rhadamanthys | a18fb19c7e1e805155fdd956e00046c6e492fce5b07aa1e21b688758ff8dbb22

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
09/02/2025, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bootstrap/bootstrapper.exe
Size

633KB
MD5

a3d33d33f8b10595c252ee8e61a8892c
SHA1

f8bf529297b99ebdd0d6214a1a8a20bffb1bd875
SHA256

fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1
SHA512

5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0
SSDEEP

6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s

Score

10^/10

rhadamanthys defense_evasion discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 40 IoCs

resource	yara_rule
behavioral4/memory/528-1-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/4984-8-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/4756-27-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/5040-34-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/312-40-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/2996-43-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/2996-42-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/312-39-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/3332-37-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/3332-36-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/5040-33-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/8-30-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/8-29-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/4984-44-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/388-50-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/4908-62-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/2996-57-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/312-55-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/3332-54-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/5040-53-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/8-52-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/4756-51-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/2420-46-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/3740-47-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/3688-45-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/4756-26-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/388-24-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/388-23-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/3740-21-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/3740-20-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/2420-18-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/2420-17-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/3688-14-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/3688-13-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/4908-11-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/4908-10-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/4984-7-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/1672-5-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/1672-4-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral4/memory/1672-3-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 19 IoCs

description	pid	Process	procid_target
PID 4984 created 2636	4984	aspnet_wp.exe	44
PID 2420 created 2636	2420	aspnet_wp.exe	44
PID 3688 created 2636	3688	aspnet_wp.exe	44
PID 4908 created 2636	4908	aspnet_wp.exe	44
PID 8 created 2636	8	aspnet_wp.exe	44
PID 1672 created 2636	1672	aspnet_wp.exe	44
PID 388 created 2636	388	vbc.exe	44
PID 5040 created 2636	5040	aspnet_wp.exe	44
PID 312 created 2636	312	aspnet_wp.exe	44
PID 3740 created 2636	3740	aspnet_wp.exe	44
PID 3632 created 2636	3632	csc.exe	44
PID 2632 created 2636	2632	aspnet_wp.exe	44
PID 4440 created 2636	4440	csc.exe	44
PID 840 created 2636	840	aspnet_wp.exe	44
PID 3984 created 2636	3984	aspnet_wp.exe	44
PID 3872 created 2636	3872	aspnet_wp.exe	44
PID 1704 created 2636	1704	csc.exe	44
PID 1800 created 2636	1800	aspnet_wp.exe	44
PID 3436 created 2636	3436	aspnet_wp.exe	44

Enumerates VirtualBox registry keys 2 TTPs 3 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	bootstrapper.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	bootstrapper.exe

Looks for VMWare services registry key. 1 TTPs 2 IoCs

defense_evasion

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmtools	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMMEMCTL	bootstrapper.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Downloads MZ/PE file 1 IoCs

flow	pid	Process
36	3808	Process not Found

Suspicious use of SetThreadContext 26 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 528	2736	bootstrapper.exe	85
PID 2736 set thread context of 1672	2736	bootstrapper.exe	86
PID 2736 set thread context of 4984	2736	bootstrapper.exe	87
PID 2736 set thread context of 4908	2736	bootstrapper.exe	89
PID 2736 set thread context of 3688	2736	bootstrapper.exe	90
PID 2736 set thread context of 1164	2736	bootstrapper.exe	92
PID 2736 set thread context of 2420	2736	bootstrapper.exe	94
PID 2736 set thread context of 3740	2736	bootstrapper.exe	96
PID 2736 set thread context of 388	2736	bootstrapper.exe	100
PID 2736 set thread context of 4756	2736	bootstrapper.exe	103
PID 2736 set thread context of 8	2736	bootstrapper.exe	104
PID 2736 set thread context of 400	2736	bootstrapper.exe	105
PID 2736 set thread context of 5040	2736	bootstrapper.exe	106
PID 2736 set thread context of 3332	2736	bootstrapper.exe	108
PID 2736 set thread context of 312	2736	bootstrapper.exe	109
PID 2736 set thread context of 2996	2736	bootstrapper.exe	110
PID 2736 set thread context of 3872	2736	bootstrapper.exe	137
PID 2736 set thread context of 3632	2736	bootstrapper.exe	139
PID 2736 set thread context of 3984	2736	bootstrapper.exe	140
PID 2736 set thread context of 1800	2736	bootstrapper.exe	141
PID 2736 set thread context of 3436	2736	bootstrapper.exe	142
PID 2736 set thread context of 1704	2736	bootstrapper.exe	144
PID 2736 set thread context of 2632	2736	bootstrapper.exe	145
PID 2736 set thread context of 840	2736	bootstrapper.exe	146
PID 2736 set thread context of 4440	2736	bootstrapper.exe	148
PID 2736 set thread context of 3732	2736	bootstrapper.exe	150

Program crash 10 IoCs

pid	pid_target	Process	procid_target
2052	400	WerFault.exe	105
5012	528	WerFault.exe	85
864	1164	WerFault.exe	92
1564	4984	WerFault.exe	87
4920	3688	WerFault.exe	90
2596	3732	WerFault.exe	150
552	3984	WerFault.exe	140
2204	2632	WerFault.exe	145
1276	3632	WerFault.exe	139
2576	1704	WerFault.exe	144

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4480	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	bootstrapper.exe
1672	aspnet_wp.exe
1672	aspnet_wp.exe
4908	aspnet_wp.exe
4908	aspnet_wp.exe
4984	aspnet_wp.exe
4984	aspnet_wp.exe
3688	aspnet_wp.exe
3688	aspnet_wp.exe
2420	aspnet_wp.exe
2420	aspnet_wp.exe
4908	aspnet_wp.exe
4908	aspnet_wp.exe
8	aspnet_wp.exe
8	aspnet_wp.exe
3740	aspnet_wp.exe
4984	aspnet_wp.exe
4984	aspnet_wp.exe
3740	aspnet_wp.exe
2420	aspnet_wp.exe
2420	aspnet_wp.exe
1672	aspnet_wp.exe
1672	aspnet_wp.exe
3688	aspnet_wp.exe
3688	aspnet_wp.exe
312	aspnet_wp.exe
312	aspnet_wp.exe
5040	aspnet_wp.exe
5040	aspnet_wp.exe
388	vbc.exe
388	vbc.exe
8	aspnet_wp.exe
8	aspnet_wp.exe
312	aspnet_wp.exe
312	aspnet_wp.exe
388	vbc.exe
388	vbc.exe
5040	aspnet_wp.exe
5040	aspnet_wp.exe
3740	aspnet_wp.exe
1392	fontdrvhost.exe
1392	fontdrvhost.exe
3740	aspnet_wp.exe
1392	fontdrvhost.exe
1392	fontdrvhost.exe
3632	csc.exe
3632	csc.exe
4440	csc.exe
4440	csc.exe
840	aspnet_wp.exe
840	aspnet_wp.exe
3872	aspnet_wp.exe
3872	aspnet_wp.exe
1704	csc.exe
1704	csc.exe
1800	aspnet_wp.exe
1800	aspnet_wp.exe
1800	aspnet_wp.exe
1800	aspnet_wp.exe
3436	aspnet_wp.exe
3436	aspnet_wp.exe
3632	csc.exe
3632	csc.exe
2632	aspnet_wp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	bootstrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 528	2736	bootstrapper.exe	85
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 1672	2736	bootstrapper.exe	86
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4984	2736	bootstrapper.exe	87
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 4908	2736	bootstrapper.exe	89
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3688	2736	bootstrapper.exe	90
PID 2736 wrote to memory of 3704	2736	bootstrapper.exe	91
PID 2736 wrote to memory of 3704	2736	bootstrapper.exe	91
PID 2736 wrote to memory of 3704	2736	bootstrapper.exe	91
PID 2736 wrote to memory of 1164	2736	bootstrapper.exe	92
PID 2736 wrote to memory of 1164	2736	bootstrapper.exe	92
PID 2736 wrote to memory of 1164	2736	bootstrapper.exe	92
PID 2736 wrote to memory of 1164	2736	bootstrapper.exe	92
PID 2736 wrote to memory of 1164	2736	bootstrapper.exe	92
PID 2736 wrote to memory of 1164	2736	bootstrapper.exe	92

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2636
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4864
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1392
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4944
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4588
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2964
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4280
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4236
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5008
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3816
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3252
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:60
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4872

C:\Users\Admin\AppData\Local\Temp\bootstrap\bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\bootstrap\bootstrapper.exe"
1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare services registry key.
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 76
    3⤵
    - Program crash
    PID:5012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 312
    3⤵
    - Program crash
    PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 368
    3⤵
    - Program crash
    PID:4920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 76
    3⤵
    - Program crash
    PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:5076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 76
    3⤵
    - Program crash
    PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 332
    3⤵
    - Program crash
    PID:1276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:3984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 336
    3⤵
    - Program crash
    PID:552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 336
    3⤵
    - Program crash
    PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 336
    3⤵
    - Program crash
    PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 76
    3⤵
    - Program crash
    PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 528 -ip 528
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1164 -ip 1164
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 400 -ip 400
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2420 -ip 2420
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4984 -ip 4984
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3688 -ip 3688
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1672 -ip 1672
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3332 -ip 3332
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 388 -ip 388
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5040 -ip 5040
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 4908 -ip 4908
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 8 -ip 8
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 312 -ip 312
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 2996 -ip 2996
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 4756 -ip 4756
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3740 -ip 3740
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3732 -ip 3732
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3632 -ip 3632
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2632 -ip 2632
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4440 -ip 4440
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 840 -ip 840
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3984 -ip 3984
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3872 -ip 3872
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1704 -ip 1704
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 1800 -ip 1800
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3436 -ip 3436
1⤵
PID:4352

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTUwQTAyMzgtNDc5RC00QUE5LUJDQ0MtOUVGODI0RjE2QjE2fSIgdXNlcmlkPSJ7MUIxMUJGODYtMEQ5MS00NDA3LTgxRDctNDQ4MjBEQTM1RjQ4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjBCM0Y1MjMtMTdENC00NTg2LUEzODctOTUxRjgwRjJDN0U5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODY1MjgxNzU1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-30-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/8-74-0x0000000000DC0000-0x00000000011C0000-memory.dmp

Filesize
4.0MB

Download
memory/8-52-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/8-29-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/312-40-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/312-39-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/312-55-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/388-69-0x00000000015A0000-0x00000000019A0000-memory.dmp

Filesize
4.0MB

Download
memory/388-23-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/388-24-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/388-50-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-1-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1672-4-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1672-146-0x0000000001650000-0x0000000001A50000-memory.dmp

Filesize
4.0MB

Download
memory/1672-3-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1672-56-0x0000000001650000-0x0000000001A50000-memory.dmp

Filesize
4.0MB

Download
memory/1672-5-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2420-46-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2420-66-0x00000000011F0000-0x00000000015F0000-memory.dmp

Filesize
4.0MB

Download
memory/2420-17-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2420-18-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2736-0-0x00007FFD8C680000-0x00007FFD8CA62000-memory.dmp

Filesize
3.9MB

Download
memory/2996-42-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2996-57-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2996-43-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3332-54-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3332-36-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3332-37-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3688-13-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3688-64-0x0000000000B80000-0x0000000000F80000-memory.dmp

Filesize
4.0MB

Download
memory/3688-45-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3688-14-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3740-47-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3740-20-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3740-21-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3740-77-0x0000000001020000-0x0000000001420000-memory.dmp

Filesize
4.0MB

Download
memory/4756-27-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4756-26-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4756-51-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4908-10-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4908-11-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4908-72-0x00007FFDA9F50000-0x00007FFDAA145000-memory.dmp

Filesize
2.0MB

Download
memory/4908-61-0x00000000010C0000-0x00000000014C0000-memory.dmp

Filesize
4.0MB

Download
memory/4908-62-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4908-75-0x0000000076040000-0x0000000076255000-memory.dmp

Filesize
2.1MB

Download
memory/4984-79-0x0000000076040000-0x0000000076255000-memory.dmp

Filesize
2.1MB

Download
memory/4984-7-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4984-76-0x00007FFDA9F50000-0x00007FFDAA145000-memory.dmp

Filesize
2.0MB

Download
memory/4984-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4984-49-0x0000000000D20000-0x0000000001120000-memory.dmp

Filesize
4.0MB

Download
memory/4984-63-0x0000000000D20000-0x0000000001120000-memory.dmp

Filesize
4.0MB

Download
memory/4984-44-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4984-147-0x0000000000D20000-0x0000000001120000-memory.dmp

Filesize
4.0MB

Download
memory/5040-34-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5040-33-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5040-53-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download