Overview (overview): 10
Static (static): 3
bootstrap.zip, windows7-x64: 1
bootstrap.zip, windows10-2004-x64: 3
bootstrap/...er.exe, windows7-x64: 10
bootstrap/...er.exe, windows10-2004-x64: 10
bootstrap/...64.dll, windows7-x64: 1
bootstrap/...64.dll, windows10-2004-x64: 6
bootstrap/...10.dll, windows7-x64: 1
bootstrap/...10.dll, windows10-2004-x64: 8
bootstrap/...11.dll, windows7-x64: 1
bootstrap/...11.dll, windows10-2004-x64: 8
bootstrap/...64.dll, windows7-x64: 10
bootstrap/...64.dll, windows10-2004-x64: 10
Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250207-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-02-2025 21:33
Static task
static1
Behavioral task
behavioral1
Sample
bootstrap.zip
Resource
win7-20250207-en
Behavioral task
behavioral2
Sample
bootstrap.zip
Resource
win10v2004-20250207-en
Behavioral task
behavioral3
Sample
bootstrap/bootstrapper.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
bootstrap/bootstrapper.exe
Resource
win10v2004-20250207-en
Behavioral task
behavioral5
Sample
bootstrap/tier0_s64.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
bootstrap/tier0_s64.dll
Resource
win10v2004-20250207-en
Behavioral task
behavioral7
Sample
bootstrap/vcruntime210.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
bootstrap/vcruntime210.dll
Resource
win10v2004-20250207-en
Behavioral task
behavioral9
Sample
bootstrap/vcruntime211.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
bootstrap/vcruntime211.dll
Resource
win10v2004-20250207-en
Behavioral task
behavioral11
Sample
bootstrap/vstdlib_s64.dll
Resource
win7-20250207-en
Behavioral task
behavioral12
Sample
bootstrap/vstdlib_s64.dll
Resource
win10v2004-20250207-en
General
-
Target
bootstrap/bootstrapper.exe
-
Size
633KB
-
MD5
a3d33d33f8b10595c252ee8e61a8892c
-
SHA1
f8bf529297b99ebdd0d6214a1a8a20bffb1bd875
-
SHA256
fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1
-
SHA512
5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0
-
SSDEEP
6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s
Malware Config
Signatures
-
Detects Rhadamanthys payload 43 IoCs
resource yara_rule behavioral4/memory/3504-3-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/3504-4-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/3504-2-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/3504-1-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/2564-7-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/2564-6-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/2564-11-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/788-12-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/788-10-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/788-9-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/1424-20-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/2628-18-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/1424-24-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/2592-27-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/4460-41-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/1112-50-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/1112-49-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/3408-47-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/3408-46-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/4004-44-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/4004-43-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 
behavioral4/memory/4460-40-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/1772-38-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/1772-37-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/1772-54-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/1112-58-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/640-59-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/3408-57-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/4004-56-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/4460-55-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/3344-53-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/2592-51-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/3344-34-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/3344-33-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/640-31-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/640-30-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/2628-23-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/4388-22-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/2592-26-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/1424-21-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/2628-17-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 behavioral4/memory/4388-16-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 
behavioral4/memory/4388-15-0x0000000000400000-0x0000000000481000-memory.dmp Rhadamanthys_v8 -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 21 IoCs
Each row records a process that created a child under a different parent. The parent here is PID 2468, which the process tree below shows as svchost.exe, so parent-child lineage alone appears not to tie those children back to the sample.
description | pid | Process | procid_target
PID 788 created 2468 | 788 | aspnet_wp.exe | 42
PID 3504 created 2468 | 3504 | aspnet_wp.exe | 42
PID 1424 created 2468 | 1424 | aspnet_wp.exe | 42
PID 2628 created 2468 | 2628 | aspnet_wp.exe | 42
PID 1772 created 2468 | 1772 | aspnet_wp.exe | 42
PID 2564 created 2468 | 2564 | ilasm.exe | 42
PID 4004 created 2468 | 4004 | aspnet_wp.exe | 42
PID 1112 created 2468 | 1112 | aspnet_wp.exe | 42
PID 2592 created 2468 | 2592 | csc.exe | 42
PID 3344 created 2468 | 3344 | aspnet_wp.exe | 42
PID 4460 created 2468 | 4460 | csc.exe | 42
PID 4388 created 2468 | 4388 | aspnet_wp.exe | 42
PID 4544 created 2468 | 4544 | aspnet_wp.exe | 42
PID 1472 created 2468 | 1472 | aspnet_wp.exe | 42
PID 440 created 2468 | 440 | csc.exe | 42
PID 1708 created 2468 | 1708 | csc.exe | 42
PID 2268 created 2468 | 2268 | csc.exe | 42
PID 4816 created 2468 | 4816 | aspnet_wp.exe | 42
PID 312 created 2468 | 312 | aspnet_wp.exe | 42
PID 3616 created 2468 | 3616 | aspnet_wp.exe | 42
PID 184 created 2468 | 184 | aspnet_wp.exe | 42
-
Enumerates VirtualBox registry keys 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest bootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF bootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo bootstrapper.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions bootstrapper.exe -
Looks for VMWare services registry key. 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmtools bootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMMEMCTL bootstrapper.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 36 4988 Process not Found -
Suspicious use of SetThreadContext 26 IoCs
description pid Process procid_target PID 1600 set thread context of 3504 1600 bootstrapper.exe 86 PID 1600 set thread context of 2564 1600 bootstrapper.exe 92 PID 1600 set thread context of 788 1600 bootstrapper.exe 93 PID 1600 set thread context of 2628 1600 bootstrapper.exe 94 PID 1600 set thread context of 4388 1600 bootstrapper.exe 95 PID 1600 set thread context of 1424 1600 bootstrapper.exe 96 PID 1600 set thread context of 2592 1600 bootstrapper.exe 98 PID 1600 set thread context of 640 1600 bootstrapper.exe 99 PID 1600 set thread context of 1104 1600 bootstrapper.exe 100 PID 1600 set thread context of 3344 1600 bootstrapper.exe 101 PID 1600 set thread context of 3484 1600 bootstrapper.exe 102 PID 1600 set thread context of 1772 1600 bootstrapper.exe 103 PID 1600 set thread context of 4460 1600 bootstrapper.exe 105 PID 1600 set thread context of 4004 1600 bootstrapper.exe 107 PID 1600 set thread context of 3408 1600 bootstrapper.exe 108 PID 1600 set thread context of 1112 1600 bootstrapper.exe 109 PID 1600 set thread context of 440 1600 bootstrapper.exe 144 PID 1600 set thread context of 1708 1600 bootstrapper.exe 146 PID 1600 set thread context of 4816 1600 bootstrapper.exe 147 PID 1600 set thread context of 1580 1600 bootstrapper.exe 149 PID 1600 set thread context of 2268 1600 bootstrapper.exe 151 PID 1600 set thread context of 3616 1600 bootstrapper.exe 152 PID 1600 set thread context of 4544 1600 bootstrapper.exe 153 PID 1600 set thread context of 1472 1600 bootstrapper.exe 154 PID 1600 set thread context of 312 1600 bootstrapper.exe 155 PID 1600 set thread context of 184 1600 bootstrapper.exe 156 -
Program crash 9 IoCs
pid | pid_target | Process | procid_target
1536 | 3484 | WerFault.exe |
516 | 1104 | WerFault.exe |
1212 | 788 | WerFault.exe | 93
1944 | 1112 | WerFault.exe | 109
2612 | 3504 | WerFault.exe | 86
4032 | 4544 | WerFault.exe | 153
3692 | 1472 | WerFault.exe | 154
3980 | 440 | WerFault.exe | 144
1916 | 1708 | WerFault.exe | 146
-
System Location Discovery: System Language Discovery 1 TTPs 46 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ilasm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_wp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fontdrvhost.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
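Adversaries may check for Internet connectivity on compromised systems. In this run the only matching process is MicrosoftEdgeUpdate.exe (PID 64), which the process tree lists at the top level with a /ping argument rather than under bootstrapper.exe, so this hit is likely the sandbox image's own updater and should be confirmed before attributing it to the sample.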
pid Process 64 MicrosoftEdgeUpdate.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1600 bootstrapper.exe 3504 aspnet_wp.exe 3504 aspnet_wp.exe 788 aspnet_wp.exe 788 aspnet_wp.exe 1424 aspnet_wp.exe 1424 aspnet_wp.exe 3504 aspnet_wp.exe 3504 aspnet_wp.exe 2564 ilasm.exe 2564 ilasm.exe 4388 aspnet_wp.exe 4388 aspnet_wp.exe 788 aspnet_wp.exe 788 aspnet_wp.exe 2628 aspnet_wp.exe 2628 aspnet_wp.exe 1772 aspnet_wp.exe 1772 aspnet_wp.exe 2564 ilasm.exe 2564 ilasm.exe 4004 aspnet_wp.exe 4004 aspnet_wp.exe 1112 aspnet_wp.exe 1112 aspnet_wp.exe 2592 csc.exe 2592 csc.exe 1424 aspnet_wp.exe 1424 aspnet_wp.exe 3344 aspnet_wp.exe 3344 aspnet_wp.exe 2628 aspnet_wp.exe 2628 aspnet_wp.exe 1772 aspnet_wp.exe 1772 aspnet_wp.exe 4460 csc.exe 4460 csc.exe 4460 csc.exe 4460 csc.exe 4388 aspnet_wp.exe 4388 aspnet_wp.exe 4004 aspnet_wp.exe 4004 aspnet_wp.exe 1112 aspnet_wp.exe 1112 aspnet_wp.exe 2592 csc.exe 2592 csc.exe 3344 aspnet_wp.exe 3344 aspnet_wp.exe 4372 svchost.exe 4372 svchost.exe 4372 svchost.exe 4372 svchost.exe 2268 csc.exe 2268 csc.exe 4816 aspnet_wp.exe 4816 aspnet_wp.exe 1472 aspnet_wp.exe 1472 aspnet_wp.exe 440 csc.exe 440 csc.exe 1708 csc.exe 1708 csc.exe 4544 aspnet_wp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1600 bootstrapper.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 3504 1600 bootstrapper.exe 86 PID 1600 wrote to memory of 4124 1600 bootstrapper.exe 87 PID 1600 wrote to memory of 4124 1600 bootstrapper.exe 87 PID 1600 wrote to memory of 4124 1600 bootstrapper.exe 87 PID 1600 wrote to memory of 4280 1600 bootstrapper.exe 88 PID 1600 wrote to memory of 4280 1600 bootstrapper.exe 88 PID 1600 wrote to memory of 4280 1600 bootstrapper.exe 88 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 2564 1600 bootstrapper.exe 92 PID 1600 wrote to memory of 788 1600 bootstrapper.exe 93 PID 1600 wrote to memory of 788 1600 bootstrapper.exe 93 PID 1600 wrote to memory of 788 1600 bootstrapper.exe 93 PID 1600 wrote to memory of 788 1600 bootstrapper.exe 93 PID 1600 wrote to memory of 788 1600 bootstrapper.exe 93 PID 1600 wrote to memory of 788 1600 
bootstrapper.exe 93 PID 1600 wrote to memory of 788 1600 bootstrapper.exe 93 PID 1600 wrote to memory of 788 1600 bootstrapper.exe 93 PID 1600 wrote to memory of 788 1600 bootstrapper.exe 93 PID 1600 wrote to memory of 788 1600 bootstrapper.exe 93 PID 1600 wrote to memory of 788 1600 bootstrapper.exe 93 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 2628 1600 bootstrapper.exe 94 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 4388 1600 bootstrapper.exe 95 PID 1600 wrote to memory of 1424 1600 bootstrapper.exe 96 PID 1600 wrote to memory of 1424 1600 bootstrapper.exe 96 PID 1600 wrote to memory of 1424 1600 bootstrapper.exe 96
Processes
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | 1⤵ | PID:2468
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2940
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4372
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2968
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2536
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:5096
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3192
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1084
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1352
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:4032
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:896
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3660
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1400
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:4808
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2540
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:4444
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2016
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1420
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:5072
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:232
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1532
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2220
-
-
C:\Users\Admin\AppData\Local\Temp\bootstrap\bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\bootstrap\bootstrapper.exe"1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare services registry key.
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3504 -
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 332 | 3⤵
- Program crash
PID:2612
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:4124
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵PID:4280
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:788 -
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 352 | 3⤵
- Program crash
PID:1212
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2628
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4388
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:412
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2592
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- System Location Discovery: System Language Discovery
PID:640
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:1104
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 76 | 3⤵
- Program crash
PID:516
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3344
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:3484
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 76 | 3⤵
- Program crash
PID:1536
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:5028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1112 -
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 336 | 3⤵
- Program crash
PID:1944
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:3784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:440 -
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 336 | 3⤵
- Program crash
PID:3980
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:5068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1708 -
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 312 | 3⤵
- Program crash
PID:1916
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:4324
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵PID:2236
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2268
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
PID:3616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4544 -
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 336 | 3⤵
- Program crash
PID:4032
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1472 -
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 368 | 3⤵
- Program crash
PID:3692
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
PID:312
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
PID:184
-
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3484 -ip 3484 | 1⤵ | PID:4560
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1104 -ip 1104 | 1⤵ | PID:4244
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3504 -ip 3504 | 1⤵ | PID:3152
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 788 -ip 788 | 1⤵ | PID:2832
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1424 -ip 1424 | 1⤵ | PID:2884
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2628 -ip 2628 | 1⤵ | PID:3540
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1772 -ip 1772 | 1⤵ | PID:976
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2564 -ip 2564 | 1⤵ | PID:4272
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3408 -ip 3408 | 1⤵ | PID:3856
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4004 -ip 4004 | 1⤵ | PID:5052
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1112 -ip 1112 | 1⤵ | PID:5036
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 640 -ip 640 | 1⤵ | PID:4712
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2592 -ip 2592 | 1⤵ | PID:4016
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 3344 -ip 3344 | 1⤵ | PID:3356
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4388 -ip 4388 | 1⤵ | PID:4772
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4460 -ip 4460 | 1⤵ | PID:4824
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4544 -ip 4544 | 1⤵ | PID:4660
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 892 -p 1472 -ip 1472 | 1⤵ | PID:2008
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 440 -ip 440 | 1⤵ | PID:1372
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708 | 1⤵ | PID:3152
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 2268 -ip 2268 | 1⤵ | PID:876
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4816 -ip 4816 | 1⤵ | PID:2536
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 312 -ip 312 | 1⤵ | PID:1084
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 3616 -ip 3616 | 1⤵ | PID:868
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 184 -ip 184 | 1⤵ | PID:2448
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1580 -ip 1580 | 1⤵ | PID:2316
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjMxNjIxMTcwIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:64