rhadamanthys | a18fb19c7e1e805155fdd956e00046c6e492fce5b07aa1e21b688758ff8dbb22

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2025 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bootstrap/bootstrapper.exe
Size

633KB
MD5

a3d33d33f8b10595c252ee8e61a8892c
SHA1

f8bf529297b99ebdd0d6214a1a8a20bffb1bd875
SHA256

fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1
SHA512

5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0
SSDEEP

6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s

Score

10^/10

rhadamanthys defense_evasion discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 49 IoCs

resource	yara_rule
behavioral2/memory/1884-3-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/864-8-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/2164-40-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3088-56-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/2256-64-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/4720-63-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/2256-62-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/2256-61-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/4720-59-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/4720-58-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/116-55-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3088-54-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3088-53-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/116-51-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/116-50-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/232-48-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3444-47-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/232-46-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/232-45-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3444-43-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3444-42-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/380-39-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/2164-38-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/2164-37-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/380-35-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/380-34-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/1796-32-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3908-31-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/1796-30-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/1796-29-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3908-27-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3908-26-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3032-24-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3640-23-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3032-22-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/864-6-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3640-19-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3640-18-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/1800-16-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3032-21-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/4272-15-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/1800-14-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/1800-13-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/4272-11-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/4272-10-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/1884-7-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/864-5-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/1884-2-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/1884-1-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 19 IoCs

description	pid	Process	procid_target
PID 4272 created 2640	4272	csc.exe	44
PID 380 created 2640	380	aspnet_wp.exe	44
PID 864 created 2640	864	aspnet_wp.exe	44
PID 2164 created 2640	2164	aspnet_wp.exe	44
PID 3444 created 2640	3444	aspnet_wp.exe	44
PID 232 created 2640	232	aspnet_wp.exe	44
PID 116 created 2640	116	csc.exe	44
PID 3088 created 2640	3088	aspnet_wp.exe	44
PID 4720 created 2640	4720	csc.exe	44
PID 2256 created 2640	2256	aspnet_wp.exe	44
PID 3640 created 2640	3640	aspnet_wp.exe	44
PID 3032 created 2640	3032	aspnet_wp.exe	44
PID 1800 created 2640	1800	csc.exe	44
PID 3908 created 2640	3908	csc.exe	44
PID 1796 created 2640	1796	aspnet_wp.exe	44
PID 720 created 2640	720	csc.exe	44
PID 4932 created 2640	4932	aspnet_wp.exe	44
PID 3768 created 2640	3768	aspnet_wp.exe	44
PID 4168 created 2640	4168	aspnet_wp.exe	44

Enumerates VirtualBox registry keys 2 TTPs 3 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	bootstrapper.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	bootstrapper.exe

Looks for VMWare services registry key. 1 TTPs 2 IoCs

defense_evasion

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmtools	bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMMEMCTL	bootstrapper.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
35	2160	Process not Found

Suspicious use of SetThreadContext 26 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 1884	880	bootstrapper.exe	86
PID 880 set thread context of 864	880	bootstrapper.exe	87
PID 880 set thread context of 4272	880	bootstrapper.exe	89
PID 880 set thread context of 1800	880	bootstrapper.exe	92
PID 880 set thread context of 3640	880	bootstrapper.exe	93
PID 880 set thread context of 3032	880	bootstrapper.exe	94
PID 880 set thread context of 3908	880	bootstrapper.exe	96
PID 880 set thread context of 1796	880	bootstrapper.exe	97
PID 880 set thread context of 380	880	bootstrapper.exe	98
PID 880 set thread context of 2164	880	bootstrapper.exe	99
PID 880 set thread context of 3444	880	bootstrapper.exe	100
PID 880 set thread context of 232	880	bootstrapper.exe	101
PID 880 set thread context of 116	880	bootstrapper.exe	103
PID 880 set thread context of 3088	880	bootstrapper.exe	104
PID 880 set thread context of 4720	880	bootstrapper.exe	106
PID 880 set thread context of 2256	880	bootstrapper.exe	107
PID 880 set thread context of 320	880	bootstrapper.exe	148
PID 880 set thread context of 2404	880	bootstrapper.exe	149
PID 880 set thread context of 4168	880	bootstrapper.exe	150
PID 880 set thread context of 3768	880	bootstrapper.exe	151
PID 880 set thread context of 4216	880	bootstrapper.exe	152
PID 880 set thread context of 4460	880	bootstrapper.exe	153
PID 880 set thread context of 720	880	bootstrapper.exe	155
PID 880 set thread context of 448	880	bootstrapper.exe	157
PID 880 set thread context of 2004	880	bootstrapper.exe	158
PID 880 set thread context of 4932	880	bootstrapper.exe	159

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4544	3908	WerFault.exe	96
4104	2256	WerFault.exe	107
1152	3444	WerFault.exe	100
2764	2164	WerFault.exe	99
4160	3032	WerFault.exe	94
4524	1796	WerFault.exe	97
1076	320	WerFault.exe	148
3712	4216	WerFault.exe	152
3732	4460	WerFault.exe	153
1856	448	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3336	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
880	bootstrapper.exe
864	aspnet_wp.exe
864	aspnet_wp.exe
4272	csc.exe
4272	csc.exe
3032	aspnet_wp.exe
3032	aspnet_wp.exe
3640	aspnet_wp.exe
3640	aspnet_wp.exe
1800	csc.exe
1800	csc.exe
2256	aspnet_wp.exe
2256	aspnet_wp.exe
4720	csc.exe
4720	csc.exe
3088	aspnet_wp.exe
3088	aspnet_wp.exe
116	csc.exe
116	csc.exe
232	aspnet_wp.exe
232	aspnet_wp.exe
3444	aspnet_wp.exe
3444	aspnet_wp.exe
2164	aspnet_wp.exe
2164	aspnet_wp.exe
380	aspnet_wp.exe
380	aspnet_wp.exe
3908	csc.exe
3908	csc.exe
1796	aspnet_wp.exe
1796	aspnet_wp.exe
4272	csc.exe
4272	csc.exe
380	aspnet_wp.exe
380	aspnet_wp.exe
3908	csc.exe
3908	csc.exe
864	aspnet_wp.exe
864	aspnet_wp.exe
2164	aspnet_wp.exe
2164	aspnet_wp.exe
3444	aspnet_wp.exe
3444	aspnet_wp.exe
232	aspnet_wp.exe
232	aspnet_wp.exe
116	csc.exe
116	csc.exe
3088	aspnet_wp.exe
3088	aspnet_wp.exe
4720	csc.exe
4720	csc.exe
2256	aspnet_wp.exe
2256	aspnet_wp.exe
3640	aspnet_wp.exe
3640	aspnet_wp.exe
3032	aspnet_wp.exe
3032	aspnet_wp.exe
1800	csc.exe
1800	csc.exe
1796	aspnet_wp.exe
1796	aspnet_wp.exe
1108	fontdrvhost.exe
1108	fontdrvhost.exe
1108	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	bootstrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 1884	880	bootstrapper.exe	86
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 864	880	bootstrapper.exe	87
PID 880 wrote to memory of 5072	880	bootstrapper.exe	88
PID 880 wrote to memory of 5072	880	bootstrapper.exe	88
PID 880 wrote to memory of 5072	880	bootstrapper.exe	88
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 4272	880	bootstrapper.exe	89
PID 880 wrote to memory of 3604	880	bootstrapper.exe	91
PID 880 wrote to memory of 3604	880	bootstrapper.exe	91
PID 880 wrote to memory of 3604	880	bootstrapper.exe	91
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 1800	880	bootstrapper.exe	92
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3640	880	bootstrapper.exe	93
PID 880 wrote to memory of 3032	880	bootstrapper.exe	94
PID 880 wrote to memory of 3032	880	bootstrapper.exe	94
PID 880 wrote to memory of 3032	880	bootstrapper.exe	94

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2640
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1108
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1348
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1296
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1320
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4616
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2608
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3932
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:456
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4504
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4520
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3464
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1896
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5084
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4680
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476

C:\Users\Admin\AppData\Local\Temp\bootstrap\bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\bootstrap\bootstrapper.exe"
1⤵
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare services registry key.
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 336
    3⤵
    - Program crash
    PID:4160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 368
    3⤵
    - Program crash
    PID:4544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 336
    3⤵
    - Program crash
    PID:4524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 344
    3⤵
    - Program crash
    PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 336
    3⤵
    - Program crash
    PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 352
    3⤵
    - Program crash
    PID:4104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 304
    3⤵
    - Program crash
    PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:4168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:3768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 304
    3⤵
    - Program crash
    PID:3712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 304
    3⤵
    - Program crash
    PID:3732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 304
    3⤵
    - Program crash
    PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3908 -ip 3908
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1796 -ip 1796
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3032 -ip 3032
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3640 -ip 3640
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2256 -ip 2256
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4720 -ip 4720
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3088 -ip 3088
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 116 -ip 116
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 232 -ip 232
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 3444 -ip 3444
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2164 -ip 2164
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 864 -ip 864
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 380 -ip 380
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 4272 -ip 4272
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1884 -ip 1884
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4460 -ip 4460
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 448 -ip 448
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 320 -ip 320
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2404 -ip 2404
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 4216 -ip 4216
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 2004 -ip 2004
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 720 -ip 720
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 4932 -ip 4932
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 3768 -ip 3768
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4168 -ip 4168
1⤵
PID:4836

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0JBRTU5REMtNUEyOS00Qzg4LUFFMTYtODgwQjE1RDIxQTZGfSIgdXNlcmlkPSJ7REFDMUU2QTUtNkFDMi00NTcxLTlBMjAtQkI3NEFERTQyMkU2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjhEQkI4RDYtNThBMy00QjI0LUEyMEEtMUMxMDkwMkY1MzFCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzMzNDQzOTY3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/116-51-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/116-50-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/116-55-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/232-48-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/232-46-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/232-45-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/380-34-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/380-35-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/380-39-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/864-6-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/864-67-0x0000000000F80000-0x0000000001380000-memory.dmp

Filesize
4.0MB

Download
memory/864-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/864-5-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/880-0-0x00007FFDF9900000-0x00007FFDF9CE2000-memory.dmp

Filesize
3.9MB

Download
memory/1796-30-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1796-32-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1796-29-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1800-78-0x0000000001590000-0x0000000001990000-memory.dmp

Filesize
4.0MB

Download
memory/1800-13-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1800-14-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1800-16-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1884-1-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1884-65-0x00000000011C0000-0x00000000015C0000-memory.dmp

Filesize
4.0MB

Download
memory/1884-2-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1884-3-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1884-68-0x00000000011C0000-0x00000000015C0000-memory.dmp

Filesize
4.0MB

Download
memory/1884-7-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2164-38-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2164-37-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2164-40-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2256-64-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2256-61-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2256-62-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3032-73-0x0000000001050000-0x0000000001450000-memory.dmp

Filesize
4.0MB

Download
memory/3032-21-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3032-22-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3032-24-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3032-75-0x00007FFE17230000-0x00007FFE17425000-memory.dmp

Filesize
2.0MB

Download
memory/3088-56-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3088-53-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3088-54-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3444-42-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3444-43-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3444-47-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3640-19-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3640-18-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3640-76-0x0000000000D10000-0x0000000001110000-memory.dmp

Filesize
4.0MB

Download
memory/3640-23-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3908-26-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3908-31-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3908-27-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4272-70-0x00000000014E0000-0x00000000018E0000-memory.dmp

Filesize
4.0MB

Download
memory/4272-15-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4272-11-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4272-10-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4272-72-0x00007FFE17230000-0x00007FFE17425000-memory.dmp

Filesize
2.0MB

Download
memory/4720-63-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4720-59-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4720-58-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download