rhadamanthys | hxxps://github[.]com/arikfio/Hwid-Spoofer/releases/download/Spoofer/project[.]rar

Analysis

max time kernel
65s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/arikfio/Hwid-Spoofer/releases/download/Spoofer/project.rar

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://135.181.4.162:2423/97e9fc994198e76/cq4mk2ms.xrf3c

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 6000 created 2520	6000	RegAsm.exe	44

Executes dropped EXE 2 IoCs

pid	Process
5820	Software.exe
5436	Software.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5820 set thread context of 6000	5820	Software.exe	118
PID 5436 set thread context of 2316	5436	Software.exe	128

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4064	6000	WerFault.exe	118
5240	6000	WerFault.exe	118
5692	2316	WerFault.exe	128
5568	2316	WerFault.exe	128

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Software.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Software.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5744	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
3332	msedge.exe
3332	msedge.exe
3588	identity_helper.exe
3588	identity_helper.exe
3656	msedge.exe
3656	msedge.exe
6000	RegAsm.exe
6000	RegAsm.exe
6056	openwith.exe
6056	openwith.exe
6056	openwith.exe
6056	openwith.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	5492	7zG.exe
Token: 35	5492	7zG.exe
Token: SeSecurityPrivilege	5492	7zG.exe
Token: SeSecurityPrivilege	5492	7zG.exe
Token: SeDebugPrivilege	720	taskmgr.exe
Token: SeSystemProfilePrivilege	720	taskmgr.exe
Token: SeCreateGlobalPrivilege	720	taskmgr.exe
Token: 33	720	taskmgr.exe
Token: SeIncBasePriorityPrivilege	720	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
5492	7zG.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
3332	msedge.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe
720	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 1864	3332	msedge.exe	88
PID 3332 wrote to memory of 1864	3332	msedge.exe	88
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4180	3332	msedge.exe	89
PID 3332 wrote to memory of 4724	3332	msedge.exe	90
PID 3332 wrote to memory of 4724	3332	msedge.exe	90
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91
PID 3332 wrote to memory of 1436	3332	msedge.exe	91

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2520
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/arikfio/Hwid-Spoofer/releases/download/Spoofer/project.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc580746f8,0x7ffc58074708,0x7ffc58074718
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5193839417810808178,8348512212437366324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:1828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5240

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\project\" -ad -an -ai#7zMap684:76:7zEvent4510
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5492

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\project\Project\LICENSE.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:5744

C:\Users\Admin\Downloads\project\Project\Software.exe
"C:\Users\Admin\Downloads\project\Project\Software.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 644
    3⤵
    - Program crash
    PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 652
    3⤵
    - Program crash
    PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6000 -ip 6000
1⤵
PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6000 -ip 6000
1⤵
PID:3656

C:\Users\Admin\Downloads\project\Project\Software.exe
"C:\Users\Admin\Downloads\project\Project\Software.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 580
    3⤵
    - Program crash
    PID:5692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 604
    3⤵
    - Program crash
    PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2316 -ip 2316
1⤵
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2316 -ip 2316
1⤵
PID:5700

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Software.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab283f88362e9716dd5c324319272528

SHA1
84cebc7951a84d497b2c1017095c2c572e3648c4

SHA256
61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2

SHA512
66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fffde59525dd5af902ac449748484b15

SHA1
243968c68b819f03d15b48fc92029bf11e21bedc

SHA256
26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762

SHA512
f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c32b8d0eed93482001ffd8206608b5f

SHA1
8e3b4b75b5af611a3c6ca704118f8f4a5d6d9ca6

SHA256
cb61edefa217ec2eaaffc599fa0728e37e902d6ca668854a53ae5a1b3581d3b1

SHA512
b425c4096f149ddeeee29e4290c6338a14e0c734cd552b05b723efdd91f8d0a8a93a6c9e5bd208c118e4325b80d1c60568f3dd8aa651876b8ad566773747c8ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fdf0de663647525cf26e639e18267af0

SHA1
76892cfb2e97082bc805fa9bb5e7b81207013b11

SHA256
1a2ef2f63375da9f16ffec13ab216b3523ca71456b06ec561db9d8d361b003bd

SHA512
1856bfcf8e45970e996ff7631e7e8ed9b291218e0389d41b75e831b35c8a92591185f8f46fe2e8a9d103e9f6180d16601f2bf9b10652c2d22ffdff12c5d9a0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b0cb9d754cab2bab7bacad46cc9a87c4

SHA1
0750c5b42875bb57264d95a8fb503fd81a626dc8

SHA256
ee9c25b6864c3fbaa135945cd92b3a073a65f580b489ac6be36e55cb4ff5849f

SHA512
bc82047bcb53bbad1ad2fc45813abe65079b6c4c431c4b8a5694948916b8fe4172840c33f15c0c0413bfde14a1e3bc8ab563cfb6c3f25e59db8744f59b280e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c2b6a9893554dc53ffe4515decf0ad7

SHA1
4bb0a53ed1713ab0a533bd35b2be49995057b265

SHA256
ed80efb4d3ac87b6bb7e3afea0f119ff4ef16791bacfaa37815f5deaf08ce2e4

SHA512
1916e46d2df261db30c564ec7eb3c56922e77e606a66498dcf5d38b9460abd5abf30b7552ea4ad542e699fc109f32215718975b45f5af2266da395d6d812ea37

Download Submit
C:\Users\Admin\Downloads\project.rar

Filesize
2.3MB

MD5
53bf7cd46fe868f7f66b40fa5fc86b1e

SHA1
38130119bb5741a849a3064937cfcc3a3dcaf3ed

SHA256
c1a5e50b7a6c12adacab921fc3b89b5779988c046a743b47c308e4229af937fc

SHA512
5df94cab0c0dba4b74e85c3054cfcfe892908cfcfbe259f6407ee15afcbde90907ab93215ca237fd3f730c2c2e43ebee23ae72d4ff6e205987b35d18f7dd7be4

Download Submit
C:\Users\Admin\Downloads\project\Project\LICENSE.TXT

Filesize
1KB

MD5
ba2bed45d99b13d4c31485d0631ae675

SHA1
26c7c096ac257154020a07532c5edeba91ee97e0

SHA256
d7a68596ab69b06f51ca278a6545148e4269a9381c26d597c13df5d88e08cf5b

SHA512
430f0a57ff6be9cb03316eb7312b70f5a2eb44175edacac242a9fd329257ae52c03de8add8a957cd3a336f99fd638eb89d8d3d1338525d5be21d8f4e22f86f97

Download Submit
C:\Users\Admin\Downloads\project\Project\Software.exe

Filesize
442KB

MD5
55a3d0312c376ed1db15e85430f8ec59

SHA1
b981f13a8586870aa4fddcf981653392f2bbbfc6

SHA256
66ead826c7d71057741fa77c22db4b59e005bf009f7f190098cda30efb89ea0f

SHA512
c06c09aae467d298589e125d68803d9909b4e981ed4748454663fb6538fdded6feec6203ae3a3c63edd42901089f4141dab0a55e8585ed452aeee131942c46c2

Download Submit
memory/720-165-0x0000021107EA0000-0x0000021107EA1000-memory.dmp

Filesize
4KB

Download
memory/720-164-0x0000021107EA0000-0x0000021107EA1000-memory.dmp

Filesize
4KB

Download
memory/720-170-0x0000021107EA0000-0x0000021107EA1000-memory.dmp

Filesize
4KB

Download
memory/720-171-0x0000021107EA0000-0x0000021107EA1000-memory.dmp

Filesize
4KB

Download
memory/720-172-0x0000021107EA0000-0x0000021107EA1000-memory.dmp

Filesize
4KB

Download
memory/720-173-0x0000021107EA0000-0x0000021107EA1000-memory.dmp

Filesize
4KB

Download
memory/720-174-0x0000021107EA0000-0x0000021107EA1000-memory.dmp

Filesize
4KB

Download
memory/720-175-0x0000021107EA0000-0x0000021107EA1000-memory.dmp

Filesize
4KB

Download
memory/720-169-0x0000021107EA0000-0x0000021107EA1000-memory.dmp

Filesize
4KB

Download
memory/720-163-0x0000021107EA0000-0x0000021107EA1000-memory.dmp

Filesize
4KB

Download
memory/2316-139-0x0000000003A10000-0x0000000003E10000-memory.dmp

Filesize
4.0MB

Download
memory/2316-135-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2316-137-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5820-109-0x00000000008C0000-0x0000000000932000-memory.dmp

Filesize
456KB

Download
memory/6000-122-0x0000000077230000-0x0000000077445000-memory.dmp

Filesize
2.1MB

Download
memory/6000-117-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/6000-112-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/6000-115-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/6000-118-0x0000000003B90000-0x0000000003F90000-memory.dmp

Filesize
4.0MB

Download
memory/6000-119-0x0000000003B90000-0x0000000003F90000-memory.dmp

Filesize
4.0MB

Download
memory/6000-120-0x00007FFC66AB0000-0x00007FFC66CA5000-memory.dmp

Filesize
2.0MB

Download
memory/6056-128-0x0000000077230000-0x0000000077445000-memory.dmp

Filesize
2.1MB

Download
memory/6056-123-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

Filesize
36KB

Download
memory/6056-125-0x0000000002890000-0x0000000002C90000-memory.dmp

Filesize
4.0MB

Download
memory/6056-126-0x00007FFC66AB0000-0x00007FFC66CA5000-memory.dmp

Filesize
2.0MB

Download