rhadamanthys | 89676715c9429098e3e34a0ce0122d19d52e90153971c31665500f77c937daf6

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YouTubePartnerPolicyUpdate-Feb2025.msi
Size

4.0MB
MD5

d96d9b0b72cafb9650a38844082e3429
SHA1

89e5fca28a4c11249672e0d9c25c3cb6c1ece301
SHA256

89676715c9429098e3e34a0ce0122d19d52e90153971c31665500f77c937daf6
SHA512

9dbceaa6136b139a8d0e6c2aafeee8f3908fd8ea984e72e1488a6a0cddefb9753380814e7f7f029d65f0150ecaa3ab59cf78a0554a4cc9016c790d942e80a810
SSDEEP

98304:cXN4t7ieVigQEVcZsa/EBCmf725w8MPUTO/7od9D:EN4ttiglmZs/72e8XyS

Score

10^/10

rhadamanthys discovery persistence privilege_escalation stealer

Malware Config

Signatures

Detects Rhadamanthys payload 1 IoCs

resource	yara_rule
behavioral1/memory/1812-78-0x0000000000400000-0x0000000000522000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1812 created 1204	1812	MSBuild.exe	21

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 484 set thread context of 1564	484	CamMenuMaker.exe	37
PID 1564 set thread context of 1812	1564	cmd.exe	39

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID0B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76cfde.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76cfdd.msi	msiexec.exe
File created	C:\Windows\Installer\f76cfde.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76cfe0.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76cfdd.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2644	CamMenuMaker.exe
484	CamMenuMaker.exe

Loads dropped DLL 9 IoCs

pid	Process
2644	CamMenuMaker.exe
2644	CamMenuMaker.exe
2644	CamMenuMaker.exe
2644	CamMenuMaker.exe
2644	CamMenuMaker.exe
484	CamMenuMaker.exe
484	CamMenuMaker.exe
484	CamMenuMaker.exe
484	CamMenuMaker.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3052	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CamMenuMaker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CamMenuMaker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2464	msiexec.exe
2464	msiexec.exe
2644	CamMenuMaker.exe
484	CamMenuMaker.exe
484	CamMenuMaker.exe
1564	cmd.exe
1564	cmd.exe
1812	MSBuild.exe
1812	MSBuild.exe
1812	MSBuild.exe
1812	MSBuild.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe
2288	dialer.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
484	CamMenuMaker.exe
1564	cmd.exe
1564	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3052	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeSecurityPrivilege	2464	msiexec.exe
Token: SeCreateTokenPrivilege	3052	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3052	msiexec.exe
Token: SeLockMemoryPrivilege	3052	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3052	msiexec.exe
Token: SeMachineAccountPrivilege	3052	msiexec.exe
Token: SeTcbPrivilege	3052	msiexec.exe
Token: SeSecurityPrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeLoadDriverPrivilege	3052	msiexec.exe
Token: SeSystemProfilePrivilege	3052	msiexec.exe
Token: SeSystemtimePrivilege	3052	msiexec.exe
Token: SeProfSingleProcessPrivilege	3052	msiexec.exe
Token: SeIncBasePriorityPrivilege	3052	msiexec.exe
Token: SeCreatePagefilePrivilege	3052	msiexec.exe
Token: SeCreatePermanentPrivilege	3052	msiexec.exe
Token: SeBackupPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeShutdownPrivilege	3052	msiexec.exe
Token: SeDebugPrivilege	3052	msiexec.exe
Token: SeAuditPrivilege	3052	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3052	msiexec.exe
Token: SeChangeNotifyPrivilege	3052	msiexec.exe
Token: SeRemoteShutdownPrivilege	3052	msiexec.exe
Token: SeUndockPrivilege	3052	msiexec.exe
Token: SeSyncAgentPrivilege	3052	msiexec.exe
Token: SeEnableDelegationPrivilege	3052	msiexec.exe
Token: SeManageVolumePrivilege	3052	msiexec.exe
Token: SeImpersonatePrivilege	3052	msiexec.exe
Token: SeCreateGlobalPrivilege	3052	msiexec.exe
Token: SeBackupPrivilege	2340	vssvc.exe
Token: SeRestorePrivilege	2340	vssvc.exe
Token: SeAuditPrivilege	2340	vssvc.exe
Token: SeBackupPrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	3024	DrvInst.exe
Token: SeLoadDriverPrivilege	3024	DrvInst.exe
Token: SeLoadDriverPrivilege	3024	DrvInst.exe
Token: SeLoadDriverPrivilege	3024	DrvInst.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3052	msiexec.exe
3052	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2644	2464	msiexec.exe	35
PID 2464 wrote to memory of 2644	2464	msiexec.exe	35
PID 2464 wrote to memory of 2644	2464	msiexec.exe	35
PID 2464 wrote to memory of 2644	2464	msiexec.exe	35
PID 2644 wrote to memory of 484	2644	CamMenuMaker.exe	36
PID 2644 wrote to memory of 484	2644	CamMenuMaker.exe	36
PID 2644 wrote to memory of 484	2644	CamMenuMaker.exe	36
PID 2644 wrote to memory of 484	2644	CamMenuMaker.exe	36
PID 484 wrote to memory of 1564	484	CamMenuMaker.exe	37
PID 484 wrote to memory of 1564	484	CamMenuMaker.exe	37
PID 484 wrote to memory of 1564	484	CamMenuMaker.exe	37
PID 484 wrote to memory of 1564	484	CamMenuMaker.exe	37
PID 484 wrote to memory of 1564	484	CamMenuMaker.exe	37
PID 1564 wrote to memory of 1812	1564	cmd.exe	39
PID 1564 wrote to memory of 1812	1564	cmd.exe	39
PID 1564 wrote to memory of 1812	1564	cmd.exe	39
PID 1564 wrote to memory of 1812	1564	cmd.exe	39
PID 1564 wrote to memory of 1812	1564	cmd.exe	39
PID 1564 wrote to memory of 1812	1564	cmd.exe	39
PID 1812 wrote to memory of 2288	1812	MSBuild.exe	40
PID 1812 wrote to memory of 2288	1812	MSBuild.exe	40
PID 1812 wrote to memory of 2288	1812	MSBuild.exe	40
PID 1812 wrote to memory of 2288	1812	MSBuild.exe	40
PID 1812 wrote to memory of 2288	1812	MSBuild.exe	40
PID 1812 wrote to memory of 2288	1812	MSBuild.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YouTubePartnerPolicyUpdate-Feb2025.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3052
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2288

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Hydrosome\CamMenuMaker.exe
  "C:\Users\Admin\AppData\Local\Hydrosome\CamMenuMaker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Roaming\Wordpadhost_uiq_debug\CamMenuMaker.exe
    C:\Users\Admin\AppData\Roaming\Wordpadhost_uiq_debug\CamMenuMaker.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "00000000000003DC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76cfdf.rbs

Filesize
8KB

MD5
a713a77e5523cf3752da4d62794c3569

SHA1
9d9e5ebe2ed3b61c2b90929f790468ffd6c45b1c

SHA256
6727849c219472f29b2f24e55c032faa7b31bc00dc506400419927fa3c2332ba

SHA512
2bba4c5dc9731257f7fdfda0a72813c50559b6d48b8fb4ab2ee0a25e0b56080985885a53ea304f5bcf66169073ce5fcecd3528e0a3ebbcca54c59d5e2bbedcfa

Download Submit
C:\Users\Admin\AppData\Local\Hydrosome\CamMenuMaker.exe

Filesize
1.1MB

MD5
0aa5410c7565c20aebbb56a317e578da

SHA1
1b5fd5739d66cdbb3d08b3d11b45bf49851bc4e0

SHA256
88a1f9a40eb7ece8999092b2872b6afde0fb3776e29384c5b00631bb0fca34d1

SHA512
4d45855719ac2846c5b49a69f4680200cfe0b325a476c3d6624f5bfd56212ccf9858394c0deb98fdca0ed44e8b63720eadcc67577fdbb874c07d9f15b41e4056

Download Submit
C:\Users\Admin\AppData\Local\Hydrosome\MSVCP100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Users\Admin\AppData\Local\Hydrosome\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Local\Hydrosome\XceedZip.dll

Filesize
484KB

MD5
882e0b32bbc7babec02c0f84b4bd45e0

SHA1
13a9012191b5a59e1e3135c3953e8af63eb1b513

SHA256
2d04cc1948c4b8249e5eb71934006fe5dda4db7c856698fb8f2521a77e73f572

SHA512
99e314733e6a9eb5b5e5e973d54d4aac8f7aef119cd8f650da0690a46eaaa9c2157cdf0ddc912cbda81587b484b2b88d0b6833c8c4e4c320182d5e584062dd0a

Download Submit
C:\Users\Admin\AppData\Local\Hydrosome\mfc100enu.dll

Filesize
53KB

MD5
2a2c442f00b45e01d4c882eea69a01bc

SHA1
85145f0f784d3a4efa569deb77b54308a1a21b92

SHA256
d71db839de0bc1fcc01a125d57ced2aaea3f444a992426c316ce18c267c33a8c

SHA512
f18d9019eee843d707aa307714a15207be2ded2eceab518599fbed8a3826a1a56f815fe75fb37f36c93be13f3d90e025f790db6b3ba413bfd5cd040b2cc7dbf7

Download Submit
C:\Users\Admin\AppData\Local\Hydrosome\mfc100u.dll

Filesize
4.2MB

MD5
1c5f698b7a3759c739bd3c83102e26bd

SHA1
37ecf18080583b45ee48e79b59c04601ac95c020

SHA256
1b25d370e68b4834ecf7be7aece569956a0978019553fcfd287ae906f4a56fa2

SHA512
441ee977a2e68d2061d245e42f9981393e0c98d30ed8670b13251aa0b7a2a9213d5499a4c92c264e9929cc930434404025ca33b5be5c74e20f91b0e1c7eb3206

Download Submit
C:\Users\Admin\AppData\Local\Hydrosome\mob.svg

Filesize
29KB

MD5
540adaeeb3d4b933a29ba5c6c739178b

SHA1
9e9db7a75dc6919a7c58f11cea9a03af604ce0ff

SHA256
b212ce626b58d1a7ec1497010ba0f0bad9b6e81d64cc54b21eed83b791e4eef9

SHA512
480b4b27ac47af69070e9ca86d6a03a2ecfd348c7ef7ce82ec009c3809be315f56965580fb34f02cd6da5e4252e91a337dfb4517ff53c2d319abfd7df61795de

Download Submit
C:\Users\Admin\AppData\Local\Hydrosome\potable.csv

Filesize
1.6MB

MD5
74106105bd617a09568ce094614138b1

SHA1
9656ea8ea3a0e8e68b6216c5acddf663bcfd763f

SHA256
3b9f90758bb31e93d1a2ec7055ee2698334ba66c087e66078082ce6cec2fb848

SHA512
803f996692858e0d669f1190ad2b9bfcdc98323ba923aeb4f88499f6ea0f774c1a82048698057f2bfc7739d75cdc06ef928fde91afffd481a5a43b074dc56b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf933013

Filesize
1.8MB

MD5
5a7a63900cca58cbc8533c24fda6b9b4

SHA1
715194cda6df995ae3eeb38e98568342876ee6c8

SHA256
d6beeb7754e973e904b463fe36d49e3af2caf57b874bfea0ab0fc20a9e500921

SHA512
1fddfc34e841e513fe1b10699601187ecb28ebdecccce8636852aad0706971f958620c304573655d3eb07a58be3aea383ed92f333631994f65cad2d8ea37d29b

Download Submit
C:\Windows\Installer\f76cfdd.msi

Filesize
4.0MB

MD5
d96d9b0b72cafb9650a38844082e3429

SHA1
89e5fca28a4c11249672e0d9c25c3cb6c1ece301

SHA256
89676715c9429098e3e34a0ce0122d19d52e90153971c31665500f77c937daf6

SHA512
9dbceaa6136b139a8d0e6c2aafeee8f3908fd8ea984e72e1488a6a0cddefb9753380814e7f7f029d65f0150ecaa3ab59cf78a0554a4cc9016c790d942e80a810

Download Submit
memory/484-69-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/484-67-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/484-68-0x0000000077B80000-0x0000000077D29000-memory.dmp

Filesize
1.7MB

Download
memory/1564-72-0x0000000077B80000-0x0000000077D29000-memory.dmp

Filesize
1.7MB

Download
memory/1564-73-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/1812-80-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1812-82-0x0000000004F30000-0x0000000005330000-memory.dmp

Filesize
4.0MB

Download
memory/1812-77-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1812-76-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1812-75-0x00000000731B0000-0x0000000074212000-memory.dmp

Filesize
16.4MB

Download
memory/1812-78-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1812-85-0x0000000076F40000-0x0000000076F87000-memory.dmp

Filesize
284KB

Download
memory/1812-79-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1812-81-0x0000000004F30000-0x0000000005330000-memory.dmp

Filesize
4.0MB

Download
memory/1812-83-0x0000000077B80000-0x0000000077D29000-memory.dmp

Filesize
1.7MB

Download
memory/2288-86-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2288-88-0x0000000001DB0000-0x00000000021B0000-memory.dmp

Filesize
4.0MB

Download
memory/2288-89-0x0000000077B80000-0x0000000077D29000-memory.dmp

Filesize
1.7MB

Download
memory/2288-91-0x0000000076F40000-0x0000000076F87000-memory.dmp

Filesize
284KB

Download
memory/2644-42-0x0000000077B80000-0x0000000077D29000-memory.dmp

Filesize
1.7MB

Download
memory/2644-41-0x0000000074D60000-0x0000000074ED4000-memory.dmp

Filesize
1.5MB

Download