remcos | cc0244b4c258e97fbf0b8f502294162e664a37258c9ece4c7643568d62c033ce

Analysis

max time kernel
149s
max time network
151s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-01-2025 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

formulario_agendamiento_citas.msi
Size

9.0MB
MD5

b9f79ee9ec0f51e63b1ac46c20219654
SHA1

9f0633a95a0c82753967aa767e60c0e06ecf9e51
SHA256

cc0244b4c258e97fbf0b8f502294162e664a37258c9ece4c7643568d62c033ce
SHA512

36833b0f690a4fdbb27c91ef875d7e1685ee81c4bf910501c6f23dcb138c395dcfbaca6b415f82a9a21fed370bfc72825b3c9d329d5ecab77b44cb34882292e0
SSDEEP

196608:cmNuMO+3noWOAZml68MnJ6tdGeHzpNTxlSWtnngXdpikdFn2zBsBaS6e4xI3VpsB:9n/3oWdZml9nngV3n2zm4JVz

Score

10^/10

remcos noviembre 07 muchacha discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

NOVIEMBRE 07 MUCHACHA

imaxatmonk.imaxatmonk.com:2204

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Acobatlg.exe
copy_folder
edqelofh
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rochilds
mouse_option
false
mutex
gesinfrapr-6YDCRB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 4840	1320	ManyCam.exe	101

Executes dropped EXE 12 IoCs

pid	Process
3920	ISBEW64.exe
864	ISBEW64.exe
1516	ISBEW64.exe
2432	ISBEW64.exe
3704	ISBEW64.exe
5084	ISBEW64.exe
3624	ISBEW64.exe
2324	ISBEW64.exe
1020	ISBEW64.exe
4976	ISBEW64.exe
3716	ManyCam.exe
1320	ManyCam.exe

Loads dropped DLL 24 IoCs

pid	Process
2528	MsiExec.exe
2528	MsiExec.exe
2528	MsiExec.exe
2528	MsiExec.exe
2528	MsiExec.exe
3716	ManyCam.exe
3716	ManyCam.exe
3716	ManyCam.exe
3716	ManyCam.exe
3716	ManyCam.exe
3716	ManyCam.exe
3716	ManyCam.exe
3716	ManyCam.exe
3716	ManyCam.exe
1320	ManyCam.exe
1320	ManyCam.exe
1320	ManyCam.exe
1320	ManyCam.exe
1320	ManyCam.exe
1320	ManyCam.exe
1320	ManyCam.exe
1320	ManyCam.exe
1320	ManyCam.exe
1760	Ultracheck.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3588	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultracheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\	ManyCam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ManyCam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\	ManyCam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ManyCam.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3716	ManyCam.exe
1320	ManyCam.exe
1320	ManyCam.exe
4840	cmd.exe
4840	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1320	ManyCam.exe
4840	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3588	msiexec.exe
Token: SeSecurityPrivilege	3628	msiexec.exe
Token: SeCreateTokenPrivilege	3588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3588	msiexec.exe
Token: SeLockMemoryPrivilege	3588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3588	msiexec.exe
Token: SeMachineAccountPrivilege	3588	msiexec.exe
Token: SeTcbPrivilege	3588	msiexec.exe
Token: SeSecurityPrivilege	3588	msiexec.exe
Token: SeTakeOwnershipPrivilege	3588	msiexec.exe
Token: SeLoadDriverPrivilege	3588	msiexec.exe
Token: SeSystemProfilePrivilege	3588	msiexec.exe
Token: SeSystemtimePrivilege	3588	msiexec.exe
Token: SeProfSingleProcessPrivilege	3588	msiexec.exe
Token: SeIncBasePriorityPrivilege	3588	msiexec.exe
Token: SeCreatePagefilePrivilege	3588	msiexec.exe
Token: SeCreatePermanentPrivilege	3588	msiexec.exe
Token: SeBackupPrivilege	3588	msiexec.exe
Token: SeRestorePrivilege	3588	msiexec.exe
Token: SeShutdownPrivilege	3588	msiexec.exe
Token: SeDebugPrivilege	3588	msiexec.exe
Token: SeAuditPrivilege	3588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3588	msiexec.exe
Token: SeChangeNotifyPrivilege	3588	msiexec.exe
Token: SeRemoteShutdownPrivilege	3588	msiexec.exe
Token: SeUndockPrivilege	3588	msiexec.exe
Token: SeSyncAgentPrivilege	3588	msiexec.exe
Token: SeEnableDelegationPrivilege	3588	msiexec.exe
Token: SeManageVolumePrivilege	3588	msiexec.exe
Token: SeImpersonatePrivilege	3588	msiexec.exe
Token: SeCreateGlobalPrivilege	3588	msiexec.exe
Token: SeCreateTokenPrivilege	3588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3588	msiexec.exe
Token: SeLockMemoryPrivilege	3588	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3588	msiexec.exe
Token: SeMachineAccountPrivilege	3588	msiexec.exe
Token: SeTcbPrivilege	3588	msiexec.exe
Token: SeSecurityPrivilege	3588	msiexec.exe
Token: SeTakeOwnershipPrivilege	3588	msiexec.exe
Token: SeLoadDriverPrivilege	3588	msiexec.exe
Token: SeSystemProfilePrivilege	3588	msiexec.exe
Token: SeSystemtimePrivilege	3588	msiexec.exe
Token: SeProfSingleProcessPrivilege	3588	msiexec.exe
Token: SeIncBasePriorityPrivilege	3588	msiexec.exe
Token: SeCreatePagefilePrivilege	3588	msiexec.exe
Token: SeCreatePermanentPrivilege	3588	msiexec.exe
Token: SeBackupPrivilege	3588	msiexec.exe
Token: SeRestorePrivilege	3588	msiexec.exe
Token: SeShutdownPrivilege	3588	msiexec.exe
Token: SeDebugPrivilege	3588	msiexec.exe
Token: SeAuditPrivilege	3588	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3588	msiexec.exe
Token: SeChangeNotifyPrivilege	3588	msiexec.exe
Token: SeRemoteShutdownPrivilege	3588	msiexec.exe
Token: SeUndockPrivilege	3588	msiexec.exe
Token: SeSyncAgentPrivilege	3588	msiexec.exe
Token: SeEnableDelegationPrivilege	3588	msiexec.exe
Token: SeManageVolumePrivilege	3588	msiexec.exe
Token: SeImpersonatePrivilege	3588	msiexec.exe
Token: SeCreateGlobalPrivilege	3588	msiexec.exe
Token: SeCreateTokenPrivilege	3588	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3588	msiexec.exe
Token: SeLockMemoryPrivilege	3588	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3588	msiexec.exe
3588	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1760	Ultracheck.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 2528	3628	msiexec.exe	85
PID 3628 wrote to memory of 2528	3628	msiexec.exe	85
PID 3628 wrote to memory of 2528	3628	msiexec.exe	85
PID 2528 wrote to memory of 3920	2528	MsiExec.exe	87
PID 2528 wrote to memory of 3920	2528	MsiExec.exe	87
PID 2528 wrote to memory of 864	2528	MsiExec.exe	88
PID 2528 wrote to memory of 864	2528	MsiExec.exe	88
PID 2528 wrote to memory of 1516	2528	MsiExec.exe	89
PID 2528 wrote to memory of 1516	2528	MsiExec.exe	89
PID 2528 wrote to memory of 2432	2528	MsiExec.exe	90
PID 2528 wrote to memory of 2432	2528	MsiExec.exe	90
PID 2528 wrote to memory of 3704	2528	MsiExec.exe	91
PID 2528 wrote to memory of 3704	2528	MsiExec.exe	91
PID 2528 wrote to memory of 5084	2528	MsiExec.exe	92
PID 2528 wrote to memory of 5084	2528	MsiExec.exe	92
PID 2528 wrote to memory of 3624	2528	MsiExec.exe	93
PID 2528 wrote to memory of 3624	2528	MsiExec.exe	93
PID 2528 wrote to memory of 2324	2528	MsiExec.exe	94
PID 2528 wrote to memory of 2324	2528	MsiExec.exe	94
PID 2528 wrote to memory of 1020	2528	MsiExec.exe	95
PID 2528 wrote to memory of 1020	2528	MsiExec.exe	95
PID 2528 wrote to memory of 4976	2528	MsiExec.exe	96
PID 2528 wrote to memory of 4976	2528	MsiExec.exe	96
PID 2528 wrote to memory of 3716	2528	MsiExec.exe	97
PID 2528 wrote to memory of 3716	2528	MsiExec.exe	97
PID 2528 wrote to memory of 3716	2528	MsiExec.exe	97
PID 3716 wrote to memory of 4140	3716	ManyCam.exe	98
PID 3716 wrote to memory of 4140	3716	ManyCam.exe	98
PID 3716 wrote to memory of 1320	3716	ManyCam.exe	99
PID 3716 wrote to memory of 1320	3716	ManyCam.exe	99
PID 3716 wrote to memory of 1320	3716	ManyCam.exe	99
PID 1320 wrote to memory of 3396	1320	ManyCam.exe	100
PID 1320 wrote to memory of 3396	1320	ManyCam.exe	100
PID 1320 wrote to memory of 4840	1320	ManyCam.exe	101
PID 1320 wrote to memory of 4840	1320	ManyCam.exe	101
PID 1320 wrote to memory of 4840	1320	ManyCam.exe	101
PID 1320 wrote to memory of 4840	1320	ManyCam.exe	101
PID 4840 wrote to memory of 1760	4840	cmd.exe	103
PID 4840 wrote to memory of 1760	4840	cmd.exe	103
PID 4840 wrote to memory of 1760	4840	cmd.exe	103
PID 4840 wrote to memory of 1760	4840	cmd.exe	103
PID 4840 wrote to memory of 1760	4840	cmd.exe	103
PID 4840 wrote to memory of 1760	4840	cmd.exe	103

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\formulario_agendamiento_citas.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B5F3930BCBFADFFBA168DCE97AE64CA0 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4D022382-833A-438C-87A5-327B4E2FD21A}
    3⤵
    - Executes dropped EXE
    PID:3920
- - C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9DCBB10E-289E-40D8-AE5A-E7A895F59F40}
    3⤵
    - Executes dropped EXE
    PID:864
- - C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A1DDF2B0-C6D1-4BCA-8055-233BFCCF13EF}
    3⤵
    - Executes dropped EXE
    PID:1516
- - C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{812C2957-CC8C-4BE3-B67F-C8E5F9B3A3D9}
    3⤵
    - Executes dropped EXE
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2ED595DC-614B-4F19-9AC5-67FD02E02365}
    3⤵
    - Executes dropped EXE
    PID:3704
- - C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9B423F56-2D90-4A3E-9F18-C9D28FB630D5}
    3⤵
    - Executes dropped EXE
    PID:5084
- - C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6EEDF449-851C-47D7-AB00-1F708023A5FF}
    3⤵
    - Executes dropped EXE
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5EF8ACA8-7C6B-4222-AF9B-FB5A7ACFF73B}
    3⤵
    - Executes dropped EXE
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{14DA658E-EC4C-4213-9BF4-4484A983A7AD}
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FB0C56EC-4CD3-4BB8-AA8F-ABCBD1C55EE1}
    3⤵
    - Executes dropped EXE
    PID:4976
- - C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\ManyCam.exe
    C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\ManyCam.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\system32\pcaui.exe
      "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\ManyCam.exe"
      4⤵
      PID:4140
  - - C:\Users\Admin\AppData\Roaming\patchcontrol_debug\ManyCam.exe
      C:\Users\Admin\AppData\Roaming\patchcontrol_debug\ManyCam.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Windows\system32\pcaui.exe
        
        "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Roaming\patchcontrol_debug\ManyCam.exe"
        5⤵
        
        PID:3396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Users\Admin\AppData\Local\Temp\Ultracheck.exe
        
        C:\Users\Admin\AppData\Local\Temp\Ultracheck.exe
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rochilds\logs.dat

Filesize
144B

MD5
6cde43e9cbb409e409361bdcb288ee82

SHA1
0ec4137e6e75d7dc8696800a43edb6ff6fd03aea

SHA256
5accc6bf93682730de8901ff26f10fbafe553eebb58ce0fe7fad7948c67cddfa

SHA512
56891994fc8857dde4c684af492cfdd2df9cbef091db8b5bd012c30b2e71e196c5c378a5202cf152adfa349fc7f187e494794e5270bec6fdf92c53354637991e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6B6C.tmp

Filesize
171KB

MD5
a0e940a3d3c1523416675125e3b0c07e

SHA1
2e29eeba6da9a4023bc8071158feee3b0277fd1b

SHA256
b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

SHA512
736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6D22.tmp

Filesize
2.5MB

MD5
524ea69173bc295b694017284ce48018

SHA1
9ffd38778c64c4349663c5391c69cb4d2dca7636

SHA256
9a79a303e6522d6d8c7e05ab021cd6108c8ae5124230e6b28ffe2ebcdd544237

SHA512
8db3a62f21fee08d4cc1909e04840327161e1aa83f6513f34bdd09a3dbb8d7fee0391ed1687119dfe8d084fb89da997303174b2bfa9acc6b4d7fa2921c8ebd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ultracheck.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
C:\Users\Admin\AppData\Local\Temp\fec169e

Filesize
1.6MB

MD5
73ca15bb1de2b01572a7998326676f36

SHA1
7d3390d3f5547159fd80a70bfa4c8f61c277bdf8

SHA256
30d3d35b1d1ebf695850677a91ac343da9b997d357be7283f35364bb1cb6cfa6

SHA512
053a8755bb6bf7916e3b4b576b21c7c84a77c79f73c7cd0515b96bf250a0a960ea5e1691ed3929c1138fd03067abae32b3efc55e826536753f5061c382344916

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\CrashRpt.dll

Filesize
121KB

MD5
a52d40015658eaf04921b334a1a406ef

SHA1
8d9a0d77db4dc6511a5d1e2744e43977339d18cb

SHA256
0b6559a8a1edfaf4985955ae2b48c8998c57c93a1876ecc4acdf0b7cf9be0fce

SHA512
a1df8fdaf1bc970ef3455f4571feb4b1c6687aa930685d776e210f400e4fe028dc3e2abe04aec469ca3398de1833e83e68186ca05ac56141d2e05cb20632b1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\ManyCam.exe

Filesize
1.7MB

MD5
ba699791249c311883baa8ce3432703b

SHA1
f8734601f9397cb5ebb8872af03f5b0639c2eac6

SHA256
7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

SHA512
6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\cv099.dll

Filesize
664KB

MD5
2a8b33fee2f84490d52a3a7c75254971

SHA1
16ce2b1632a17949b92ce32a6211296fee431dca

SHA256
faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2

SHA512
8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\cxcore099.dll

Filesize
908KB

MD5
286284d4ae1c67d0d5666b1417dcd575

SHA1
8b8a32577051823b003c78c86054874491e9ecfa

SHA256
37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298

SHA512
2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\cximagecrt.dll

Filesize
487KB

MD5
c36f6e088c6457a43adb7edcd17803f3

SHA1
b25b9fb4c10b8421c8762c7e7b3747113d5702de

SHA256
8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72

SHA512
87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\dbghelp.dll

Filesize
478KB

MD5
e458d88c71990f545ef941cd16080bad

SHA1
cd24ccec2493b64904cf3c139cd8d58d28d5993b

SHA256
5ec121730240548a85b7ef1f7e30d5fdbee153bb20dd92c2d44bf37395294ec0

SHA512
b1755e3db10b1d12d6eaffd1d91f5ca5e0f9f8ae1350675bc44ae7a4af4a48090a9828a8acbbc69c5813eac23e02576478113821cb2e04b6288e422f923b446f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\epxdlsk

Filesize
23KB

MD5
f90cd186803566548cdac592e6aa0b7f

SHA1
d1f9cc8bac95522463d32071e963f6eb8e9c869e

SHA256
960306266bc82c990aae1ab70e112a8d7d2074a4c047c5ca693f54cd501b32f0

SHA512
482401bd4a1ce1623fdf9830a366083b99a813188e661270f22b2df7a3030c3c243ca274cfd0449359c4a35688e98a39626ed6e52e72149382687ee539418269

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\highgui099.dll

Filesize
388KB

MD5
a354c42fcb37a50ecad8dde250f6119e

SHA1
0eb4ad5e90d28a4a8553d82cec53072279af1961

SHA256
89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2

SHA512
981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08D6BDA5-A591-4CD9-A50C-7EE946D5DE23}\xovw

Filesize
1.1MB

MD5
1e84a85e2dbc0927be7987c09210a4d9

SHA1
96f64a812d8e2999998762e4a9b565283b0024d2

SHA256
27dcac1e6bef4ccfd261676c23d753551e98b26891d229987c359309883cdd98

SHA512
b65d25dbdf6e525aa5e0cb3a941f5b8ad997e8c1915edb832e5308b190b97fb1198df56d18df385fc2f0a0d15479ecc151cf4dee9f0a509b7bb0a71da931f3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISBEW64.exe

Filesize
178KB

MD5
40f3a092744e46f3531a40b917cca81e

SHA1
c73f62a44cb3a75933cecf1be73a48d0d623039b

SHA256
561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

SHA512
1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\ISRT.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{73AB6745-7824-413B-876F-0AF63A831038}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
memory/1320-108-0x0000000075070000-0x00000000751EB000-memory.dmp

Filesize
1.5MB

Download
memory/1320-99-0x0000000000C10000-0x0000000000C72000-memory.dmp

Filesize
392KB

Download
memory/1320-107-0x00007FFCCE510000-0x00007FFCCE708000-memory.dmp

Filesize
2.0MB

Download
memory/1320-106-0x0000000075070000-0x00000000751EB000-memory.dmp

Filesize
1.5MB

Download
memory/1320-104-0x0000000001D80000-0x0000000001E6C000-memory.dmp

Filesize
944KB

Download
memory/1320-101-0x0000000000B60000-0x0000000000C0D000-memory.dmp

Filesize
692KB

Download
memory/1760-123-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-138-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-156-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-153-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-150-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-147-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-144-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-141-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-135-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-122-0x00007FFCCE510000-0x00007FFCCE708000-memory.dmp

Filesize
2.0MB

Download
memory/1760-132-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-126-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1760-129-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2528-37-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/2528-42-0x0000000003400000-0x00000000035C7000-memory.dmp

Filesize
1.8MB

Download
memory/3716-68-0x0000000000B90000-0x0000000000C08000-memory.dmp

Filesize
480KB

Download
memory/3716-89-0x00007FFCCE510000-0x00007FFCCE708000-memory.dmp

Filesize
2.0MB

Download
memory/3716-74-0x0000000001CE0000-0x0000000001DCC000-memory.dmp

Filesize
944KB

Download
memory/3716-71-0x0000000001C70000-0x0000000001CD2000-memory.dmp

Filesize
392KB

Download
memory/3716-88-0x0000000075A50000-0x0000000075BCB000-memory.dmp

Filesize
1.5MB

Download
memory/4840-115-0x0000000075070000-0x00000000751EB000-memory.dmp

Filesize
1.5MB

Download
memory/4840-112-0x0000000075070000-0x00000000751EB000-memory.dmp

Filesize
1.5MB

Download
memory/4840-111-0x00007FFCCE510000-0x00007FFCCE708000-memory.dmp

Filesize
2.0MB

Download