454.00000000059D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_e4c92b46-e

Exploits

Source: Yara match File source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.ManyCam.exe.9b525ce.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.Demowordpad.exe.2f4ea8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.5352a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.ManyCam.exe.9c419ce.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.4f0aa8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.4f50757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.Demowordpad.exe.2f93b57.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.5398757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.ManyCam.exe.9c425ce.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ManyCam.exe.9b929ce.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.Demowordpad.exe.2f94757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.ManyCam.exe.9b0c901.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ManyCam.exe.9b4d901.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.5397b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.ManyCam.exe.9b519ce.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.4f4fb57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.ManyCam.exe.9bfc901.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ManyCam.exe.9b935ce.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.2927530214.0000000000457000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3387760105.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2929009454.00000000059D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ManyCam.exe PID: 2760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ManyCam.exe PID: 4136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Demowordpad.exe PID: 2960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ManyCam.exe PID: 5892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: d:\branch_2.5\bin\cximagecrt.pdb0 source: ManyCam.exe, 00000004.00000002.2385618467.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 0000000F.00000002.2647092406.0000000010062000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000001A.00000002.3214938143.0000000010062000.00000002.00000001.01000000.0000000D.sdmp, cximagecrt.dll.3.dr
Source: Binary string: d:\branch_2.5\bin\cximagecrt.pdb source: ManyCam.exe, 00000004.00000002.2385618467.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 0000000F.00000002.2647092406.0000000010062000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000001A.00000002.3214938143.0000000010062000.00000002.00000001.01000000.0000000D.sdmp, cximagecrt.dll.3.dr
Source: Binary string: tracefmt.pdb source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000000.2843853626.00000000000E1000.00000020.00000001.01000000.00000016.sdmp, Demowordpad.exe, 00000019.00000002.2927208005.00000000000E1000.00000020.00000001.01000000.00000016.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000021.00000002.3385818366.00000000000E1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb8` source: ManyCam.exe, 0000000F.00000002.2640900189.000000000185D000.00000002.00000001.01000000.00000012.sdmp, ManyCam.exe, 0000001A.00000002.3209857150.0000000000D8D000.00000002.00000001.01000000.00000012.sdmp, highgui099.dll.3.dr
Source: Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdb source: ManyCam.exe, 00000004.00000002.2377886414.0000000001741000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 0000000F.00000002.2640115558.00000000011D1000.00000002.00000001.01000000.0000000E.sdmp, ManyCam.exe, 0000001A.00000002.3209116933.0000000000BC1000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: \tracef@mt.pdbv source: ManyCam.exe, 00000004.00000002.2382949102.0000000009843000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645530055.000000000997E000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213620478.0000000009A71000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ManyCam.exe, 00000004.00000002.2384692934.000000000A000000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000004.00000002.2384125666.0000000009CAB000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645938626.0000000009C6B000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2646367318.0000000009FC0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2646569631.000000000A37D000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928027730.0000000004B51000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928401666.0000000005060000.00000004.00001000.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928454078.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928110123.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3214442930.000000000A46E000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3214231631.000000000A0B0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213896105.0000000009D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387399217.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3386847725.0000000004FA8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ManyCam.exe, 00000004.00000002.2384692934.000000000A000000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000004.00000002.2384125666.0000000009CAB000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645938626.0000000009C6B000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2646367318.0000000009FC0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2646569631.000000000A37D000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928027730.0000000004B51000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928401666.0000000005060000.00000004.00001000.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928454078.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928110123.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3214442930.000000000A46E000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3214231631.000000000A0B0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213896105.0000000009D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387399217.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3386847725.0000000004FA8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbload <modname> - you must specify a module to load source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000000.2843853626.00000000000E1000.00000020.00000001.01000000.00000016.sdmp, Demowordpad.exe, 00000019.00000002.2927208005.00000000000E1000.00000020.00000001.01000000.00000016.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000021.00000002.3385818366.00000000000E1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb8`} source: ManyCam.exe, 00000004.00000002.2378044776.00000000017CD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb source: ManyCam.exe, 00000004.00000002.2378044776.00000000017CD000.00000002.00000001.01000000.00000008.sdmp, ManyCam.exe, 0000000F.00000002.2640900189.000000000185D000.00000002.00000001.01000000.00000012.sdmp, ManyCam.exe, 0000001A.00000002.3209857150.0000000000D8D000.00000002.00000001.01000000.00000012.sdmp, highgui099.dll.3.dr
Source: Binary string: c:\Program Files\OpenCV\bin\cv099.pdb source: ManyCam.exe, 00000004.00000003.2373737632.0000000000C11000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000004.00000002.2378309489.000000000187F000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 0000000F.00000002.2640529435.00000000012AF000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000001A.00000002.3209564446.0000000000D1F000.00000002.00000001.01000000.00000011.sdmp, cv099.dll.4.dr
Source: Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdbu source: ManyCam.exe, 00000004.00000002.2377886414.0000000001741000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 0000000F.00000002.2640115558.00000000011D1000.00000002.00000001.01000000.0000000E.sdmp, ManyCam.exe, 0000001A.00000002.3209116933.0000000000BC1000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: d:\branch_2.5\bin\ManyCam.pdb source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000003.2375015382.0000000000C11000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr
Source: Binary string: d:\branch_2.5\Bin\CrashRpt.pdb source: ManyCam.exe, 00000004.00000002.2378693094.0000000002012000.00000002.00000001.01000000.00000005.sdmp, ManyCam.exe, 0000000F.00000002.2641911704.0000000002012000.00000002.00000001.01000000.0000000F.sdmp, ManyCam.exe, 0000001A.00000002.3210844805.0000000002012000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: dbghelp.pdb source: ManyCam.exe, 00000004.00000002.2386054055.000000006D511000.00000020.00000001.01000000.00000006.sdmp, ManyCam.exe, 0000000F.00000002.2647197974.000000006D511000.00000020.00000001.01000000.00000010.sdmp, ManyCam.exe, 0000001A.00000002.3215308587.000000006D511000.00000020.00000001.01000000.00000010.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\cmd.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError, 4_2_004164A0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError, 15_2_004164A0
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\

Networking

Source: Malware configuration extractor URLs: adminitpal.com
Source: Malware configuration extractor URLs: adminitpal.com
Source: ManyCam.exe, 0000001A.00000002.3213620478.0000000009A71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c0rl.m%L
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ManyCam.exe, 00000004.00000002.2382949102.0000000009843000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645530055.000000000997E000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213620478.0000000009A71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ManyCam.exe, 00000004.00000002.2377447633.00000000005A4000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000003.2375015382.0000000000C11000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2639408265.00000000005A4000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946945665.00000000005A4000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: http://download.manycam.com
Source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://download.manycam.com/effects/%s/%s?v=%sBackgroundsDynamicDynamic
Source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://download.manycam.com/effects/%s/%s?v=%sManyCam
Source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://download.manycam.comNew
Source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://download.manycam.comVerdanaThis
Source: ManyCam.exe String found in binary or memory: http://manycam.com/feedback/?version=%s
Source: ManyCam.exe, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://manycam.com/help/effects
Source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://manycam.com/upload_effect?filepath=ManyCam
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: ManyCam.exe, 00000004.00000002.2382949102.0000000009843000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645530055.000000000997E000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213620478.0000000009A71000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009AF0000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009AAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009B9F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.0000000005303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: ManyCam.exe, ManyCam.exe, 0000000F.00000002.2639408265.00000000005A4000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946945665.00000000005A4000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://www.manycam.com
Source: ManyCam.exe, ManyCam.exe, 0000000F.00000002.2639408265.00000000005A4000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946945665.00000000005A4000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.manycam.com/codec
Source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://www.manycam.com/codecVerdanaThis
Source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://www.manycam.com/codecVerdanaTo
Source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://www.manycam.com/help/effects/snapshot/these
Source: ManyCam.exe, 00000004.00000003.2375015382.0000000000C11000.00000004.00000020.00020000.00000000.sdmp, cximagecrt.dll.3.dr String found in binary or memory: http://www.manycam.com0
Source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr String found in binary or memory: http://www.manycam.comhttp://manycam.com/feedback/?version=%sAnchor
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: ManyCam.exe, 00000004.00000002.2382949102.0000000009843000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645530055.000000000997E000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213620478.0000000009A71000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: ManyCam.exe, 00000004.00000002.2382949102.0000000009843000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645530055.000000000997E000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213620478.0000000009A71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.c
Source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: Yara match File source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.2927530214.0000000000457000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3387760105.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2929009454.00000000059D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Demowordpad.exe PID: 2960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED

E-Banking Fraud

Source: Yara match File source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.2927530214.0000000000457000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3387760105.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2929009454.00000000059D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Demowordpad.exe PID: 2960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED

System Summary

Source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.ManyCam.exe.9b525ce.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.Demowordpad.exe.2f4ea8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.5352a8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.ManyCam.exe.9c419ce.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.4f0aa8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.4f50757.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.Demowordpad.exe.2f93b57.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.5398757.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.ManyCam.exe.9c425ce.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.ManyCam.exe.9b929ce.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.Demowordpad.exe.2f94757.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.ManyCam.exe.9b0c901.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.ManyCam.exe.9b4d901.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.5397b57.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.ManyCam.exe.9b519ce.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.cmd.exe.4f4fb57.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.ManyCam.exe.9bfc901.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.ManyCam.exe.9b935ce.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000019.00000002.2927530214.0000000000457000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001C.00000002.3387760105.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000013.00000002.2929009454.00000000059D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 1460, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Demowordpad.exe PID: 2960, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 6472, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6e2515.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{9C7064B9-89ED-41DD-86B6-540DFCC59041}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI265D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6e2517.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6e2517.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\6e2517.msi
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_0050EC90 4_2_0050EC90
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016FD160 4_2_016FD160
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016DE120 4_2_016DE120
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016FE110 4_2_016FE110
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_0173B1D0 4_2_0173B1D0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016AB1A0 4_2_016AB1A0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016E0180 4_2_016E0180
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016AB030 4_2_016AB030
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016DD000 4_2_016DD000
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_017000D0 4_2_017000D0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016AC0D0 4_2_016AC0D0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_01739090 4_2_01739090
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_0172C360 4_2_0172C360
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016F3340 4_2_016F3340
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016B9338 4_2_016B9338
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016AB310 4_2_016AB310
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_017283B0 4_2_017283B0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016B63A7 4_2_016B63A7
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_01699380 4_2_01699380
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016F7390 4_2_016F7390
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016B727E 4_2_016B727E
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_01693240 4_2_01693240
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016ED240 4_2_016ED240
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_0172E240 4_2_0172E240
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_01702230 4_2_01702230
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016E0209 4_2_016E0209
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016982F0 4_2_016982F0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016B32F4 4_2_016B32F4
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016942C0 4_2_016942C0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_017302C0 4_2_017302C0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016962A0 4_2_016962A0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016AE2A0 4_2_016AE2A0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016D02A0 4_2_016D02A0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016F12A0 4_2_016F12A0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_01713520 4_2_01713520
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_0171A523 4_2_0171A523
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016F65F0 4_2_016F65F0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016AE5A0 4_2_016AE5A0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_0172E5A0 4_2_0172E5A0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_01729470 4_2_01729470
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016BD422 4_2_016BD422
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016F5420 4_2_016F5420
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016BD430 4_2_016BD430
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016F04F0 4_2_016F04F0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_0173E4D0 4_2_0173E4D0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_016AB4C0 4_2_016AB4C0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0050EC90 15_2_0050EC90
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0118E110 15_2_0118E110
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0116E120 15_2_0116E120
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_01170180 15_2_01170180
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0113C0D0 15_2_0113C0D0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011900D0 15_2_011900D0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011BC360 15_2_011BC360
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011B83B0 15_2_011B83B0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011463A7 15_2_011463A7
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_01170209 15_2_01170209
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_01192230 15_2_01192230
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011BE240 15_2_011BE240
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011262A0 15_2_011262A0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0113E2A0 15_2_0113E2A0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011602A0 15_2_011602A0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011242C0 15_2_011242C0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011C02C0 15_2_011C02C0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011282F0 15_2_011282F0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011AA523 15_2_011AA523
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0113E5A0 15_2_0113E5A0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011BE5A0 15_2_011BE5A0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011865F0 15_2_011865F0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011CE4D0 15_2_011CE4D0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011804F0 15_2_011804F0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_01164710 15_2_01164710
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_01188700 15_2_01188700
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011CC790 15_2_011CC790
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0113A650 15_2_0113A650
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0117C670 15_2_0117C670
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_01184660 15_2_01184660
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011A46B3 15_2_011A46B3
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011486A9 15_2_011486A9
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0113A6CE 15_2_0113A6CE
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011266E0 15_2_011266E0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_01168970 15_2_01168970
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011BE970 15_2_011BE970
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0113A9D0 15_2_0113A9D0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0117E9C0 15_2_0117E9C0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0113A810 15_2_0113A810
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011A4860 15_2_011A4860
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0116A890 15_2_0116A890
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0119A883 15_2_0119A883
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0113A88E 15_2_0113A88E
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0113E8B0 15_2_0113E8B0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011448F8 15_2_011448F8
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0118A8E0 15_2_0118A8E0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_0113AB40 15_2_0113AB40
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Regma\CrashRpt.dll C28E0AEC124902E948C554436C0EBBEBBA9FC91C906CE2CD887FADA0C64E3386
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: String function: 00416740 appears 60 times
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: String function: 004B77A0 appears 100 times
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: String function: 016D6DF0 appears 304 times
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: String function: 004B76D0 appears 36 times
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: String function: 0047BCF0 appears 141 times
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: String function: 00416740 appears 60 times
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: String function: 004B77A0 appears 101 times
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: String function: 01166DF0 appears 280 times
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: String function: 004B76D0 appears 36 times
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: String function: 0047BCF0 appears 141 times
Source: CrashRpt.dll.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: CrashRpt.dll.4.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.ManyCam.exe.9b525ce.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.Demowordpad.exe.2f4ea8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.5352a8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.ManyCam.exe.9c419ce.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.4f0aa8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.4f50757.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.Demowordpad.exe.2f93b57.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.5398757.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.ManyCam.exe.9c425ce.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.ManyCam.exe.9b929ce.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.Demowordpad.exe.2f94757.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.ManyCam.exe.9b0c901.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.ManyCam.exe.9b4d901.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.5397b57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.ManyCam.exe.9b519ce.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.cmd.exe.4f4fb57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.ManyCam.exe.9bfc901.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.ManyCam.exe.9b935ce.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000019.00000002.2927530214.0000000000457000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001C.00000002.3387760105.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000013.00000002.2929009454.00000000059D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 1460, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Demowordpad.exe PID: 2960, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 6472, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal100.troj.expl.evad.winMSI@23/43@0/0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_004B7920 GetLastError,FormatMessageW,GlobalFree, 4_2_004B7920
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_004B2100 CoCreateInstance, 4_2_004B2100
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_00488A00 FindResourceW,GetLastError,SizeofResource,GetLastError,GetLastError, 4_2_00488A00
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML26CA.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF922745D2A5985678.TMP
Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 62f928.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
Source: 62f928.msi Virustotal: Detection: 16%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\62f928.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Regma\ManyCam.exe "C:\Users\user\AppData\Local\Regma\ManyCam.exe"
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Local\Regma\ManyCam.exe"
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Process created: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\Demowordpad.exe C:\Users\user\AppData\Local\Temp\Demowordpad.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe "C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\Demowordpad.exe C:\Users\user\AppData\Local\Temp\Demowordpad.exe
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Regma\ManyCam.exe "C:\Users\user\AppData\Local\Regma\ManyCam.exe"
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Local\Regma\ManyCam.exe"
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Process created: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\Demowordpad.exe C:\Users\user\AppData\Local\Temp\Demowordpad.exe
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\Demowordpad.exe C:\Users\user\AppData\Local\Temp\Demowordpad.exe
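The chain above is the hand-off to watch: msiexec.exe starts the ManyCam.exe it dropped under %LOCALAPPDATA%\Regma, that binary launches a same-named copy from %APPDATA%\SyncvalidKil3, the copy spawns cmd.exe, and cmd.exe starts Demowordpad.exe out of %TEMP% (and, per the Hooking section further down, maps the extensionless file krdqojnmbomp from the same directory). The pcaui.exe children are the Program Compatibility Assistant prompt that apphelp/pcacli raise from inside any old binary (this ManyCam build still opens the VC80 CRT from WinSxS); the -e argument just names the executable that triggered it, so those rows are a side effect of the lure, not part of the attacker's chain. The script below is an added example, not code from the report or from Joe Sandbox: it rebuilds the tree from constructed create/load records modelled on the rows above and names each hop with a rule. The EVENTS records, the rule names and the path patterns are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed records modelled on the "Process created" and "Module Loaded"
# rows of this report (kind, parent image, child image or module path).
# They are not sandbox output.
EVENTS = [
    ("create", r"C:\Windows\System32\msiexec.exe",
               r"C:\Users\user\AppData\Local\Regma\ManyCam.exe"),
    ("create", r"C:\Users\user\AppData\Local\Regma\ManyCam.exe",
               r"C:\Windows\System32\pcaui.exe"),
    ("create", r"C:\Users\user\AppData\Local\Regma\ManyCam.exe",
               r"C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe"),
    ("create", r"C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe",
               r"C:\Windows\SysWOW64\cmd.exe"),
    ("create", r"C:\Windows\SysWOW64\cmd.exe",
               r"C:\Users\user\AppData\Local\Temp\Demowordpad.exe"),
    ("load",   r"C:\Windows\SysWOW64\cmd.exe",
               r"C:\Users\user\AppData\Local\Temp\krdqojnmbomp"),
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
HAS_EXTENSION = re.compile(r"\.[A-Za-z0-9]{1,4}$")
MSIEXEC = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\msiexec\.exe$", re.I)
CMD = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\cmd\.exe$", re.I)
# pcaui.exe is the Program Compatibility Assistant prompt that apphelp/pcacli
# start from inside an old binary; it is noise, not a hop in the chain.
PCA_NOISE = re.compile(r"\\pcaui\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def analyze(events):
    """Return (rule, parent, child) findings for the installer-to-%TEMP% hand-off."""
    findings = []
    creates = [(p, c) for kind, p, c in events
               if kind == "create" and not PCA_NOISE.search(c)]
    loads = [(p, m) for kind, p, m in events if kind == "load"]
    cmd_from_user_path = set()
    for parent, child in creates:
        # Installer handing control to a binary it dropped into the user profile.
        if MSIEXEC.match(parent) and USER_WRITABLE.match(child):
            findings.append(("msiexec_user_payload", parent, child))
        # Same-named copy launched from a second user-writable directory.
        if (USER_WRITABLE.match(parent) and USER_WRITABLE.match(child)
                and basename(parent) == basename(child)
                and dirname(parent) != dirname(child)):
            findings.append(("self_relocation", parent, child))
        if USER_WRITABLE.match(parent) and CMD.match(child):
            cmd_from_user_path.add(child.lower())
    for parent, child in creates:
        # cmd.exe started by a user-profile binary, launching an exe out of %TEMP%.
        if parent.lower() in cmd_from_user_path and TEMP_DIR.search(child):
            findings.append(("cmd_handoff_to_temp", parent, child))
    for parent, module in loads:
        # A process mapping an extensionless file from a user-writable path.
        if USER_WRITABLE.match(module) and not HAS_EXTENSION.search(module):
            findings.append(("extensionless_module_load", parent, module))
    return findings


def render_tree(events) -> list:
    """Indented parent/child listing of the create events, PCA prompts marked."""
    children = defaultdict(list)
    all_children = set()
    for kind, parent, child in events:
        if kind == "create":
            children[parent].append(child)
            all_children.add(child)
    roots = [p for p in children if p not in all_children]
    lines = []

    def walk(node, depth):
        tag = "  [PCA noise]" if PCA_NOISE.search(node) else ""
        lines.append("  " * depth + node + tag)
        for c in children.get(node, []):
            walk(c, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for rule, parent, child in analyze(EVENTS):
        print(f"{rule}: {parent} -> {child}")
```

To run it over real telemetry, feed (kind, parent image, child image) tuples from Sysmon event ID 1 (process create) and ID 7 (image load) or the equivalent EDR fields. The same-name/different-directory test is what separates the staging copy from a legitimate updater, and dropping pcaui.exe before analysis keeps both the tree and the alert list readable.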
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: cximagecrt.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: cxcore099.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: cv099.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: highgui099.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: crashrpt.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: avifil32.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: pcaui.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: dui70.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: wer.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: cximagecrt.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: cxcore099.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: cv099.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: highgui099.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: crashrpt.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: avifil32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: pcaui.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: dui70.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: wer.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: cximagecrt.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: cxcore099.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: cv099.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: highgui099.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: crashrpt.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: avifil32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: pcaui.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: dui70.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: wer.dll
Source: C:\Windows\System32\pcaui.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: wwaxt.19.dr LNK file: ..\..\Roaming\SyncvalidKil3\ManyCam.exe
Source: 62f928.msi Static file information: File size 2957312 > 1048576
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: d:\branch_2.5\bin\cximagecrt.pdb0 source: ManyCam.exe, 00000004.00000002.2385618467.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 0000000F.00000002.2647092406.0000000010062000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000001A.00000002.3214938143.0000000010062000.00000002.00000001.01000000.0000000D.sdmp, cximagecrt.dll.3.dr
Source: Binary string: d:\branch_2.5\bin\cximagecrt.pdb source: ManyCam.exe, 00000004.00000002.2385618467.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 0000000F.00000002.2647092406.0000000010062000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000001A.00000002.3214938143.0000000010062000.00000002.00000001.01000000.0000000D.sdmp, cximagecrt.dll.3.dr
Source: Binary string: tracefmt.pdb source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000000.2843853626.00000000000E1000.00000020.00000001.01000000.00000016.sdmp, Demowordpad.exe, 00000019.00000002.2927208005.00000000000E1000.00000020.00000001.01000000.00000016.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000021.00000002.3385818366.00000000000E1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb8` source: ManyCam.exe, 0000000F.00000002.2640900189.000000000185D000.00000002.00000001.01000000.00000012.sdmp, ManyCam.exe, 0000001A.00000002.3209857150.0000000000D8D000.00000002.00000001.01000000.00000012.sdmp, highgui099.dll.3.dr
Source: Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdb source: ManyCam.exe, 00000004.00000002.2377886414.0000000001741000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 0000000F.00000002.2640115558.00000000011D1000.00000002.00000001.01000000.0000000E.sdmp, ManyCam.exe, 0000001A.00000002.3209116933.0000000000BC1000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: \tracef@mt.pdbv source: ManyCam.exe, 00000004.00000002.2382949102.0000000009843000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645530055.000000000997E000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213620478.0000000009A71000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ManyCam.exe, 00000004.00000002.2384692934.000000000A000000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000004.00000002.2384125666.0000000009CAB000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645938626.0000000009C6B000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2646367318.0000000009FC0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2646569631.000000000A37D000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928027730.0000000004B51000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928401666.0000000005060000.00000004.00001000.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928454078.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928110123.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3214442930.000000000A46E000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3214231631.000000000A0B0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213896105.0000000009D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387399217.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3386847725.0000000004FA8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ManyCam.exe, 00000004.00000002.2384692934.000000000A000000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000004.00000002.2384125666.0000000009CAB000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645938626.0000000009C6B000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2646367318.0000000009FC0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2646569631.000000000A37D000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928027730.0000000004B51000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928401666.0000000005060000.00000004.00001000.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928454078.00000000030A0000.00000004.00001000.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928110123.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3214442930.000000000A46E000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3214231631.000000000A0B0000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000001A.00000002.3213896105.0000000009D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387399217.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3386847725.0000000004FA8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .pdbload <modname> - you must specify a module to load source: ManyCam.exe, 00000004.00000002.2383862619.0000000009B47000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000F.00000002.2645623231.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000002.2928233026.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000002.2928298393.0000000002F48000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000019.00000000.2843853626.00000000000E1000.00000020.00000001.01000000.00000016.sdmp, Demowordpad.exe, 00000019.00000002.2927208005.00000000000E1000.00000020.00000001.01000000.00000016.sdmp, ManyCam.exe, 0000001A.00000002.3213715800.0000000009BF6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp, Demowordpad.exe, 00000021.00000002.3385818366.00000000000E1000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb8`} source: ManyCam.exe, 00000004.00000002.2378044776.00000000017CD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb source: ManyCam.exe, 00000004.00000002.2378044776.00000000017CD000.00000002.00000001.01000000.00000008.sdmp, ManyCam.exe, 0000000F.00000002.2640900189.000000000185D000.00000002.00000001.01000000.00000012.sdmp, ManyCam.exe, 0000001A.00000002.3209857150.0000000000D8D000.00000002.00000001.01000000.00000012.sdmp, highgui099.dll.3.dr
Source: Binary string: c:\Program Files\OpenCV\bin\cv099.pdb source: ManyCam.exe, 00000004.00000003.2373737632.0000000000C11000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000004.00000002.2378309489.000000000187F000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 0000000F.00000002.2640529435.00000000012AF000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000001A.00000002.3209564446.0000000000D1F000.00000002.00000001.01000000.00000011.sdmp, cv099.dll.4.dr
Source: Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdbu source: ManyCam.exe, 00000004.00000002.2377886414.0000000001741000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 0000000F.00000002.2640115558.00000000011D1000.00000002.00000001.01000000.0000000E.sdmp, ManyCam.exe, 0000001A.00000002.3209116933.0000000000BC1000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: d:\branch_2.5\bin\ManyCam.pdb source: ManyCam.exe, 00000004.00000002.2377310419.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000004.00000003.2375015382.0000000000C11000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000004.00000000.2151979907.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 0000000F.00000000.2376267252.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000F.00000002.2639043702.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000000.2946855490.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000001A.00000002.3208311962.000000000053B000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe.3.dr
Source: Binary string: d:\branch_2.5\Bin\CrashRpt.pdb source: ManyCam.exe, 00000004.00000002.2378693094.0000000002012000.00000002.00000001.01000000.00000005.sdmp, ManyCam.exe, 0000000F.00000002.2641911704.0000000002012000.00000002.00000001.01000000.0000000F.sdmp, ManyCam.exe, 0000001A.00000002.3210844805.0000000002012000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: dbghelp.pdb source: ManyCam.exe, 00000004.00000002.2386054055.000000006D511000.00000020.00000001.01000000.00000006.sdmp, ManyCam.exe, 0000000F.00000002.2647197974.000000006D511000.00000020.00000001.01000000.00000010.sdmp, ManyCam.exe, 0000001A.00000002.3215308587.000000006D511000.00000020.00000001.01000000.00000010.sdmp
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_0052309D IsProcessorFeaturePresent,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,InterlockedCompareExchange,GetProcessHeap,HeapFree, 4_2_0052309D
Source: krdqojnmbomp.19.dr Static PE information: real checksum: 0x0 should be: 0x7afa9
Source: cxcore099.dll.3.dr Static PE information: real checksum: 0xe6401 should be: 0xe3cd7
Source: cxcore099.dll.4.dr Static PE information: real checksum: 0xe6401 should be: 0xe3cd7
Source: srpcrmxgav.28.dr Static PE information: real checksum: 0x0 should be: 0x7afa9
Source: krdqojnmbomp.19.dr Static PE information: section name: nrdpr
Source: srpcrmxgav.28.dr Static PE information: section name: nrdpr
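The two checksum rows and the two section-name rows describe the same pair of files, krdqojnmbomp and srpcrmxgav: extensionless PE images that cmd.exe writes into %TEMP% with the CheckSum field left at zero and a section named nrdpr, which no standard toolchain emits. CheckSum 0 on its own is not a signal: link.exe only fills the field when /RELEASE is in effect and the loader only enforces it for kernel drivers, so plenty of legitimate user-mode binaries carry 0. A non-zero mismatch such as cxcore099.dll's 0xe6401 versus 0xe3cd7 says only that the bytes changed after the linker stamped the header. What makes these two files worth pulling is the combination: odd section name, no extension, dropped by cmd.exe, and (per the Hooking section) then mapped by cmd.exe as a module. The parser below is an added example, not code from the report or from Joe Sandbox: it recomputes the CheckSum with the imagehlp CheckSumMappedFile algorithm and lists section names against a set of common toolchain names. That set, the field names in the returned dict and build_minimal_pe, which fabricates a header so the check can be exercised offline, are assumptions for the example.

```python
import struct

# Section names the usual MSVC/MinGW link steps produce; anything else deserves a look.
# This list is an assumption for the example, not an authoritative allowlist.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".tls", ".bss", ".CRT", ".gfids", ".00cfg"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute OptionalHeader.CheckSum (imagehlp CheckSumMappedFile algorithm):
    end-around-carry sum of the file as 32-bit words, skipping the CheckSum
    field itself, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of the headers to check CheckSum and section names."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64            # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    expected = pe_checksum(data, checksum_off)
    sec_table = opt + size_opt
    names = []
    for i in range(n_sections):
        raw = struct.unpack_from("<8s", data, sec_table + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "pe32plus": magic == 0x20B,
        "stored_checksum": stored,
        "expected_checksum": expected,
        "checksum_unset": stored == 0,
        "checksum_ok": stored == expected,
        "sections": names,
        "nonstandard_sections": [n for n in names if n not in COMMON_SECTIONS],
    }


def build_minimal_pe(section_names, checksum=0) -> bytes:
    """Constructed PE32 header with the given sections, only for exercising
    inspect_pe offline; it is not loadable and not derived from any sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)   # CheckSum field
    secs = b"".join(struct.pack("<8s", n.encode("ascii")) + b"\0" * 32
                    for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, inspect_pe(f.read()))
```

Point it at the dropped files from a sandbox run (`python pecheck.py krdqojnmbomp srpcrmxgav`) and triage on nonstandard_sections plus checksum_unset together rather than on either alone; a file whose stored value matches expected but whose sections are still odd is the packer case, not a cleared one.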
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_005242D1 push ecx; ret 4_2_005242E4
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_01740361 push ecx; ret 4_2_01740374
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_005242D1 push ecx; ret 15_2_005242E4
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_011D0361 push ecx; ret 15_2_011D0374
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Regma\cxcore099.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Regma\CrashRpt.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe File created: C:\Users\user\AppData\Roaming\SyncvalidKil3\highgui099.dll
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\srpcrmxgav
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Regma\cv099.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe File created: C:\Users\user\AppData\Roaming\SyncvalidKil3\CrashRpt.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe File created: C:\Users\user\AppData\Roaming\SyncvalidKil3\cv099.dll
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\Demowordpad.exe
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe File created: C:\Users\user\AppData\Roaming\SyncvalidKil3\dbghelp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Regma\ManyCam.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Regma\dbghelp.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe File created: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe File created: C:\Users\user\AppData\Roaming\SyncvalidKil3\cximagecrt.dll
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe File created: C:\Users\user\AppData\Roaming\SyncvalidKil3\cxcore099.dll
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\krdqojnmbomp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Regma\cximagecrt.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Regma\highgui099.dll
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\krdqojnmbomp
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\srpcrmxgav

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\KRDQOJNMBOMP
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX (22 occurrences)
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe API/Special instruction interceptor: Address: 6C897C44
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe API/Special instruction interceptor: Address: 6C897C44
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe API/Special instruction interceptor: Address: 6C897945
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6C893B54
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe API/Special instruction interceptor: Address: 1288A6
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\srpcrmxgav
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\krdqojnmbomp
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe API coverage: 0.3 %
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe API coverage: 0.3 %
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation (7 occurrences)
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError, 4_2_004164A0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError, 15_2_004164A0
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_0173D5E0 GetSystemInfo,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,QueryPerformanceFrequency, 4_2_0173D5E0
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: ManyCam.exe, 0000001A.00000002.3213620478.0000000009A71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6vmware
Source: cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000001C.00000002.3387133385.000000000534C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_00523722 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 4_2_00523722 (2 occurrences)
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_0052309D IsProcessorFeaturePresent,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,InterlockedCompareExchange,GetProcessHeap,HeapFree, 4_2_0052309D
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_00523077 GetProcessHeap,HeapFree, 4_2_00523077
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Regma\ManyCam.exe "C:\Users\user\AppData\Local\Regma\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Code function: 15_2_00523722 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 15_2_00523722

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe NtQuerySystemInformation: Direct from: 0x173FFC0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe NtProtectVirtualMemory: Direct from: 0x6D172E48
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe NtProtectVirtualMemory: Direct from: 0x6C802970
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe NtQuerySystemInformation: Direct from: 0x2EFF020
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe NtQuerySystemInformation: Direct from: 0x11CFFC0
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe NtQuerySystemInformation: Direct from: 0xBBFFC0
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe NtCreateFile: Direct from: 0x128C30
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe NtSetInformationThread: Direct from: 0x6D51245D
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe NtSetInformationProcess: Direct from: 0x77377B2E
Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe NtAllocateVirtualMemory: Direct from: 0x129B63
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write (2 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Demowordpad.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\Demowordpad.exe base: 125F4F
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\Demowordpad.exe base: C98008
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\Demowordpad.exe base: 400000
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (2 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\Demowordpad.exe C:\Users\user\AppData\Local\Temp\Demowordpad.exe (2 occurrences)
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\local\regma\manycam.exe" (2 occurrences)
Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\syncvalidkil3\manycam.exe" (4 occurrences)
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_00524748 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_00524748
Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Code function: 4_2_004170D0 memset,GetVersionExW, 4_2_004170D0
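Read together, the process-creation, section-mapping, memory-write and "Direct from" lines in this section describe a chain ManyCam.exe (Roaming\SyncvalidKil3) -> cmd.exe -> Demowordpad.exe, in which cmd.exe writes into Demowordpad.exe at base 400000, the default image base of a 32-bit executable; together with the summary signatures "Creates a process in suspended mode" and "Writes to foreign memory regions" this is consistent with the child's image being replaced after it was started suspended. The pcaui.exe launches, by contrast, are the Windows Program Compatibility Assistant prompting about the ManyCam executable (the -a, -v and -s arguments carry its application name, vendor and reinstall message) and are a side effect of running that binary, not an evasion technique. The following Python is an editor's added example, not part of the Joe Sandbox report: it parses signature lines of the form shown above into a process lineage, flags writes at the image base made by a target's parent, and triages "Direct from" return addresses against an ntdll address range. The input lines are copied from this section (link text dropped, the pcaui.exe command line shortened to its path); the ntdll range is an assumed placeholder, because the report does not list module bases, and must be replaced with the real module list before the triage result means anything.

```python
import re
from collections import defaultdict

# Signature lines copied from the report section above (link text such as
# "Jump to behavior" dropped; the pcaui.exe command line shortened to its path).
REPORT_LINES = [
    r'Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Regma\ManyCam.exe "C:\Users\user\AppData\Local\Regma\ManyCam.exe"',
    r"Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\Demowordpad.exe C:\Users\user\AppData\Local\Temp\Demowordpad.exe",
    r"Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe Process created: C:\Windows\System32\pcaui.exe",
    r"Source: C:\Users\user\AppData\Roaming\SyncvalidKil3\ManyCam.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write",
    r"Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\Demowordpad.exe base: 125F4F",
    r"Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\Demowordpad.exe base: C98008",
    r"Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Users\user\AppData\Local\Temp\Demowordpad.exe base: 400000",
    r"Source: C:\Users\user\AppData\Local\Regma\ManyCam.exe NtQuerySystemInformation: Direct from: 0x173FFC0",
    r"Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe NtSetInformationProcess: Direct from: 0x77377B2E",
    r"Source: C:\Users\user\AppData\Local\Temp\Demowordpad.exe NtAllocateVirtualMemory: Direct from: 0x129B63",
]

PROC = re.compile(r"^Source: (\S+) Process created: (\S+)")
WRITE = re.compile(r"^Source: (\S+) Memory written: (\S+) base: ([0-9A-Fa-f]+)")
SECTION = re.compile(r"^Source: (\S+) Section loaded: \S+ target: (\S+) protection: (.+)$")
SYSCALL = re.compile(r"^Source: (\S+) (Nt\w+): Direct from: 0x([0-9A-Fa-f]+)")

DEFAULT_IMAGE_BASE = 0x400000  # default ImageBase of a 32-bit PE executable

# ASSUMPTION: ntdll.dll load range of the 32-bit (WoW64) process. The report does
# not list module bases, so this is a constructed placeholder that an analyst
# replaces with the real module list from the sandbox or a memory dump.
ASSUMED_NTDLL_RANGE = (0x77300000, 0x77480000)


def process_tree(lines):
    """Map each parent image path to the ordered, de-duplicated list of children it created."""
    tree = defaultdict(list)
    for line in lines:
        m = PROC.match(line)
        if m and m.group(2) not in tree[m.group(1)]:
            tree[m.group(1)].append(m.group(2))
    return dict(tree)


def lineage(tree, image):
    """Walk parent links from `image` up to the first process whose parent the lines do not record."""
    parent_of = {child: parent for parent, kids in tree.items() for child in kids}
    chain = [image]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return list(reversed(chain))


def injection_findings(lines, image_base=DEFAULT_IMAGE_BASE):
    """Per target process: who wrote into it, who mapped a section into it, whether a write
    landed exactly on the image base, and whether the writer/mapper is the target's parent."""
    tree = process_tree(lines)
    findings = defaultdict(lambda: {"writers": set(), "mapped_by": set(),
                                    "image_base_write": False, "parent_is_writer": False})
    for line in lines:
        if m := WRITE.match(line):
            writer, target, addr = m.group(1), m.group(2), int(m.group(3), 16)
            findings[target]["writers"].add(writer)
            if addr == image_base:
                findings[target]["image_base_write"] = True
        elif m := SECTION.match(line):
            findings[m.group(2)]["mapped_by"].add(m.group(1))
    for target, f in findings.items():
        f["parent_is_writer"] = any(target in tree.get(p, []) for p in f["writers"] | f["mapped_by"])
    return dict(findings)


def direct_syscall_triage(lines, ntdll_range=ASSUMED_NTDLL_RANGE):
    """Classify each 'Direct from' return address: outside ntdll means the syscall stub ran from
    other memory; inside ntdll still needs a look (hook or trampoline) but is not a raw stub."""
    lo, hi = ntdll_range
    hits = []
    for line in lines:
        m = SYSCALL.match(line)
        if m:
            addr = int(m.group(3), 16)
            hits.append({"process": m.group(1), "syscall": m.group(2),
                         "addr": addr, "outside_ntdll": not (lo <= addr < hi)})
    return hits


if __name__ == "__main__":
    tree = process_tree(REPORT_LINES)
    print(" -> ".join(lineage(tree, r"C:\Users\user\AppData\Local\Temp\Demowordpad.exe")))
    for target, f in injection_findings(REPORT_LINES).items():
        print(target, f)
    for hit in direct_syscall_triage(REPORT_LINES):
        print(hit)
```

The lineage stops at the Roaming copy of ManyCam.exe because this section records no parent for it; the Regma copy only drops that file. The syscall triage deliberately reports 0x77377B2E as inside the assumed ntdll range even though the sandbox flagged it, which is the point: a "Direct from" address is only a lead until it is resolved against the target process's real module map.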

Stealing of Sensitive Information

Source: Yara match File source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.2927530214.0000000000457000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3387760105.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2929009454.00000000059D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Demowordpad.exe PID: 2960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 28.2.cmd.exe.59500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.cmd.exe.59500c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.cmd.exe.59d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.2927530214.0000000000457000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3387760105.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2929009454.00000000059D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Demowordpad.exe PID: 2960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\krdqojnmbomp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\srpcrmxgav, type: DROPPED
No contacted IP infos