Malware Analysis Report

2024-11-30 02:26

Sample ID 241018-l43z8s1bqa
Target 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi
SHA256 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0
Tags
rhadamanthys discovery persistence privilege_escalation stealer
score
10/10

Analysis Overview

score
10/10

SHA256

406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0

Threat Level: Known bad

The file 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery persistence privilege_escalation stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Enumerates connected drives

Suspicious use of SetThreadContext

Executes dropped EXE

Drops file in Windows directory

Loads dropped DLL

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 10:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 10:06

Reported

2024-10-18 10:08

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi

Signatures

Rhadamanthys

stealer rhadamanthys

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3032 set thread context of 2416 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8BDB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f768b32.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f768b2f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f768b2f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f768b30.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f768b30.ipi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 3024 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 2712 wrote to memory of 3024 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 2712 wrote to memory of 3024 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 2712 wrote to memory of 3024 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 3024 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 3024 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 3024 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 3024 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 3032 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2416 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2416 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2416 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2416 wrote to memory of 1608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000064" "0000000000000068"

C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe

"C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe"

C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe

C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

N/A

Files

C:\Config.Msi\f768b31.rbs

MD5 709d9c295fce02a9dbf4f5700fc081db
SHA1 0803871609c7581cf14c5c9226657a044ac96b5d
SHA256 249db23a8d2c88c9a3a46f12988e565068c7124cd8e72b3f7b895e97242e43d0
SHA512 b4f671bc3cc15890ff7fc4765657291d868fb6b8b9003ee18f56fe58f4c6a49b5bf53c13860e14be1c874557e50925e208fab2221534e929f0f53f15a97f5025

C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe

MD5 ba699791249c311883baa8ce3432703b
SHA1 f8734601f9397cb5ebb8872af03f5b0639c2eac6
SHA256 7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282
SHA512 6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

C:\Windows\Installer\f768b2f.msi

MD5 e0808992ec58411df693995c7edae88c
SHA1 00e02a807c815debbdfec793f785aaa4b7d1609e
SHA256 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0
SHA512 bf2a3eb0fbba84cfab2e04250a888a0bfbdac53d632ca77bbad23908eb93ec8a97bf14c41773276e47f7c202930153e29ce2fbd6f4600dd27da39ef6b2511ed2

C:\Users\Admin\AppData\Local\Eponychium\cximagecrt.dll

MD5 c36f6e088c6457a43adb7edcd17803f3
SHA1 b25b9fb4c10b8421c8762c7e7b3747113d5702de
SHA256 8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72
SHA512 87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

C:\Users\Admin\AppData\Local\Eponychium\cxcore099.dll

MD5 286284d4ae1c67d0d5666b1417dcd575
SHA1 8b8a32577051823b003c78c86054874491e9ecfa
SHA256 37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298
SHA512 2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a

C:\Users\Admin\AppData\Local\Eponychium\cv099.dll

MD5 2a8b33fee2f84490d52a3a7c75254971
SHA1 16ce2b1632a17949b92ce32a6211296fee431dca
SHA256 faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2
SHA512 8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

memory/3024-38-0x0000000000130000-0x000000000021C000-memory.dmp

C:\Users\Admin\AppData\Local\Eponychium\highgui099.dll

MD5 a354c42fcb37a50ecad8dde250f6119e
SHA1 0eb4ad5e90d28a4a8553d82cec53072279af1961
SHA256 89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2
SHA512 981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

memory/3024-42-0x00000000002D0000-0x000000000037D000-memory.dmp

memory/3024-46-0x0000000000380000-0x00000000003E2000-memory.dmp

C:\Users\Admin\AppData\Local\Eponychium\dbghelp.dll

MD5 aa1594596fa19609555e317d9b64be6a
SHA1 924b08d85b537be52142965c3ad33c01b457ea83
SHA256 5139413ea54dee9ec4f13b193d88ccae9adb8f0d8c1e2ba1aee460d8a0d5bb79
SHA512 759209846039d1efb2f6ddf3501f1f868989e81752bb7d617afd9fd4238c52162167b1a1732ec81bdfce469856c78439cc7c8d173b1f48de499dfee725b192dc

\Users\Admin\AppData\Local\Eponychium\CrashRpt.dll

MD5 b2d1f5e4a1f0e8d85f0a8aeb7b8148c7
SHA1 871078213fcc0ce143f518bd69caa3156b385415
SHA256 c28e0aec124902e948c554436c0ebbebba9fc91c906ce2cd887fada0c64e3386
SHA512 1f6d97e02cd684cf4f4554b0e819196bd2811e19b964a680332268bcbb6dee0e17b2b35b6e66f0fe5622dffb0a734f39f8e49637a38e4fe7f10d3b5182b30260

C:\Users\Admin\AppData\Local\Eponychium\gxfiogr

MD5 b590c33dd2a4c8ddedda46028181a405
SHA1 b0949a3396d84b8e4dca5d5026eb3b6c0679f7e3
SHA256 862aadcb096647394a5f6f5e646bf57b52567180505b6026e59539f6ded1eaa8
SHA512 e72b33ca405b551532a855a74f99aab1850756cbaefb9421d6e480e719b6ceead1d728dbc786d76d91532f0bbdcc241039dac35479bf90f7d2d665c6ab9f8da7

C:\Users\Admin\AppData\Local\Eponychium\rsjddfw

MD5 666447d9f86fa84149f374c0f1eb2f90
SHA1 9eb18eb892756e48428767d11435750ca458c9fb
SHA256 a25f6e74e4742ec3837ba08b63b89b05e66cd8b00e2c209b2adc9242cd8e7011
SHA512 dd78afe71ad80ac8788f8aed81d3538c904da76fa62f9fecb6c54bee545e6e7816ff30dd6e2fcc1999508a62c327afcbf8cf586830104abe5fb6b18ac1a87fff

memory/3024-54-0x0000000074760000-0x00000000748D4000-memory.dmp

memory/3024-55-0x00000000774B0000-0x0000000077659000-memory.dmp

memory/3032-77-0x0000000000AC0000-0x0000000000BAC000-memory.dmp

memory/3032-81-0x00000000001F0000-0x000000000029D000-memory.dmp

memory/3032-85-0x0000000000BB0000-0x0000000000C12000-memory.dmp

memory/3032-93-0x0000000074740000-0x00000000748B4000-memory.dmp

memory/3032-94-0x00000000774B0000-0x0000000077659000-memory.dmp

memory/3032-95-0x0000000074740000-0x00000000748B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5286bcd0

MD5 ca8d98f5c4ea062787c3ddf5fe61b3db
SHA1 eb3bd7153200ec272fa17356e63228823063db35
SHA256 a68722f21a65b1e2ce4cb69692aef59d0e64e043aae3611bcc5589db91558b10
SHA512 ab21fd333b089daf3cde0b74e4732e0a3e55718a4186ec89e0105fa48475525a601eed476f4f547312929a773c15daf36d4a6c9621f3b0b6aa545cf6ebfc9eed

memory/2416-98-0x00000000774B0000-0x0000000077659000-memory.dmp

memory/2416-99-0x0000000074740000-0x00000000748B4000-memory.dmp

memory/1608-101-0x0000000000150000-0x00000000001D0000-memory.dmp

memory/1608-102-0x00000000774B0000-0x0000000077659000-memory.dmp

memory/1608-103-0x0000000000150000-0x00000000001D0000-memory.dmp

memory/1608-105-0x0000000000150000-0x00000000001D0000-memory.dmp

memory/1608-106-0x0000000000150000-0x00000000001D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 10:06

Reported

2024-10-18 10:08

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

116s

Command Line

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4020 created 2656 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\svchost.exe

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4612 set thread context of 4340 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57f0bb.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57f0b9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57f0b9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{7A84B6BD-F238-4306-86B9-231CF904EE0C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF194.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 3228 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1348 wrote to memory of 3228 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1348 wrote to memory of 1908 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 1348 wrote to memory of 1908 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 1348 wrote to memory of 1908 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 1908 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Windows\system32\pcaui.exe
PID 1908 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Windows\system32\pcaui.exe
PID 1908 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 1908 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 1908 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 4612 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\system32\pcaui.exe
PID 4612 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\system32\pcaui.exe
PID 4612 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 4340 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 4340 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 4340 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 4340 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 4020 wrote to memory of 5016 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\openwith.exe
PID 4020 wrote to memory of 5016 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\openwith.exe
PID 4020 wrote to memory of 5016 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\openwith.exe
PID 4020 wrote to memory of 5016 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\openwith.exe
PID 4020 wrote to memory of 5016 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\openwith.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe

"C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe"

C:\Windows\system32\pcaui.exe

"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe"

C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe

C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe

C:\Windows\system32\pcaui.exe

"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 167.205.23.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Config.Msi\e57f0ba.rbs

MD5 81e2f57d2ef8118a505771508f1c031a
SHA1 5cd2f55b53b0cdc4207cb78f2efc3e6c1960bd93
SHA256 814cd5a29dc7fdacdcb09c03282a3d1d1a4d6bdce3d76beb771149159a07dba3
SHA512 31694947ed7749bf4f10337ca1c735c9846c217e121dcd271959ce5f6940814a38e699bb16841fcf27913ea665252aa2b627e53d6a06ebb0b4a84ad0da2b33db

C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe

MD5 ba699791249c311883baa8ce3432703b
SHA1 f8734601f9397cb5ebb8872af03f5b0639c2eac6
SHA256 7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282
SHA512 6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

C:\Windows\Installer\e57f0b9.msi

MD5 e0808992ec58411df693995c7edae88c
SHA1 00e02a807c815debbdfec793f785aaa4b7d1609e
SHA256 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0
SHA512 bf2a3eb0fbba84cfab2e04250a888a0bfbdac53d632ca77bbad23908eb93ec8a97bf14c41773276e47f7c202930153e29ce2fbd6f4600dd27da39ef6b2511ed2

\??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c8a850c7-8bea-4a1c-85bb-2b2dea785610}_OnDiskSnapshotProp

MD5 e8bac231baccea7ac4769494df1fff84
SHA1 602cd2f83a7f57ef5897f9b7de535c90e630c462
SHA256 b8fd821f58daf81a3f3d98c0d12b5804c7553e691b6a74622357a03186a25f16
SHA512 fa01e2e21d413e48df50b6ed409f021402b03bc9994ff5a80c1a9abe76254c1fb8fc84f0a9f66340deea4767c90c3298acd7239faf0ce8efd56d54318c12021b

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 46c57a9ecd7e7e0b697cca1da2b34bbb
SHA1 78f0089fde19549ed7b289da07f7bd4e917348c3
SHA256 43045b7d2705912333199d88d537cbab8b8d35cc7c243998f8c05a9fdf9ab2da
SHA512 6e799c878d487b18bbc01ab55cbb8df490b86657394c23fc297cf716c7a03c52c98f34d023480b96e4c95a159e68a2ed7139afbd3e93c0998b1a10f63a9889c4

C:\Users\Admin\AppData\Local\Eponychium\cxcore099.dll

MD5 286284d4ae1c67d0d5666b1417dcd575
SHA1 8b8a32577051823b003c78c86054874491e9ecfa
SHA256 37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298
SHA512 2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a

C:\Users\Admin\AppData\Local\Eponychium\cximagecrt.dll

MD5 c36f6e088c6457a43adb7edcd17803f3
SHA1 b25b9fb4c10b8421c8762c7e7b3747113d5702de
SHA256 8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72
SHA512 87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

C:\Users\Admin\AppData\Local\Eponychium\CrashRpt.dll

MD5 b2d1f5e4a1f0e8d85f0a8aeb7b8148c7
SHA1 871078213fcc0ce143f518bd69caa3156b385415
SHA256 c28e0aec124902e948c554436c0ebbebba9fc91c906ce2cd887fada0c64e3386
SHA512 1f6d97e02cd684cf4f4554b0e819196bd2811e19b964a680332268bcbb6dee0e17b2b35b6e66f0fe5622dffb0a734f39f8e49637a38e4fe7f10d3b5182b30260

memory/1908-54-0x0000000001D90000-0x0000000001DF2000-memory.dmp

C:\Users\Admin\AppData\Local\Eponychium\highgui099.dll

MD5 a354c42fcb37a50ecad8dde250f6119e
SHA1 0eb4ad5e90d28a4a8553d82cec53072279af1961
SHA256 89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2
SHA512 981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

memory/1908-51-0x0000000001CA0000-0x0000000001D8C000-memory.dmp

memory/1908-48-0x0000000001BF0000-0x0000000001C9D000-memory.dmp

C:\Users\Admin\AppData\Local\Eponychium\cv099.dll

MD5 2a8b33fee2f84490d52a3a7c75254971
SHA1 16ce2b1632a17949b92ce32a6211296fee431dca
SHA256 faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2
SHA512 8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

C:\Users\Admin\AppData\Local\Eponychium\dbghelp.dll

MD5 aa1594596fa19609555e317d9b64be6a
SHA1 924b08d85b537be52142965c3ad33c01b457ea83
SHA256 5139413ea54dee9ec4f13b193d88ccae9adb8f0d8c1e2ba1aee460d8a0d5bb79
SHA512 759209846039d1efb2f6ddf3501f1f868989e81752bb7d617afd9fd4238c52162167b1a1732ec81bdfce469856c78439cc7c8d173b1f48de499dfee725b192dc

C:\Users\Admin\AppData\Local\Eponychium\gxfiogr

MD5 b590c33dd2a4c8ddedda46028181a405
SHA1 b0949a3396d84b8e4dca5d5026eb3b6c0679f7e3
SHA256 862aadcb096647394a5f6f5e646bf57b52567180505b6026e59539f6ded1eaa8
SHA512 e72b33ca405b551532a855a74f99aab1850756cbaefb9421d6e480e719b6ceead1d728dbc786d76d91532f0bbdcc241039dac35479bf90f7d2d665c6ab9f8da7

C:\Users\Admin\AppData\Local\Eponychium\rsjddfw

MD5 666447d9f86fa84149f374c0f1eb2f90
SHA1 9eb18eb892756e48428767d11435750ca458c9fb
SHA256 a25f6e74e4742ec3837ba08b63b89b05e66cd8b00e2c209b2adc9242cd8e7011
SHA512 dd78afe71ad80ac8788f8aed81d3538c904da76fa62f9fecb6c54bee545e6e7816ff30dd6e2fcc1999508a62c327afcbf8cf586830104abe5fb6b18ac1a87fff

memory/1908-58-0x0000000074290000-0x000000007440B000-memory.dmp

memory/1908-59-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/4612-95-0x0000000074290000-0x000000007440B000-memory.dmp

memory/4612-96-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/4612-91-0x0000000001830000-0x0000000001892000-memory.dmp

memory/4612-88-0x0000000001740000-0x000000000182C000-memory.dmp

memory/4612-85-0x0000000001690000-0x000000000173D000-memory.dmp

memory/4612-97-0x0000000074290000-0x000000007440B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b15873e0

MD5 300012e9a9b98ca0dff2c6be3e842524
SHA1 2f71221ea35c78baa49f88b464af29ad90a10295
SHA256 5a6ba76b157f07f8f152c8f5bbd76dca9fcc4e40c1622f54644dae639d5f2a68
SHA512 fcdb28ea94e7c7cb21d1c369abb19b237969a9749e54906c23122acff5b3b57475a4c7f241efb932a0893dbdee15fd69833e14b3b8e601b14b95c81a4d420e63

memory/4340-100-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/4340-101-0x0000000074290000-0x000000007440B000-memory.dmp

memory/4020-103-0x0000000000C30000-0x0000000000CB0000-memory.dmp

memory/4020-104-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/4020-105-0x0000000000C30000-0x0000000000CB0000-memory.dmp

memory/4020-110-0x0000000000C30000-0x0000000000CB0000-memory.dmp

memory/4020-111-0x0000000003F30000-0x0000000004330000-memory.dmp

memory/4020-112-0x0000000003F30000-0x0000000004330000-memory.dmp

memory/4020-115-0x0000000075680000-0x0000000075895000-memory.dmp

memory/5016-116-0x0000000000480000-0x0000000000489000-memory.dmp

memory/4020-117-0x0000000000C30000-0x0000000000CB0000-memory.dmp

memory/5016-120-0x00007FF9F7B50000-0x00007FF9F7D45000-memory.dmp

memory/5016-122-0x0000000075680000-0x0000000075895000-memory.dmp

memory/5016-119-0x0000000002140000-0x0000000002540000-memory.dmp