xtremerat | 5de00dd1a531be0249d174d5542dac457d4019b5163ea64d18d116e2750327e1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
Size

180KB
MD5

c579c77aab7d55003e16ee77d8e871fe
SHA1

6766fa883b36c3fbe4237de3fcd35984f8043681
SHA256

5de00dd1a531be0249d174d5542dac457d4019b5163ea64d18d116e2750327e1
SHA512

ad6964673900df48a8c2599517324553fcf04d4b9ba605eb452c648a193780b6dc72720740b4c46d3311d85835f7c6fa823f79587f5903e9b237cf705a7b85ea
SSDEEP

3072:wW/p7H3PfZmVgu6madOO7vl3JosedK3zBnHc:wW/p7XpaF61sO7NZoseQ3lH

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 18 IoCs

resource	yara_rule
behavioral2/memory/2340-9-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/2340-8-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3988-10-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3988-11-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3608-21-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/3608-22-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/5076-29-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/5076-30-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1220-37-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1220-38-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4628-45-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4628-46-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1948-51-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1948-52-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1056-59-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/1056-60-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4488-67-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4488-68-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 4256 set thread context of 2340	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	82
PID 4256 set thread context of 224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	97
PID 4256 set thread context of 3324	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	105
PID 4256 set thread context of 2224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	113
PID 4256 set thread context of 3696	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	120
PID 4256 set thread context of 1092	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	127
PID 4256 set thread context of 4060	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	134
PID 4256 set thread context of 1532	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	141
PID 4256 set thread context of 4856	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	148
PID 4256 set thread context of 2740	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	155

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2340-4-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2340-5-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2340-3-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2340-7-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2340-9-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2340-8-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3988-10-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3988-11-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3608-21-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/3608-22-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/5076-29-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/5076-30-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1220-37-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1220-38-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4628-45-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4628-46-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1948-51-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1948-52-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1056-59-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/1056-60-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4488-67-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4488-68-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Program crash 20 IoCs

pid	pid_target	Process	procid_target
1780	3988	WerFault.exe	83
868	3988	WerFault.exe	83
1668	3608	WerFault.exe	98
3936	3608	WerFault.exe	98
4856	5076	WerFault.exe	106
2360	5076	WerFault.exe	106
5032	1220	WerFault.exe	114
64	1220	WerFault.exe	114
972	4628	WerFault.exe	121
2216	4628	WerFault.exe	121
812	1948	WerFault.exe	128
4424	1948	WerFault.exe	128
3484	1056	WerFault.exe	135
1364	1056	WerFault.exe	135
3136	4488	WerFault.exe	142
1444	4488	WerFault.exe	142
4544	2036	WerFault.exe	149
5064	2036	WerFault.exe	149
3100	3168	WerFault.exe	156
2144	3168	WerFault.exe	156

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 2340	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	82
PID 4256 wrote to memory of 2340	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	82
PID 4256 wrote to memory of 2340	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	82
PID 4256 wrote to memory of 2340	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	82
PID 4256 wrote to memory of 2340	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	82
PID 4256 wrote to memory of 2340	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	82
PID 4256 wrote to memory of 2340	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	82
PID 4256 wrote to memory of 2340	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	82
PID 2340 wrote to memory of 3988	2340	vbc.exe	83
PID 2340 wrote to memory of 3988	2340	vbc.exe	83
PID 2340 wrote to memory of 3988	2340	vbc.exe	83
PID 2340 wrote to memory of 3988	2340	vbc.exe	83
PID 2340 wrote to memory of 3528	2340	vbc.exe	84
PID 2340 wrote to memory of 3528	2340	vbc.exe	84
PID 2340 wrote to memory of 3528	2340	vbc.exe	84
PID 4256 wrote to memory of 224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	97
PID 4256 wrote to memory of 224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	97
PID 4256 wrote to memory of 224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	97
PID 4256 wrote to memory of 224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	97
PID 4256 wrote to memory of 224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	97
PID 4256 wrote to memory of 224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	97
PID 4256 wrote to memory of 224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	97
PID 4256 wrote to memory of 224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	97
PID 224 wrote to memory of 3608	224	vbc.exe	98
PID 224 wrote to memory of 3608	224	vbc.exe	98
PID 224 wrote to memory of 3608	224	vbc.exe	98
PID 224 wrote to memory of 3608	224	vbc.exe	98
PID 224 wrote to memory of 1588	224	vbc.exe	99
PID 224 wrote to memory of 1588	224	vbc.exe	99
PID 224 wrote to memory of 1588	224	vbc.exe	99
PID 4256 wrote to memory of 3324	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	105
PID 4256 wrote to memory of 3324	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	105
PID 4256 wrote to memory of 3324	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	105
PID 4256 wrote to memory of 3324	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	105
PID 4256 wrote to memory of 3324	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	105
PID 4256 wrote to memory of 3324	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	105
PID 4256 wrote to memory of 3324	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	105
PID 4256 wrote to memory of 3324	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	105
PID 3324 wrote to memory of 5076	3324	vbc.exe	106
PID 3324 wrote to memory of 5076	3324	vbc.exe	106
PID 3324 wrote to memory of 5076	3324	vbc.exe	106
PID 3324 wrote to memory of 5076	3324	vbc.exe	106
PID 3324 wrote to memory of 2716	3324	vbc.exe	107
PID 3324 wrote to memory of 2716	3324	vbc.exe	107
PID 3324 wrote to memory of 2716	3324	vbc.exe	107
PID 4256 wrote to memory of 2224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	113
PID 4256 wrote to memory of 2224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	113
PID 4256 wrote to memory of 2224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	113
PID 4256 wrote to memory of 2224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	113
PID 4256 wrote to memory of 2224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	113
PID 4256 wrote to memory of 2224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	113
PID 4256 wrote to memory of 2224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	113
PID 4256 wrote to memory of 2224	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	113
PID 2224 wrote to memory of 1220	2224	vbc.exe	114
PID 2224 wrote to memory of 1220	2224	vbc.exe	114
PID 2224 wrote to memory of 1220	2224	vbc.exe	114
PID 2224 wrote to memory of 1220	2224	vbc.exe	114
PID 2224 wrote to memory of 4412	2224	vbc.exe	115
PID 2224 wrote to memory of 4412	2224	vbc.exe	115
PID 2224 wrote to memory of 4412	2224	vbc.exe	115
PID 4256 wrote to memory of 3696	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	120
PID 4256 wrote to memory of 3696	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	120
PID 4256 wrote to memory of 3696	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	120
PID 4256 wrote to memory of 3696	4256	JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe	120

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c579c77aab7d55003e16ee77d8e871fe.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 468
      4⤵
      Program crash
      PID:1780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 488
      4⤵
      Program crash
      PID:868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3528
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 484
      4⤵
      Program crash
      PID:1668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 504
      4⤵
      Program crash
      PID:3936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1588
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 448
      4⤵
      Program crash
      PID:4856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 488
      4⤵
      Program crash
      PID:2360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2716
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 480
      4⤵
      Program crash
      PID:5032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 504
      4⤵
      Program crash
      PID:64
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4412
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3696
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 480
      4⤵
      Program crash
      PID:972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 488
      4⤵
      Program crash
      PID:2216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2904
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1092
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 480
      4⤵
      Program crash
      PID:812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 500
      4⤵
      Program crash
      PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4716
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4060
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 480
      4⤵
      Program crash
      PID:3484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 504
      4⤵
      Program crash
      PID:1364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4844
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1532
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 480
      4⤵
      Program crash
      PID:3136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 504
      4⤵
      Program crash
      PID:1444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1620
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 484
      4⤵
      Program crash
      PID:4544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 504
      4⤵
      Program crash
      PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3976
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 480
      4⤵
      Program crash
      PID:3100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 504
      4⤵
      Program crash
      PID:2144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3988 -ip 3988
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3988 -ip 3988
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3608 -ip 3608
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3608 -ip 3608
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5076 -ip 5076
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5076 -ip 5076
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1220 -ip 1220
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1220 -ip 1220
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4628 -ip 4628
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4628 -ip 4628
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1948 -ip 1948
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1948 -ip 1948
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1056 -ip 1056
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1056 -ip 1056
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4488 -ip 4488
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4488 -ip 4488
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2036 -ip 2036
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2036 -ip 2036
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3168 -ip 3168
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3168 -ip 3168
1⤵
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-60-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1056-59-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1220-37-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1220-38-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1948-52-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1948-51-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2340-7-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2340-3-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2340-8-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2340-4-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2340-9-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2340-5-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3608-21-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3608-22-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3988-10-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3988-11-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4256-13-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4256-0-0x0000000074B32000-0x0000000074B33000-memory.dmp

Filesize
4KB

Download
memory/4256-12-0x0000000074B32000-0x0000000074B33000-memory.dmp

Filesize
4KB

Download
memory/4256-2-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4256-1-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4488-67-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4488-68-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4628-45-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4628-46-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/5076-30-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/5076-29-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download