Malware Analysis Report

2024-11-30 02:27

Sample ID 241019-bvzaksydnb
Target 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi
SHA256 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0
Tags
rhadamanthys discovery persistence privilege_escalation stealer
Score
10/10

Analysis Overview

Score
10/10

SHA256

406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0

Threat Level: Known bad

The file 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery persistence privilege_escalation stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Enumerates connected drives

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Analysis: static1

Detonation Overview

Reported

2024-10-19 01:28

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 01:28

Reported

2024-10-19 01:31

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5064 created 2608 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\sihost.exe

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4304 set thread context of 3828 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57e1c5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57e1c5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{7A84B6BD-F238-4306-86B9-231CF904EE0C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE290.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57e1c7.msi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 372 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 624 wrote to memory of 372 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 624 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 624 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 624 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 1880 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Windows\system32\pcaui.exe
PID 1880 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Windows\system32\pcaui.exe
PID 1880 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 1880 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 1880 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 4304 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\system32\pcaui.exe
PID 4304 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\system32\pcaui.exe
PID 4304 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 3828 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 3828 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 3828 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 5064 wrote to memory of 3932 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\openwith.exe
PID 5064 wrote to memory of 3932 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\openwith.exe
PID 5064 wrote to memory of 3932 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\openwith.exe
PID 5064 wrote to memory of 3932 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\openwith.exe
PID 5064 wrote to memory of 3932 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\openwith.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe

"C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe"

C:\Windows\system32\pcaui.exe

"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe"

C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe

C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe

C:\Windows\system32\pcaui.exe

"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 246.197.219.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

C:\Config.Msi\e57e1c6.rbs

C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe

C:\Windows\Installer\e57e1c5.msi

C:\Users\Admin\AppData\Local\Eponychium\cximagecrt.dll

C:\Users\Admin\AppData\Local\Eponychium\highgui099.dll

memory/1880-52-0x0000000001D40000-0x0000000001DA2000-memory.dmp

memory/1880-49-0x0000000001C50000-0x0000000001D3C000-memory.dmp

C:\Users\Admin\AppData\Local\Eponychium\cxcore099.dll

memory/1880-46-0x0000000001BA0000-0x0000000001C4D000-memory.dmp

C:\Users\Admin\AppData\Local\Eponychium\gxfiogr

memory/1880-56-0x0000000074FE0000-0x000000007515B000-memory.dmp

memory/4304-93-0x0000000074FE0000-0x000000007515B000-memory.dmp

memory/4304-94-0x00007FF9A5B70000-0x00007FF9A5D65000-memory.dmp

C:\Users\Admin\AppData\Roaming\browserservice_op5\rsjddfw

memory/4304-89-0x0000000000B90000-0x0000000000BF2000-memory.dmp

memory/4304-86-0x00000000017F0000-0x000000000189D000-memory.dmp

C:\Users\Admin\AppData\Roaming\browserservice_op5\cv099.dll

memory/4304-83-0x0000000001700000-0x00000000017EC000-memory.dmp

C:\Users\Admin\AppData\Roaming\browserservice_op5\dbghelp.dll

C:\Users\Admin\AppData\Roaming\browserservice_op5\CrashRpt.dll

\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{663902a1-6dca-46d6-b86c-04cd2b62b63c}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

memory/1880-57-0x00007FF9A5B70000-0x00007FF9A5D65000-memory.dmp

memory/4304-97-0x0000000074FE0000-0x000000007515B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91378e1d

memory/3828-100-0x00007FF9A5B70000-0x00007FF9A5D65000-memory.dmp

memory/3828-101-0x0000000074FE0000-0x000000007515B000-memory.dmp

memory/5064-103-0x00000000009A0000-0x0000000000A20000-memory.dmp

memory/5064-104-0x00007FF9A5B70000-0x00007FF9A5D65000-memory.dmp

memory/5064-105-0x00000000009A0000-0x0000000000A20000-memory.dmp

memory/5064-107-0x00000000009A0000-0x0000000000A20000-memory.dmp

memory/5064-108-0x00000000041C0000-0x00000000045C0000-memory.dmp

memory/5064-109-0x00000000041C0000-0x00000000045C0000-memory.dmp

memory/5064-112-0x0000000077AE0000-0x0000000077CF5000-memory.dmp

memory/3932-113-0x0000000000FD0000-0x0000000000FD9000-memory.dmp

memory/3932-117-0x0000000002E80000-0x0000000003280000-memory.dmp

memory/5064-116-0x00000000009A0000-0x0000000000A20000-memory.dmp

memory/3932-120-0x0000000077AE0000-0x0000000077CF5000-memory.dmp

memory/3932-118-0x00007FF9A5B70000-0x00007FF9A5D65000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 01:28

Reported

2024-10-19 01:31

Platform

win7-20241010-en

Max time kernel

120s

Max time network

126s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi

Signatures

Rhadamanthys

stealer rhadamanthys

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2776 set thread context of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI3D3F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f773aee.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f773aee.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f773aef.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f773aef.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f773af1.msi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
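Individually, opening the NLS\Language key or reading CentralProcessor\0\~MHz is unremarkable; what stands out in the two tables above is that both copies of an executable living in the user profile read both, while cmd.exe and explorer.exe only touch the language key. The Python below is an added example, not part of the Triage report: it ingests the registry rows above (copied verbatim as constructed input) and correlates them per process image. The two fingerprinting categories, the scoring tiers and the "user profile versus C:\Windows" weighting are this example's assumptions.

```python
import re

# Rows copied from this report's 'System Location Discovery' and
# 'Checks processor information in registry' tables.
REGISTRY_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe N/A
"""

ROW_RE = re.compile(r"^(Key opened|Key value queried) (\S+) (\S+) N/A$")

# Fingerprinting categories (this example's assumption): a case-insensitive
# substring of the key path is enough to bucket the two keys the report shows.
CATEGORIES = {
    "locale": "\\nls\\language",
    "cpu": "\\centralprocessor\\",
}


def parse_registry_rows(text):
    """One dict per row; header lines and other signatures are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append({"op": m.group(1), "key": m.group(2), "image": m.group(3)})
    return events


def categorize(key):
    low = key.lower()
    return {name for name, needle in CATEGORIES.items() if needle in low}


def correlate(events):
    """Per image: the categories it touched and a verdict.
    Tiers are this example's assumption: two categories from a binary under
    C:\\Users is 'high', two from an image under C:\\Windows is 'medium',
    a single category is 'low'."""
    touched = {}
    for e in events:
        touched.setdefault(e["image"], set()).update(categorize(e["key"]))
    verdicts = {}
    for image, cats in touched.items():
        in_profile = image.lower().startswith("c:\\users\\")
        if len(cats) >= 2:
            verdict = "high" if in_profile else "medium"
        else:
            verdict = "low"
        verdicts[image] = (sorted(cats), verdict)
    return verdicts


def flagged(verdicts, level="high"):
    return sorted(img for img, (_, v) in verdicts.items() if v == level)


if __name__ == "__main__":
    for image, (cats, verdict) in correlate(parse_registry_rows(REGISTRY_ROWS)).items():
        print(f"{verdict:6} {','.join(cats):12} {image}")
```

Run against the rows, both ManyCam.exe copies come out "high" and the two SysWOW64 images "low"; the point of the correlation is that the same keys read by a C:\Windows binary would never rise above "medium", so the rule keys on where the reader lives, not only on what it reads.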

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2616 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 2616 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 2616 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 2616 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 1880 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 1880 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 1880 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 1880 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 2776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1808 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1808 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1808 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1808 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
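Read together with the SetThreadContext row on the same PID pair (2776 into 1808), the WriteProcessMemory rows above describe a four-hop chain: msiexec.exe writes into the first ManyCam.exe, which writes into the second copy, which writes into a 32-bit cmd.exe and then changes its thread context, and that cmd.exe in turn writes into a 32-bit explorer.exe. The following Python is an added example, not part of the Triage report: it parses the report's own rows (copied verbatim as constructed input), rebuilds the chain, and flags the pair where memory writes are followed by a thread-context change and the pair where a binary under the user profile writes into a C:\Windows image. Both heuristics are this example's assumptions, not conclusions the report states.

```python
import ntpath
import re

# Rows copied from this report's 'Suspicious use of SetThreadContext' and
# 'Suspicious use of WriteProcessMemory' tables, repeats included.
REPORT_ROWS = r"""
PID 2776 set thread context of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 2616 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 2616 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 2616 wrote to memory of 1880 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
PID 1880 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 1880 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 1880 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 1880 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
PID 2776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1808 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1808 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1808 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1808 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
"""

ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """One dict per row. Image paths are assumed to contain no spaces,
    which holds for this report; header lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        events.append({"src": int(src), "dst": int(dst),
                       "kind": "write" if action.startswith("wrote") else "thread_ctx",
                       "src_img": src_img, "dst_img": dst_img})
    return events


def build_edges(events):
    """Collapse rows into one edge per (writer PID, target PID)."""
    edges = {}
    for e in events:
        edge = edges.setdefault((e["src"], e["dst"]),
                                {"writes": 0, "thread_ctx": False,
                                 "src_img": e["src_img"], "dst_img": e["dst_img"]})
        if e["kind"] == "write":
            edge["writes"] += 1
        else:
            edge["thread_ctx"] = True
    return edges


def injection_chain(edges):
    """Start at the PID that is never a target and follow edges downward."""
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - targets)
    if not roots:
        return []
    chain, seen = [roots[0]], {roots[0]}
    while True:
        nxt = [d for (s, d) in edges if s == chain[-1] and d not in seen]
        if not nxt:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


def hollowing_candidates(edges):
    """Memory writes plus a thread-context change on the same PID pair:
    the footprint of process hollowing / thread hijacking (heuristic)."""
    return sorted(k for k, v in edges.items() if v["writes"] and v["thread_ctx"])


def user_profile_to_system_binary(edges):
    """A writer under C:\\Users targeting an image under C:\\Windows (heuristic)."""
    return sorted(k for k, v in edges.items()
                  if v["src_img"].lower().startswith("c:\\users\\")
                  and v["dst_img"].lower().startswith("c:\\windows\\"))


def pid_images(events):
    images = {}
    for e in events:
        images[e["src"]], images[e["dst"]] = e["src_img"], e["dst_img"]
    return images


if __name__ == "__main__":
    evs = parse_rows(REPORT_ROWS)
    edges, names = build_edges(evs), pid_images(evs)
    print(" -> ".join(f"{p}:{ntpath.basename(names[p])}" for p in injection_chain(edges)))
    print("hollowing:", hollowing_candidates(edges),
          "profile->system:", user_profile_to_system_binary(edges))
```

On these rows the chain resolves to 2616:msiexec.exe -> 1880:ManyCam.exe -> 2776:ManyCam.exe -> 1808:cmd.exe -> 3032:explorer.exe, and both heuristics single out the same hop, 2776 into 1808. The hop from cmd.exe into explorer.exe (1808 into 3032) has no SetThreadContext row in the report, which is why it is not flagged as hollowing here; a detection that only keys on the last, system-to-system hop would miss the user-profile origin one step earlier.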

Uses Volume Shadow Copy service COM API

ransomware

Caveat: the report attaches no process rows to this signature, and the only VSS activity visible elsewhere in it is vssvc.exe starting and DrvInst.exe being launched for STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19 while msiexec.exe was installing the package (see Processes). Windows Installer creates a System Restore point through the Volume Shadow Copy service during an install, so on this evidence the ransomware tag reflects installer behaviour; no shadow-copy enumeration or deletion by the dropped ManyCam.exe processes is recorded.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000404" "00000000000003E0"

C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe

"C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe"

C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe

C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

N/A

Files

C:\Config.Msi\f773af0.rbs

MD5 d0fdaa33c3ddd010713b7e764ce95606
SHA1 e858c00548dcdbdb5c58c33a7b6ba2679938ebf1
SHA256 f4dd3532b87d20bc1b30b5dd499eb278efde36dc79ab1b1161fe961ee6e64b80
SHA512 6b11f23bc4139aefa9e5a346a4b25416167f73c713f6f423c31600c9cb676fb24aa005d398442f15ed08e643abbcf714d858abea6c9b18238029bb4a18c801fd

C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe

MD5 ba699791249c311883baa8ce3432703b
SHA1 f8734601f9397cb5ebb8872af03f5b0639c2eac6
SHA256 7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282
SHA512 6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

C:\Windows\Installer\f773aee.msi

MD5 e0808992ec58411df693995c7edae88c
SHA1 00e02a807c815debbdfec793f785aaa4b7d1609e
SHA256 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0
SHA512 bf2a3eb0fbba84cfab2e04250a888a0bfbdac53d632ca77bbad23908eb93ec8a97bf14c41773276e47f7c202930153e29ce2fbd6f4600dd27da39ef6b2511ed2

C:\Users\Admin\AppData\Local\Eponychium\cximagecrt.dll

MD5 c36f6e088c6457a43adb7edcd17803f3
SHA1 b25b9fb4c10b8421c8762c7e7b3747113d5702de
SHA256 8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72
SHA512 87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

C:\Users\Admin\AppData\Local\Eponychium\cxcore099.dll

MD5 286284d4ae1c67d0d5666b1417dcd575
SHA1 8b8a32577051823b003c78c86054874491e9ecfa
SHA256 37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298
SHA512 2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a

C:\Users\Admin\AppData\Local\Eponychium\cv099.dll

MD5 2a8b33fee2f84490d52a3a7c75254971
SHA1 16ce2b1632a17949b92ce32a6211296fee431dca
SHA256 faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2
SHA512 8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

memory/1880-38-0x0000000000130000-0x000000000021C000-memory.dmp

memory/1880-42-0x00000000002A0000-0x000000000034D000-memory.dmp

C:\Users\Admin\AppData\Local\Eponychium\highgui099.dll

MD5 a354c42fcb37a50ecad8dde250f6119e
SHA1 0eb4ad5e90d28a4a8553d82cec53072279af1961
SHA256 89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2
SHA512 981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

memory/1880-46-0x0000000000360000-0x00000000003C2000-memory.dmp

C:\Users\Admin\AppData\Local\Eponychium\CrashRpt.dll

MD5 b2d1f5e4a1f0e8d85f0a8aeb7b8148c7
SHA1 871078213fcc0ce143f518bd69caa3156b385415
SHA256 c28e0aec124902e948c554436c0ebbebba9fc91c906ce2cd887fada0c64e3386
SHA512 1f6d97e02cd684cf4f4554b0e819196bd2811e19b964a680332268bcbb6dee0e17b2b35b6e66f0fe5622dffb0a734f39f8e49637a38e4fe7f10d3b5182b30260

\Users\Admin\AppData\Local\Eponychium\dbghelp.dll

MD5 aa1594596fa19609555e317d9b64be6a
SHA1 924b08d85b537be52142965c3ad33c01b457ea83
SHA256 5139413ea54dee9ec4f13b193d88ccae9adb8f0d8c1e2ba1aee460d8a0d5bb79
SHA512 759209846039d1efb2f6ddf3501f1f868989e81752bb7d617afd9fd4238c52162167b1a1732ec81bdfce469856c78439cc7c8d173b1f48de499dfee725b192dc

C:\Users\Admin\AppData\Local\Eponychium\gxfiogr

MD5 b590c33dd2a4c8ddedda46028181a405
SHA1 b0949a3396d84b8e4dca5d5026eb3b6c0679f7e3
SHA256 862aadcb096647394a5f6f5e646bf57b52567180505b6026e59539f6ded1eaa8
SHA512 e72b33ca405b551532a855a74f99aab1850756cbaefb9421d6e480e719b6ceead1d728dbc786d76d91532f0bbdcc241039dac35479bf90f7d2d665c6ab9f8da7

C:\Users\Admin\AppData\Local\Eponychium\rsjddfw

MD5 666447d9f86fa84149f374c0f1eb2f90
SHA1 9eb18eb892756e48428767d11435750ca458c9fb
SHA256 a25f6e74e4742ec3837ba08b63b89b05e66cd8b00e2c209b2adc9242cd8e7011
SHA512 dd78afe71ad80ac8788f8aed81d3538c904da76fa62f9fecb6c54bee545e6e7816ff30dd6e2fcc1999508a62c327afcbf8cf586830104abe5fb6b18ac1a87fff

memory/1880-54-0x0000000074A50000-0x0000000074BC4000-memory.dmp

memory/1880-55-0x00000000777A0000-0x0000000077949000-memory.dmp

memory/2776-77-0x0000000000AC0000-0x0000000000BAC000-memory.dmp

memory/2776-81-0x0000000000BB0000-0x0000000000C5D000-memory.dmp

memory/2776-85-0x00000000001D0000-0x0000000000232000-memory.dmp

memory/2776-93-0x00000000749C0000-0x0000000074B34000-memory.dmp

memory/2776-94-0x00000000777A0000-0x0000000077949000-memory.dmp

memory/2776-95-0x00000000749C0000-0x0000000074B34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2357abf6

MD5 77e37b5a3b9d46b6d059b0292a64e0ab
SHA1 38314685820ce9278c7ac94b0016147bd8b6ae58
SHA256 d734228d26eabc716028359599c4b3588874523a6e0330d85a68d0d6b02123ec
SHA512 cede3c41664c4d7f0bf9f0ad6904dce442370d9c4362aaa1e36ecfc3e4e600a8b6ee6f8568f54cbe397133d2d9253515083e9a590302a39c87d66c40d40138d5

memory/1808-98-0x00000000777A0000-0x0000000077949000-memory.dmp

memory/1808-99-0x00000000749C0000-0x0000000074B34000-memory.dmp

memory/3032-101-0x0000000000080000-0x0000000000100000-memory.dmp

memory/3032-108-0x00000000777A0000-0x0000000077949000-memory.dmp

memory/3032-109-0x0000000000080000-0x0000000000100000-memory.dmp

memory/3032-111-0x0000000000080000-0x0000000000100000-memory.dmp

memory/3032-112-0x0000000000080000-0x0000000000100000-memory.dmp
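The Files section mixes three kinds of entry: Windows Installer's cached copy of the package (f773aee.msi carries the submitted sample's SHA256), payload components dropped under the user profile, and memory regions that have no hash at all. Turning it into something a hunt can consume means separating those before the hashes go into a watchlist. The Python below is an added example, not part of the Triage report: it parses an excerpt of the section (copied above, SHA512 lines omitted), labels each entry, builds a SHA256 lookup, and matches it against a constructed endpoint inventory. The labelling rules and the inventory are this example's assumptions.

```python
import re

SAMPLE_SHA256 = "406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0"

# Excerpt copied from this report's Files section (SHA512 lines omitted).
FILES_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
MD5 ba699791249c311883baa8ce3432703b
SHA1 f8734601f9397cb5ebb8872af03f5b0639c2eac6
SHA256 7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

C:\Windows\Installer\f773aee.msi
MD5 e0808992ec58411df693995c7edae88c
SHA1 00e02a807c815debbdfec793f785aaa4b7d1609e
SHA256 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0

memory/1880-38-0x0000000000130000-0x000000000021C000-memory.dmp

C:\Users\Admin\AppData\Local\Eponychium\gxfiogr
MD5 b590c33dd2a4c8ddedda46028181a405
SHA1 b0949a3396d84b8e4dca5d5026eb3b6c0679f7e3
SHA256 862aadcb096647394a5f6f5e646bf57b52567180505b6026e59539f6ded1eaa8

C:\Users\Admin\AppData\Local\Temp\2357abf6
MD5 77e37b5a3b9d46b6d059b0292a64e0ab
SHA1 38314685820ce9278c7ac94b0016147bd8b6ae58
SHA256 d734228d26eabc716028359599c4b3588874523a6e0330d85a68d0d6b02123ec
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

# Constructed for the example, not from the report: (path, sha256) pairs as an
# EDR file inventory might export them. The first is the dropped ManyCam.exe
# hash under a different name; the second is filler that must not match.
ENDPOINT_INVENTORY = [
    (r"D:\triage\quarantine\cam_update.exe",
     "7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
]


def parse_files(text):
    """A non-hash line starts a record; following 'ALGO hex' lines attach to it."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
        else:
            current = {"path": line}
            records.append(current)
    return records


def classify(rec):
    """Label an entry. Rules are this example's assumption."""
    path = rec["path"].lower()
    if path.startswith("memory/"):
        return "memory_dump"  # region dumped from a live process; nothing on disk to hash
    if rec.get("sha256") == SAMPLE_SHA256:
        return "installer_cache_copy_of_sample"  # msiexec's cached copy of the package
    if "\\appdata\\" in path:
        return "dropped_in_user_profile"
    return "other"


def hunt_set(records):
    """SHA256 -> report path, for O(1) lookups; memory regions drop out."""
    return {r["sha256"]: r["path"] for r in records if "sha256" in r}


def match_inventory(hunt, inventory):
    """(inventory path, report path) for every inventory hash on the watchlist."""
    return [(path, hunt[sha]) for path, sha in inventory if sha in hunt]


if __name__ == "__main__":
    recs = parse_files(FILES_EXCERPT)
    for r in recs:
        print(f"{classify(r):32} {r.get('sha256', '-')[:16]}  {r['path']}")
    print("hits:", match_inventory(hunt_set(recs), ENDPOINT_INVENTORY))
```

The cached MSI stays on the watchlist deliberately: finding the package hash in C:\Windows\Installer on another host means the installer ran there, which is exactly what a hunt wants to know. It is labelled separately only so that an analyst does not mistake it for a second dropped component.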