Analysis Overview
SHA256
406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0
Threat Level: Known bad
The file 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Enumerates connected drives
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-19 01:28
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-19 01:28
Reported
2024-10-19 01:31
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5064 created 2608 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4304 set thread context of 3828 | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e57e1c5.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57e1c5.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{7A84B6BD-F238-4306-86B9-231CF904EE0C} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE290.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57e1c7.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
Loads dropped DLL
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff39bb976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d41ba55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
"C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe"
C:\Windows\system32\pcaui.exe
"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe"
C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
C:\Windows\system32\pcaui.exe
"C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.197.219.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
C:\Config.Msi\e57e1c6.rbs
| MD5 | 9cae235b383f1d99edcb98e4b3f2c467 |
| SHA1 | 07df35a5935c51e0b34679a50f0fdcf903ad4e78 |
| SHA256 | 801045360122fb6f27bc0e7231a1669005bb8b2879683d89e6432ea0bf78f655 |
| SHA512 | c1bc970afe472b51c4dcb10609d6dc1935f89eebf8bf49f59fc4298c9c2e495b1b0c2d905a6e39ceba5e2657aaaeb31a67f4d17821f7a7c6d6b8fd707b44f585 |
C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
| MD5 | ba699791249c311883baa8ce3432703b |
| SHA1 | f8734601f9397cb5ebb8872af03f5b0639c2eac6 |
| SHA256 | 7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282 |
| SHA512 | 6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325 |
C:\Windows\Installer\e57e1c5.msi
| MD5 | e0808992ec58411df693995c7edae88c |
| SHA1 | 00e02a807c815debbdfec793f785aaa4b7d1609e |
| SHA256 | 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0 |
| SHA512 | bf2a3eb0fbba84cfab2e04250a888a0bfbdac53d632ca77bbad23908eb93ec8a97bf14c41773276e47f7c202930153e29ce2fbd6f4600dd27da39ef6b2511ed2 |
C:\Users\Admin\AppData\Local\Eponychium\cximagecrt.dll
| MD5 | c36f6e088c6457a43adb7edcd17803f3 |
| SHA1 | b25b9fb4c10b8421c8762c7e7b3747113d5702de |
| SHA256 | 8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72 |
| SHA512 | 87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e |
C:\Users\Admin\AppData\Local\Eponychium\highgui099.dll
| MD5 | a354c42fcb37a50ecad8dde250f6119e |
| SHA1 | 0eb4ad5e90d28a4a8553d82cec53072279af1961 |
| SHA256 | 89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2 |
| SHA512 | 981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059 |
memory/1880-52-0x0000000001D40000-0x0000000001DA2000-memory.dmp
memory/1880-49-0x0000000001C50000-0x0000000001D3C000-memory.dmp
C:\Users\Admin\AppData\Local\Eponychium\cxcore099.dll
| MD5 | 286284d4ae1c67d0d5666b1417dcd575 |
| SHA1 | 8b8a32577051823b003c78c86054874491e9ecfa |
| SHA256 | 37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298 |
| SHA512 | 2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a |
memory/1880-46-0x0000000001BA0000-0x0000000001C4D000-memory.dmp
C:\Users\Admin\AppData\Local\Eponychium\gxfiogr
| MD5 | b590c33dd2a4c8ddedda46028181a405 |
| SHA1 | b0949a3396d84b8e4dca5d5026eb3b6c0679f7e3 |
| SHA256 | 862aadcb096647394a5f6f5e646bf57b52567180505b6026e59539f6ded1eaa8 |
| SHA512 | e72b33ca405b551532a855a74f99aab1850756cbaefb9421d6e480e719b6ceead1d728dbc786d76d91532f0bbdcc241039dac35479bf90f7d2d665c6ab9f8da7 |
memory/1880-56-0x0000000074FE0000-0x000000007515B000-memory.dmp
memory/4304-93-0x0000000074FE0000-0x000000007515B000-memory.dmp
memory/4304-94-0x00007FF9A5B70000-0x00007FF9A5D65000-memory.dmp
C:\Users\Admin\AppData\Roaming\browserservice_op5\rsjddfw
| MD5 | 666447d9f86fa84149f374c0f1eb2f90 |
| SHA1 | 9eb18eb892756e48428767d11435750ca458c9fb |
| SHA256 | a25f6e74e4742ec3837ba08b63b89b05e66cd8b00e2c209b2adc9242cd8e7011 |
| SHA512 | dd78afe71ad80ac8788f8aed81d3538c904da76fa62f9fecb6c54bee545e6e7816ff30dd6e2fcc1999508a62c327afcbf8cf586830104abe5fb6b18ac1a87fff |
memory/4304-89-0x0000000000B90000-0x0000000000BF2000-memory.dmp
memory/4304-86-0x00000000017F0000-0x000000000189D000-memory.dmp
C:\Users\Admin\AppData\Roaming\browserservice_op5\cv099.dll
| MD5 | 2a8b33fee2f84490d52a3a7c75254971 |
| SHA1 | 16ce2b1632a17949b92ce32a6211296fee431dca |
| SHA256 | faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2 |
| SHA512 | 8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb |
memory/4304-83-0x0000000001700000-0x00000000017EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\browserservice_op5\dbghelp.dll
| MD5 | aa1594596fa19609555e317d9b64be6a |
| SHA1 | 924b08d85b537be52142965c3ad33c01b457ea83 |
| SHA256 | 5139413ea54dee9ec4f13b193d88ccae9adb8f0d8c1e2ba1aee460d8a0d5bb79 |
| SHA512 | 759209846039d1efb2f6ddf3501f1f868989e81752bb7d617afd9fd4238c52162167b1a1732ec81bdfce469856c78439cc7c8d173b1f48de499dfee725b192dc |
C:\Users\Admin\AppData\Roaming\browserservice_op5\CrashRpt.dll
| MD5 | b2d1f5e4a1f0e8d85f0a8aeb7b8148c7 |
| SHA1 | 871078213fcc0ce143f518bd69caa3156b385415 |
| SHA256 | c28e0aec124902e948c554436c0ebbebba9fc91c906ce2cd887fada0c64e3386 |
| SHA512 | 1f6d97e02cd684cf4f4554b0e819196bd2811e19b964a680332268bcbb6dee0e17b2b35b6e66f0fe5622dffb0a734f39f8e49637a38e4fe7f10d3b5182b30260 |
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{663902a1-6dca-46d6-b86c-04cd2b62b63c}_OnDiskSnapshotProp
| MD5 | 9b536db816cc96e989ce0a8faa351aaa |
| SHA1 | 03ecaa7281d738aab0dff73a06b9b2ad6404b4b3 |
| SHA256 | 0ff3bf531fe5c91b9974b0df2eb424a03c0c96778c2b1e1aac78c4decde8eead |
| SHA512 | e21149cfe1b288463852ee630fbbf740ec230253273a432d14052d608dd982196a9dff5e7a46671d2c9eba3f303e9ae207c19bc1c261572dda32bfca9ede2f7b |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 4fbecada29f31ab3ca2eb77e5901b50d |
| SHA1 | 4975b588a5f22b595cae9d0b137cdf383ed1bcf9 |
| SHA256 | f98cc93b1c3d3ae462e66a42ae489fee040668f5a66272ce029c635a095377e7 |
| SHA512 | 12ba950357f8afe3e9e9866bcff42f6fc6fee4be515f3c27049718847ed331e602175413c49086332c31ae3f11f244f0350a8a1431e980dae3284f721985e941 |
memory/1880-57-0x00007FF9A5B70000-0x00007FF9A5D65000-memory.dmp
memory/4304-97-0x0000000074FE0000-0x000000007515B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\91378e1d
| MD5 | c853b92ba4c045d8b1745109159ad815 |
| SHA1 | 2a0761e234e58930e54807ecce8198a862bf35c6 |
| SHA256 | 03e774dc5c5294acc49b5d8ae3587928e79daf2901f983c9ccf5ca3054b42092 |
| SHA512 | 69c6f950342cf0238ccbe72ef87a5d03f6aded7cc6410a07889c0b772c64adcdf6c8d2c3bbe5d58f7d1175f38f3baa84b9ac453d01551ab9fd45e10bfa32ab1e |
memory/3828-100-0x00007FF9A5B70000-0x00007FF9A5D65000-memory.dmp
memory/3828-101-0x0000000074FE0000-0x000000007515B000-memory.dmp
memory/5064-103-0x00000000009A0000-0x0000000000A20000-memory.dmp
memory/5064-104-0x00007FF9A5B70000-0x00007FF9A5D65000-memory.dmp
memory/5064-105-0x00000000009A0000-0x0000000000A20000-memory.dmp
memory/5064-107-0x00000000009A0000-0x0000000000A20000-memory.dmp
memory/5064-108-0x00000000041C0000-0x00000000045C0000-memory.dmp
memory/5064-109-0x00000000041C0000-0x00000000045C0000-memory.dmp
memory/5064-112-0x0000000077AE0000-0x0000000077CF5000-memory.dmp
memory/3932-113-0x0000000000FD0000-0x0000000000FD9000-memory.dmp
memory/3932-117-0x0000000002E80000-0x0000000003280000-memory.dmp
memory/5064-116-0x00000000009A0000-0x0000000000A20000-memory.dmp
memory/3932-120-0x0000000077AE0000-0x0000000077CF5000-memory.dmp
memory/3932-118-0x00007FF9A5B70000-0x00007FF9A5D65000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-19 01:28
Reported
2024-10-19 01:31
Platform
win7-20241010-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Rhadamanthys
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2776 set thread context of 1808 | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | C:\Windows\SysWOW64\cmd.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI3D3F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f773aee.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f773aee.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f773aef.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f773aef.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f773af1.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\ | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000404" "00000000000003E0"
C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
"C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe"
C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
C:\Users\Admin\AppData\Roaming\browserservice_op5\ManyCam.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
Files
C:\Config.Msi\f773af0.rbs
| MD5 | d0fdaa33c3ddd010713b7e764ce95606 |
| SHA1 | e858c00548dcdbdb5c58c33a7b6ba2679938ebf1 |
| SHA256 | f4dd3532b87d20bc1b30b5dd499eb278efde36dc79ab1b1161fe961ee6e64b80 |
| SHA512 | 6b11f23bc4139aefa9e5a346a4b25416167f73c713f6f423c31600c9cb676fb24aa005d398442f15ed08e643abbcf714d858abea6c9b18238029bb4a18c801fd |
C:\Users\Admin\AppData\Local\Eponychium\ManyCam.exe
| MD5 | ba699791249c311883baa8ce3432703b |
| SHA1 | f8734601f9397cb5ebb8872af03f5b0639c2eac6 |
| SHA256 | 7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282 |
| SHA512 | 6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325 |
C:\Windows\Installer\f773aee.msi
| MD5 | e0808992ec58411df693995c7edae88c |
| SHA1 | 00e02a807c815debbdfec793f785aaa4b7d1609e |
| SHA256 | 406a4764d296c18cb477a8c3d1ae1a585207e701239533c01ecb4988ef8809a0 |
| SHA512 | bf2a3eb0fbba84cfab2e04250a888a0bfbdac53d632ca77bbad23908eb93ec8a97bf14c41773276e47f7c202930153e29ce2fbd6f4600dd27da39ef6b2511ed2 |
C:\Users\Admin\AppData\Local\Eponychium\cximagecrt.dll
| MD5 | c36f6e088c6457a43adb7edcd17803f3 |
| SHA1 | b25b9fb4c10b8421c8762c7e7b3747113d5702de |
| SHA256 | 8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72 |
| SHA512 | 87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e |
C:\Users\Admin\AppData\Local\Eponychium\cxcore099.dll
| MD5 | 286284d4ae1c67d0d5666b1417dcd575 |
| SHA1 | 8b8a32577051823b003c78c86054874491e9ecfa |
| SHA256 | 37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298 |
| SHA512 | 2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a |
C:\Users\Admin\AppData\Local\Eponychium\cv099.dll
| MD5 | 2a8b33fee2f84490d52a3a7c75254971 |
| SHA1 | 16ce2b1632a17949b92ce32a6211296fee431dca |
| SHA256 | faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2 |
| SHA512 | 8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb |
memory/1880-38-0x0000000000130000-0x000000000021C000-memory.dmp
memory/1880-42-0x00000000002A0000-0x000000000034D000-memory.dmp
C:\Users\Admin\AppData\Local\Eponychium\highgui099.dll
| MD5 | a354c42fcb37a50ecad8dde250f6119e |
| SHA1 | 0eb4ad5e90d28a4a8553d82cec53072279af1961 |
| SHA256 | 89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2 |
| SHA512 | 981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059 |
memory/1880-46-0x0000000000360000-0x00000000003C2000-memory.dmp
C:\Users\Admin\AppData\Local\Eponychium\CrashRpt.dll
| MD5 | b2d1f5e4a1f0e8d85f0a8aeb7b8148c7 |
| SHA1 | 871078213fcc0ce143f518bd69caa3156b385415 |
| SHA256 | c28e0aec124902e948c554436c0ebbebba9fc91c906ce2cd887fada0c64e3386 |
| SHA512 | 1f6d97e02cd684cf4f4554b0e819196bd2811e19b964a680332268bcbb6dee0e17b2b35b6e66f0fe5622dffb0a734f39f8e49637a38e4fe7f10d3b5182b30260 |
\Users\Admin\AppData\Local\Eponychium\dbghelp.dll
| MD5 | aa1594596fa19609555e317d9b64be6a |
| SHA1 | 924b08d85b537be52142965c3ad33c01b457ea83 |
| SHA256 | 5139413ea54dee9ec4f13b193d88ccae9adb8f0d8c1e2ba1aee460d8a0d5bb79 |
| SHA512 | 759209846039d1efb2f6ddf3501f1f868989e81752bb7d617afd9fd4238c52162167b1a1732ec81bdfce469856c78439cc7c8d173b1f48de499dfee725b192dc |
C:\Users\Admin\AppData\Local\Eponychium\gxfiogr
| MD5 | b590c33dd2a4c8ddedda46028181a405 |
| SHA1 | b0949a3396d84b8e4dca5d5026eb3b6c0679f7e3 |
| SHA256 | 862aadcb096647394a5f6f5e646bf57b52567180505b6026e59539f6ded1eaa8 |
| SHA512 | e72b33ca405b551532a855a74f99aab1850756cbaefb9421d6e480e719b6ceead1d728dbc786d76d91532f0bbdcc241039dac35479bf90f7d2d665c6ab9f8da7 |
C:\Users\Admin\AppData\Local\Eponychium\rsjddfw
| MD5 | 666447d9f86fa84149f374c0f1eb2f90 |
| SHA1 | 9eb18eb892756e48428767d11435750ca458c9fb |
| SHA256 | a25f6e74e4742ec3837ba08b63b89b05e66cd8b00e2c209b2adc9242cd8e7011 |
| SHA512 | dd78afe71ad80ac8788f8aed81d3538c904da76fa62f9fecb6c54bee545e6e7816ff30dd6e2fcc1999508a62c327afcbf8cf586830104abe5fb6b18ac1a87fff |
memory/1880-54-0x0000000074A50000-0x0000000074BC4000-memory.dmp
memory/1880-55-0x00000000777A0000-0x0000000077949000-memory.dmp
memory/2776-77-0x0000000000AC0000-0x0000000000BAC000-memory.dmp
memory/2776-81-0x0000000000BB0000-0x0000000000C5D000-memory.dmp
memory/2776-85-0x00000000001D0000-0x0000000000232000-memory.dmp
memory/2776-93-0x00000000749C0000-0x0000000074B34000-memory.dmp
memory/2776-94-0x00000000777A0000-0x0000000077949000-memory.dmp
memory/2776-95-0x00000000749C0000-0x0000000074B34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2357abf6
| MD5 | 77e37b5a3b9d46b6d059b0292a64e0ab |
| SHA1 | 38314685820ce9278c7ac94b0016147bd8b6ae58 |
| SHA256 | d734228d26eabc716028359599c4b3588874523a6e0330d85a68d0d6b02123ec |
| SHA512 | cede3c41664c4d7f0bf9f0ad6904dce442370d9c4362aaa1e36ecfc3e4e600a8b6ee6f8568f54cbe397133d2d9253515083e9a590302a39c87d66c40d40138d5 |
memory/1808-98-0x00000000777A0000-0x0000000077949000-memory.dmp
memory/1808-99-0x00000000749C0000-0x0000000074B34000-memory.dmp
memory/3032-101-0x0000000000080000-0x0000000000100000-memory.dmp
memory/3032-108-0x00000000777A0000-0x0000000077949000-memory.dmp
memory/3032-109-0x0000000000080000-0x0000000000100000-memory.dmp
memory/3032-111-0x0000000000080000-0x0000000000100000-memory.dmp
memory/3032-112-0x0000000000080000-0x0000000000100000-memory.dmp