Analysis
max time kernel: 143s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/05/2025, 05:35
Tasks in this submission (task id: sample, resource)
static1: static analysis
behavioral1: 08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll, win10v2004-20250502-en
behavioral2: 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe, win10v2004-20250502-en
behavioral3: 0di3x.exe, win10v2004-20250502-en
behavioral4: 4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab.dll, win10v2004-20250502-en
behavioral5: 2019-09-02_22-41-10.exe, win10v2004-20250502-en
behavioral6: 2c01b007729230c415420ad641ad92eb.exe, win10v2004-20250502-en
behavioral7: 31.exe, win10v2004-20250314-en
behavioral8: 3DMark 11 Advanced Edition.exe, win10v2004-20250502-en
behavioral9: 42f972925508a82236e8533567487761.exe, win10v2004-20250502-en
behavioral10: 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe, win10v2004-20250502-en
behavioral11: c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe, win10v2004-20250502-en
behavioral12: 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe, win10v2004-20250314-en
behavioral13: 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe, win10v2004-20250502-en
behavioral14: 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe, win10v2004-20250502-en
behavioral15: 95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll, win10v2004-20250502-en
behavioral16: Archive.zip__ccacaxs2tbz2t6ob3e.exe, win10v2004-20250502-en
behavioral17: DiskInternals_Uneraser_v5_keygen.exe, win10v2004-20250502-en
behavioral18: f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe, win10v2004-20250502-en
behavioral19: ForceOp 2.8.7 - By RaiSence.exe, win10v2004-20250502-en
behavioral20: HYDRA.exe, win10v2004-20250502-en
behavioral21: #/power.exe, win10v2004-20250502-en
behavioral22: #/sant.exe, win10v2004-20250502-en
behavioral23: #/ufx.exe, win10v2004-20250502-en
behavioral24: #/va.exe, win10v2004-20250502-en
behavioral25: KLwC6vii.exe, win10v2004-20250502-en
behavioral26: Keygen.exe, win10v2004-20250502-en
behavioral27: Lonelyscreen.1.2.9.keygen.by.Paradox.exe, win10v2004-20250502-en
behavioral28: LtHv0O2KZDK4M637.exe, win10v2004-20250502-en
behavioral29: Magic_File_v3_keygen_by_KeygenNinja.exe, win10v2004-20250502-en
behavioral30: OnlineInstaller.exe, win10v2004-20250502-en
behavioral31: REVENGE-RAT.js, win10v2004-20250314-en (the task reported on this page)
behavioral32: Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe, win10v2004-20250502-en
General
Target: REVENGE-RAT.js
Size: 1.2MB
MD5: 8ff99e0a81c684cefbc2a752c44f30a1
SHA1: 61b8dbc7483abcb72d2c633e6309feb26ac16eb0
SHA256: 4f7aa725bb1c08b1ca9179e2efd09d48b62ad6a9cd89a1937ae3842363f5280e
SHA512: 7aaee800cc8dbd8f2ededc4d0454476307c14621fde0c4edbe6d4088cb2dc2e9a2ab4d4f04891a2923cac10ed2c6d436d121f9a52f327e55096a318389ace364
SSDEEP: 24576:ZU+R0Eg650x+M5+7Yzx0rpdizEAikr2d212SrO7cZbZ8xxTBE/lhEIirIzW0rvWx:v
Malware Config
Extracted
Family: revengerat
Botnet / campaign ID: tenakt
C2: 94.23.220.50:559
Mutex: RV_MUTEX-YtjWSTUKIWwi
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Revengerat family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation (tacbvfff.exe)

Drops startup file (7 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inststa.exe (vbc.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe (foldani.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe (foldani.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cjnsta.vbs (foldani.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tenakt.js (foldani.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hadiya.lnk (foldani.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\elBV.URL (foldani.exe)

Executes dropped EXE (6 IoCs)
- PID 1120 tacbvfff.exe
- PID 5464 tacbvfff.exe
- PID 4688 foldani.exe
- PID 3844 foldani.exe
- PID 5392 foldani.exe
- PID 5940 foldani.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tenakna = "C:\\Users\\Admin\\Documents\\foldani.exe" (foldani.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 1120 (tacbvfff.exe) set thread context of PID 5464 (report target id 93)
- PID 4688 (foldani.exe) set thread context of PID 3844 (report target id 97)
- PID 5392 (foldani.exe) set thread context of PID 5940 (report target id 134)
In all three cases the target is a freshly spawned copy of the caller's own image (see "Executes dropped EXE" above).

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 27 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
All 27 IoCs are the same operation, "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", by process:
- vbc.exe: 10
- cvtres.exe: 10
- foldani.exe: 4
- tacbvfff.exe: 2
- schtasks.exe: 1

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 5156 schtasks.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 5464 tacbvfff.exe
- Token: SeDebugPrivilege, PID 3844 foldani.exe
- Token: SeDebugPrivilege, PID 5940 foldani.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Writes grouped by writer PID (image) -> target PID [report target id]: count
- 5968 (wscript.exe) -> 1120 [85]: 3
- 1120 (tacbvfff.exe) -> 5464 [93]: 7
- 5464 (tacbvfff.exe) -> 4688 [96]: 3
- 4688 (foldani.exe) -> 3844 [97]: 7
- 3844 (foldani.exe) -> 432 [98]: 3
- 432 (vbc.exe) -> 3896 [100]: 3
- 3844 (foldani.exe) -> 5156 [102]: 3
- 3844 (foldani.exe) -> 844 [105]: 3
- 5440 (cmd.exe) -> 5392 [107]: 3
- 844 (vbc.exe) -> 5920 [108]: 3
- 3844 (foldani.exe) -> 3308 [109]: 3
- 3308 (vbc.exe) -> 5756 [111]: 3
- 3844 (foldani.exe) -> 4268 [112]: 3
- 4268 (vbc.exe) -> 5180 [114]: 3
- 3844 (foldani.exe) -> 5368 [115]: 3
- 5368 (vbc.exe) -> 5860 [117]: 3
- 3844 (foldani.exe) -> 5844 [118]: 3
- 5844 (vbc.exe) -> 3340 [120]: 3
- 3844 (foldani.exe) -> 3768 [121]: 2 (cut off by the 64-entry cap)
The two children that receive seven writes (5464 and 3844) are exactly the targets of the SetThreadContext calls above; every other parent/child pair, including benign spawns such as vbc.exe -> cvtres.exe, shows the same baseline of three writes. The third SetThreadContext pair (5392 -> 5940) falls outside the capped list.
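Read together, the SetThreadContext and WriteProcessMemory tables above give a workable detection: a parent that creates a child from its own image, writes into it noticeably more than ordinary process creation does, and then sets the child's thread context is the RunPE / process-hollowing pattern. The Python below is an added example (not part of the sandbox report and not code from the RevengeRAT sample) that parses rows in the exact text layout the report prints, derives the per-pair write baseline from the data, and labels each SetThreadContext call. The input rows are copied from the tables above (the WriteProcessMemory set abbreviated to the pairs that matter here); the verdict names and the "above baseline" rule are this example's own.

```python
import re
from collections import Counter, defaultdict

# Input copied from the report's "Suspicious use of SetThreadContext",
# "Suspicious use of WriteProcessMemory" and "Executes dropped EXE" tables.
# The WriteProcessMemory sample keeps only the pairs needed here; the report
# itself caps that table at 64 entries, so the 5392 -> 5940 pair never appears.
SET_THREAD_CONTEXT = """
PID 1120 set thread context of 5464 1120 tacbvfff.exe 93
PID 4688 set thread context of 3844 4688 foldani.exe 97
PID 5392 set thread context of 5940 5392 foldani.exe 134
"""

WRITE_PROCESS_MEMORY = (
    "PID 5968 wrote to memory of 1120 5968 wscript.exe 85\n" * 3
    + "PID 1120 wrote to memory of 5464 1120 tacbvfff.exe 93\n" * 7
    + "PID 5464 wrote to memory of 4688 5464 tacbvfff.exe 96\n" * 3
    + "PID 4688 wrote to memory of 3844 4688 foldani.exe 97\n" * 7
    + "PID 3844 wrote to memory of 432 3844 foldani.exe 98\n" * 3
    + "PID 432 wrote to memory of 3896 432 vbc.exe 100\n" * 3
    + "PID 3844 wrote to memory of 5156 3844 foldani.exe 102\n" * 3
    + "PID 5440 wrote to memory of 5392 5440 cmd.exe 107\n" * 3
)

EXECUTES_DROPPED_EXE = ("1120 tacbvfff.exe 5464 tacbvfff.exe 4688 foldani.exe "
                        "3844 foldani.exe 5392 foldani.exe 5940 foldani.exe")

# Row layout as printed in the report: "PID <src> <verb> <dst> <src> <image> <target id>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) \d+")
EXE_RE = re.compile(r"(\d+) (\S+)")


def parse_writes(text):
    """Count cross-process writes per (writer, target) pair; remember writer images."""
    writes, images = Counter(), {}
    for m in WPM_RE.finditer(text):
        src, dst, image = int(m[1]), int(m[2]), m[3]
        writes[(src, dst)] += 1
        images[src] = image
    return writes, images


def parse_images(exe_list):
    """PID -> image name from the 'Executes dropped EXE' row."""
    return {int(pid): image for pid, image in EXE_RE.findall(exe_list)}


def process_tree(writes):
    """Parent -> children edges. In this report every write goes from a parent to a
    process it spawned, so the write pairs double as the process tree."""
    tree = defaultdict(list)
    for src, dst in writes:
        tree[src].append(dst)
    return {parent: sorted(children) for parent, children in tree.items()}


def baseline_writes(writes):
    """Most common per-pair write count: what plain process creation costs here (3)."""
    return Counter(writes.values()).most_common(1)[0][0]


def hollowing_candidates(stc_text=SET_THREAD_CONTEXT, wpm_text=WRITE_PROCESS_MEMORY,
                         exe_list=EXECUTES_DROPPED_EXE):
    """Classify each SetThreadContext call. A same-image child that received more
    writes than the creation baseline is the RunPE / process-hollowing pattern."""
    writes, images = parse_writes(wpm_text)
    images.update(parse_images(exe_list))
    baseline = baseline_writes(writes)
    findings = []
    for m in STC_RE.finditer(stc_text):
        src, dst, src_image = int(m[1]), int(m[2]), m[3]
        child_image = images.get(dst, "unknown")
        n = writes[(src, dst)]
        same_image = child_image.lower() == src_image.lower()
        if same_image and n > baseline:
            verdict = "hollowing"
        elif same_image and n == 0:
            verdict = "hollowing-likely"   # write rows missing: table truncated at 64
        elif same_image:
            verdict = "suspicious"
        else:
            verdict = "injection"
        findings.append({"parent": src, "child": dst, "image": src_image,
                         "child_image": child_image, "writes": n,
                         "baseline": baseline, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates():
        print("{parent} -> {child} ({image}): {writes} writes vs baseline {baseline}: "
              "{verdict}".format(**f))
```

On the report's data this yields "hollowing" for 1120 -> 5464 and 4688 -> 3844 (7 writes against a baseline of 3) and "hollowing-likely" for 5392 -> 5940, whose write rows were cut off by the 64-entry cap. Deriving the baseline from the data rather than hard-coding 3 keeps the rule usable on reports from other sandboxes, where process creation may show a different count.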
Processes
Depth is shown by indentation; signatures hit by each process follow its command line.

- C:\Windows\system32\wscript.exe (PID 5968)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe (PID 1120)
    command line: "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe (PID 5464)
      command line: "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
      signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\Documents\foldani.exe (PID 4688)
        command line: "C:\Users\Admin\Documents\foldani.exe"
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\Documents\foldani.exe (PID 3844)
          command line: "C:\Users\Admin\Documents\foldani.exe"
          signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 432)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\okgxuz9q.cmdline"
            signatures: Drops startup file; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3896)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C011BE4E2B8459CB4829AAE1AB616BE.TMP"
              signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\schtasks.exe (PID 5156)
            command line: schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"
            signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 844)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aovtziup.cmdline"
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 5920)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES769.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B702E279FD24D3D91D657F99E5D7121.TMP"
              signatures: System Location Discovery: System Language Discovery
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3308)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-dplden3.cmdline"
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 5756)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C9C773E305141CF9AF5CB26AEA0AE72.TMP"
              signatures: System Location Discovery: System Language Discovery
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4268)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4uoaggvn.cmdline"
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 5180)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc571EAB8649254D6586665D6A452CC552.TMP"
              signatures: System Location Discovery: System Language Discovery
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 5368)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\baezgos0.cmdline"
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 5860)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC764551081DF4B4FB3D21DF781E69959.TMP"
              signatures: System Location Discovery: System Language Discovery
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 5844)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dmijdkfp.cmdline"
            signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3340)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF268CBDD3AD4D7BAD4D945C178516DC.TMP"
              signatures: System Location Discovery: System Language Discovery
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3768)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0x2e8bmd.cmdline"
            signatures: System Location Discovery: System Language Discovery
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4000)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C709D89767B4D41B1E094C37C1DDED.TMP"
              signatures: System Location Discovery: System Language Discovery
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 5100)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7wf9xlhu.cmdline"
            signatures: System Location Discovery: System Language Discovery
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2340)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40B1B31761174AE8A23ABEE17D96165D.TMP"
              signatures: System Location Discovery: System Language Discovery
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1100)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eug3i_x0.cmdline"
            signatures: System Location Discovery: System Language Discovery
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1848)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DCD01B537864FE09169F81892C6FBD3.TMP"
              signatures: System Location Discovery: System Language Discovery
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1592)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\265xc4ka.cmdline"
            signatures: System Location Discovery: System Language Discovery
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2000)
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAE052161794F87A0528CF0C2A1D3D2.TMP"
              signatures: System Location Discovery: System Language Discovery

Second tree (its parent is not shown in the report; the command matches the /tr action of the "bladzabi" task created above):
- C:\Windows\system32\cmd.exe (PID 5440)
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\foldani.exe (PID 5392)
    command line: C:\Users\Admin\Documents\foldani.exe
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
    - C:\Users\Admin\Documents\foldani.exe (PID 5940)
      command line: "C:\Users\Admin\Documents\foldani.exe"
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
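The process tree above contains four command-line shapes that a detection engineer would want to match directly: a script host run on a .js file in Temp, vbc.exe compiling a response file from Temp (the "Uses the VBS compiler for execution" signature), cvtres.exe writing its output into Temp, and a schtasks /create with a minute interval whose action sits under a user profile. The Python below is an added example, not part of the sandbox report: the rule names, regexes and the 15-minute threshold are this example's own, and the sample command lines are copied from the tree above (one per process type).

```python
import re

# Constructed sample: one command line per process type in the report's process tree,
# copied from that tree (PIDs omitted).
PROCESS_CMDLINES = [
    r'wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js',
    r'"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"',
    r'"C:\Users\Admin\Documents\foldani.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig '
    r'@"C:\Users\Admin\AppData\Local\Temp\okgxuz9q.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
    r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RES69D.tmp" '
    r'"C:\Users\Admin\AppData\Local\Temp\vbc1C011BE4E2B8459CB4829AAE1AB616BE.TMP"',
    r'schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"',
    r'C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe',
]

# Each rule: (name, regex over the whole command line). Names are this example's own.
RULES = [
    # Script host launched on a script file under %LOCALAPPDATA%\Temp
    ("script_host_from_temp",
     re.compile(r"(?i)\b[wc]script\.exe\b.*\\AppData\\Local\\Temp\\.*\.(?:js|jse|vbs|vbe|wsf)\b")),
    # VB.NET compiler fed a response file in Temp: source compiled at run time
    ("vbc_runtime_compile_from_temp",
     re.compile(r'(?i)\\vbc\.exe"?\s+/noconfig\s+@"?[^"]*\\Temp\\[^"]+\.cmdline')),
    # Resource converter (vbc's helper) writing its output into Temp
    ("cvtres_temp_output",
     re.compile(r'(?i)\\cvtres\.exe\b.*"/OUT:[^"]*\\Temp\\RES[0-9A-F]+\.tmp"')),
    # schtasks creating a minute-interval task whose action lives in a user profile
    ("schtasks_minute_user_profile",
     re.compile(r'(?i)\bschtasks\b.*/create\b.*/sc\s+minute\b.*/tr\s+"?C:\\Users\\')),
]

SCHTASKS_OPT = re.compile(r'/(sc|mo|tn|tr)\s+(?:"([^"]*)"|(\S+))', re.I)


def parse_schtasks(cmdline):
    """Pull the /sc /mo /tn /tr options out of a schtasks command line."""
    opts = {}
    for m in SCHTASKS_OPT.finditer(cmdline):
        opts[m[1].lower()] = m[2] if m[2] is not None else m[3]
    return opts


def schtasks_details(cmdline, max_minutes=15):
    """Explain why a schtasks /create line is worth an alert: a short minute
    interval and/or an action binary under a user profile (user-writable)."""
    opts = parse_schtasks(cmdline)
    minutes, reasons = None, []
    if opts.get("sc", "").lower() == "minute":
        minutes = int(opts.get("mo", "1"))      # schtasks' default modifier is 1
        if minutes <= max_minutes:
            reasons.append("runs every %d minute(s)" % minutes)
    if re.match(r"(?i)c:\\users\\", opts.get("tr", "")):
        reasons.append("action binary lives under a user profile")
    return {**opts, "interval_minutes": minutes, "reasons": reasons}


def scan(cmdlines=PROCESS_CMDLINES):
    """Run every rule over every command line; attach schtasks details where relevant."""
    hits = []
    for cmdline in cmdlines:
        for name, rx in RULES:
            if rx.search(cmdline):
                hit = {"rule": name, "cmdline": cmdline}
                if name == "schtasks_minute_user_profile":
                    hit["task"] = schtasks_details(cmdline)
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan():
        print(h["rule"], "<-", h["cmdline"])
        if "task" in h:
            print("   ", "; ".join(h["task"]["reasons"]))
```

The bare tacbvfff.exe, foldani.exe and cmd.exe lines produce no hits on their own; they are caught by the parent/child analysis of the WriteProcessMemory and SetThreadContext tables rather than by their command lines. The vbc.exe and cvtres.exe rules will also fire on legitimate .NET applications that use CodeDOM compilation at run time, so in production they belong in a correlation with the parent image (here a dropped executable under Documents) rather than as stand-alone alerts.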
Network
MITRE ATT&CK Enterprise v16
Execution
- Command and Scripting Interpreter (2)
  - JavaScript (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
Dropped files as listed by the report (file names are not included in this listing).

File 1, 496B
MD5: cb76b18ebed3a9f05a14aed43d35fba6
SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

File 2, 274B
MD5: 05ab526df31c8742574a1c0aab404c5d
SHA1: 5e9b4cabec3982be6a837defea27dd087a50b193
SHA256: 0453a179e3926d451c45952c7704686fbe7f35ec91d2b3b4d9dc909f6b7a8430
SHA512: 1575da9de9cc37d3fb9fdc2a14aeb56d1debfd09534f231a0eddec35cb20ed25032eb709cb907d5d504a450278fe810d6f297939f11b63935518a4bfeb1b4c40

File 3, 167B
MD5: 95829986be7c9262626f2aed55e21ce1
SHA1: fe9932cd01fac869842a95a9ed6c60066a57992c
SHA256: b186592e786b4da73db211bdf3b0b2b3b33ebe5310e2dcbbc62111fd437577eb
SHA512: 8ba6cbf6baf566a17d8d2699d06bb7ec5b2b3d1b5b29669074d1b16ad1f470571dfcae3a348271c8ac8b5e0b033b21d912f69fcbd3c93f077f9ff4ef209d58a0

File 4, 288B
MD5: af52f4c74c8b6e9be1a6ccd73d633366
SHA1: 186f43720a10ffd61e5f174399fb604813cfc0a1
SHA256: 2d85e489480ba62f161d16a8f46fb85083ab53f2d9efe702ce2e49e0d68eca07
SHA512: c521dacb09ddfe56e326cf75f9f40adc269a9b48ea3217e55c6381e836d226066ecf9721650ce74aebb763cd1d22f3d1f06b4567ee7683ba83f5f00ef41ae99e

File 5, 181B
MD5: 0c5207453ecb6ef089470a1a9d949db9
SHA1: 8f1a04eba0ddb8420557c8320bc4d28bf00dda54
SHA256: 6d70344df81a0b7e7ea9034f209ba5bceda573d8cb4df45213620e618e65b6d0
SHA512: a029f7ee69515fb37631636dc50c90f42fd7fd4abbcba55282aa529ba7d62ebd4829b16bb639952b5f093628fabbbf145339904549ea7acd3122bb5771f70c19

File 6, 287B
MD5: 9cc0fccb33a41b06335022ada540e8f9
SHA1: e3f1239c08f98d8fbf66237f34b54854ea7b799a
SHA256: b3007d9bef050c2dd5b7c6376ccfc00929cd51f23fcd6cbc254b139ddaf81a49
SHA512: 9558ae7a93851c901293c8971d141915ed99bbe98c23855e8d4584936bf3b793904ff452d61e620614cd90c7dc2f385f86fee73cfbe4e6ddf6ee9f71b8e2f6eb

File 7, 180B
MD5: aa87b9bc696a4c9b375bf139474a91f9
SHA1: 51bacc799ba1b05a6c8123b98e859851881abb94
SHA256: 6038d876b3b5365f937079ab5816df595c4bdd4261d084e3f87a51de54184730
SHA512: 5bb83c7adbaa12759914971e657e530d988277390d6e9bab22ae546b5ca3b807b2d6cdc22e07b2a860c98c382b8751426ac00948efb33b748ac30a7f39e22d9c

File 8, 284B
MD5: 6989ad9512c924a0d9771ce7e3360199
SHA1: 1bcc5312adf332719db83156f493ad365f5bdec6
SHA256: f80c2d143ea239ba9c96fda416193860cd3d3216e264b856466375bb14618168
SHA512: 13a0b21b94c5865ec82e4d3d4fca50f2a1948428acc696601ced1f1bf1044338eb5aeee504ca645bd0f6e6c20b2869b832a7fb693618baea756e740af86d5536

File 9, 177B
MD5: e2fd52b166fd21255b2e04b4ad6959ba
SHA1: e8e908c47f4e7bec0fc6dce6e1022cd47ca70430
SHA256: 719d73c8743f955bea6328e66947fcb0e70bcd1cb311028d6d380e305193b946
SHA512: 9c7fe273bf4e01bbf66422be82ef024ff3972c0c1650857b6b7449c569b96c163c339f564b22d799a07fbb44cdcc4e424498e1d0b2cba504f36c4e8913248499

File 10, 278B
MD5: 6d569859e5e2c6ed7c5f91d34ab9f56d
SHA1: 7bcd42359b8049010a28b6441d585c955b238910
SHA256: 3352cf84b9c7b33c2dd6e2194ff24e6a5bd0da7bb829c6cadcf9b33c65f21e78
SHA512: accd61c856a1f862699566e9f0cea6a30ab0261fa5fd048a00a5a98bf827184ebfdf1c3c879987bb2210626e71c390f2f366bea02f9ec3219cce4c15ef7ea0d7

File 11, 171B
MD5: faf4c0e3a225864e20e2cc570c0a546f
SHA1: c657c6f3d6e48ca9da82df206852079f26f3d9bc
SHA256: ba14a3dff90b7e9c3be6ba7a70c2f30dfe56275d16f239d64f07b22f1a9cc0b4
SHA512: 267416cd6790bd889eb930344e957a40c57caeb74426bd7f0eb0462b279dc98a1f49f120492c5392e32120a559475fead2b4937d25282f3e0f37892a5428c275

File 12, 1KB
MD5: 047257c23422193a6f1e51a7605cacc5
SHA1: a35b78e57bc7067916de254663ab2493d6798dcd
SHA256: 5473e4012b0b14483272088fa7e6cd2705c540a1d00e1a1dc99fe48089bbdaa4
SHA512: 23d13a7c43e1c028713dc3bce0d0efc189aac336357591dc70dc74d6135bea6e3c73a4ec0abd5af1988c9fbe75d8356003ab2422670d4f5b88586d35941a56d4

File 13, 1KB
MD5: 73f5d21bb55cd479ed4b11eae3addf49
SHA1: 98cebab43e0b3e38ebce2b4d0add92c6cbd9f998
SHA256: 5cee306f8e775a73be740ffd8ef61ea081648af0c2eb4b42fec0c49ac01e9080
SHA512: 9f2e09336f338de884e60ae228377acca997b1b6ff5623029e2cf6a07d226503d041797bd126d9f23fb9c256360145b1572c10ff06c3b9427a6457c953271ffb

File 14, 1KB
MD5: 879e5db3fe55931f89f1b2d4258cf2d7
SHA1: c5a7e0cd86c8d76f7b57313313919baaa208ca18
SHA256: 0d92e24abf268b440e0ab690d7cf6cc45427a762143ac476e1b77c85e14e41d2
SHA512: 3df941b35c3bcf1f0e0ce99a58f82d82894387a565893e4368edd97db7c5f0135f1d4e2e6e35af77f7ff839aa952d36399e35f250df06bc5dabea53fe7f78a5a

File 15, 1KB
MD5: dff3d0f7bdad6c85615311ff4abd4309
SHA1: 433b08f490d680535e5fddecd4061dce8d27454f
SHA256: b69e4c66e14ee2bbf3a2911eb9247d9b6e7fbd5a9f9f934f5d9428dfa656215b
SHA512: 68b1dad797d44d9cf307fa56135f2a64b23d597ae1f8513150a8ebbd4e7fa019850e4b9d4918be42b406b36b6a3407b0c2eb14e889007ca132509d24cdf37e28

File 16, 1KB
MD5: d70a83f130ec3f4dcdcac61b3df52a6c
SHA1: eb079919a0d48ea47724a05b242345da547932b3
SHA256: b06a7cd02363abd8e1af7bd49d9f14f015c553c0b677b7aa3bf2db0faf541041
SHA512: aac5514e81b61721bab728bf8b3224a6f0c141c736b52fbf0090a4ffafe665601c6bc1dec87dca81e536b5e2a1c0bf0023bbd5afc8d1bbe90bc12352d02f659d

File 17, 1KB
MD5: 23e656539e4827fe5507ae05d9b6ca84
SHA1: 3f8c0e6f7ea0557d1a50aadbea0012af3d2924ec
SHA256: 7f26502deebc09000eb6309a4c74b77b59b8ad1828a367f8224c43f133f60453
SHA512: 4cad9d2b2b4d7ce2281c4a00d2017e19201b9909583c55bc9e07c602112fe1bab4188ae0e75aac27a25b1f0429755834e31dc44313ee0c8e4c0f16f567b41cc8

File 18, 1KB
MD5: 7d99bb4d4b966492cb03dd3a6d17dc29
SHA1: affaaec319f2529e9673e5137d28e6ae5c7266aa
SHA256: 852a7fe830548d48b8a4677540515bea17ee07e563ba1e6060c842ed773e3393
SHA512: 652a223300a3ea60c1590a175e1385a4b63e38c65942796d4f735d9f837a288272cc3810513dc66edef9d6b9cd22526c27bbf3273aed6523d61480e67a79b8b6

File 19, 1KB
MD5: a1bce42051a3028135e1af5f8a9c25d7
SHA1: 4ab8c7132cccec032cd8a015b63b28d83d9a0872
SHA256: 99122603b00553f14607d1048be63c3b06bfaa8c4e5b97d8ec0f1bc4d64b63ab
SHA512: 21e269efcca21fc2d44efedca727998a7651f0a6a6042e34ea5fb543568cdfffe02fbaf160593187e84cc0afdd85e3526295a2ffbcd67e759fd5a82b6d54dc75

File 20, 1KB
MD5: 1405c00102c0eec6f7d59a7409d8e0ac
SHA1: f8e8102884c7f49bdef48f41f9aba631a2b5da4b
SHA256: e12c79c876f2ff7a0338796b53911206b00a86d5d16b994b0b511b1c0016b369
SHA512: a7b705876f2c180c2bfc656617037c47dfdaa05d6cb19483add9bec3d84fb318f475bd616837834e4bfb85dff43f6b8b5f178602c905aae9ca4f47cf36e20275

File 21, 1KB
MD5: 1a7c18f602a5d0c8342960e2b167279a
SHA1: 49c92082cc8c449dcc2bf35fc01691f70fd13ab8
SHA256: afde890996bb5c06a00de7ed834fe06abbf8aa9f399b78165691c458b9d4dd1c
SHA512: 1f194b1122288abfcd8f94a856cb605f96f675ced8693160539418ed53d2449c13ac55150c9918e238b833529dcb555746af4c560ea831a50a30b2f5635ca8c6

File 22, 268B
MD5: fe8760874e21534538e34dc52009e8b0
SHA1: 26a9ac419f9530d6045b691f3b0ecfed323be002
SHA256: 1be68e1d0beb3861fd8a519cc4c4d0b4122cbea7109bcf3e08f294705579d439
SHA512: 24c249972146048e134b86e909d51d04d3b821605cb08383921e80f6c3595dc65f9315abbd53704387bdda5c2691b5218658823f1de80e39d25152c9d367c6ed

File 23, 161B
MD5: 724bc5aa0023d90685df26b05ba62db7
SHA1: 77ec48c664f6f047ac18c074c8e8831851a18837
SHA256: 879532d0414284c3dc43f3fe491e51569d8de161de2d76c2d372d82bff7a2435
SHA512: ccf94b0cfa4add005f7c4057a9f672da4fa0efed5328f769a956f55101a65182dc2153047576820c0bd3fefcf2ae441688aa1c17f896dc2f060db31e488ecc58

File 24, 285B
MD5: 9a478476d20a01771bcc5a342accfb4e
SHA1: 314cd193e7dae0d95483be2eae5402ce5d215daa
SHA256: e08019db10e6857bff648942f49ae96e3b9159b75e8e62643a8da0ff5b0f3a40
SHA512: 56903e24de594dd009ee292ab91ba9333db2426c3da63ceba3242439a1fa5981f390f6185250cb53739e9cfd37dcec6e85bed5641d04f017e29016985cdd3f29

File 25, 178B
MD5: 9ad6c7fbedc6f5aaa11d18a80865369c
SHA1: 988aa45b54ee452ca07f928c3fa4d5e7cc3ad05a
SHA256: f50861465c131d99edd948cf33062d8c6a56c3729ed2004203f376b10b773775
SHA512: db0fb76d5ae9cb0a25d03ef31db2ceb0bf500d09f14ae66bfdee46e22ff9b30c99bdd35d5ff82fa7ab9a8d330d23c80f2ca197b4b60c638da8b1273c671b491f

File 26, 285B
MD5: b34b98a6937711fa5ca663f0de61d5bb
SHA1: c371025912ab08ae52ff537aaa9cd924dbce6dcc
SHA256: f1dbc184336bf86e88e1cbc422009ff85febd6bc887ae483bc10109f30ebf69a
SHA512: 2c27a72d8a2d120a222add219a0e4f11af38421433210ced930c37ccb9a0cc419fe01e45c874aee2c99613785fa4d44a66fa73c41e4dce9810d4deb24476b98f

File 27, 178B
MD5: 53b5d11283f0cc04bded44d4e216ef26
SHA1: 9e42f253de591d905177c509c1982a4053b9f6cc
SHA256: d882b647125e51b35d329e93a85b177e78a5825bdf74eec23e0e3633330a666b
SHA512: 4b3ce9dd5613773472e06d0926bb8ee129256d1da8458828e75c8f3b3b15cefedcf9677d06f311c04b8174b913029b76dc81a5990fc240547cc0030e8466788c

File 28, 284B
MD5: 62caeb4021ea9d333101382b04d7ac1c
SHA1: ebe2bb042b8a9c6771161156d1abdce9d8d43367
SHA256: e466fcc723dfa8d713c6e7c2208581f1c94ecf06a5dd2e3b83d3a93636badbd7
SHA512: e283647c6e24d912833229ce80055d103359ace1e83c051227d40a672691491ef612ea639ebc896d01ff132c5f101132b5397e5c59a8ddbf11e58fdd2052247c

File 29, 177B
MD5: 98b4b5492db88fd17a86bbf64d878540
SHA1: a079930e7cf854d68c11d5f2b272f4bdff2005fb
SHA256: 0c079f2e739961e5ff32c3af328828e3ed8c3ad0b49cc3a5e71deabd4ff1691e
SHA512: fe2af689a7fab5178362a649f0c956d21474165180d89591fdced491568c5cf32418604d0c9903034721f83af9f553e0ce9fc3624641926a156966a98965ead3

File 30, 145B
MD5: 61413d4417a1d9d90bb2796d38b37e96
SHA1: 719fcd1e9c0c30c9c940b38890805d7a89fd0fe5
SHA256: 24c081f2f8589c160e6c556507f9a9590983445b933ce6a73f889b5096c211d7
SHA512: 9d8ef98bcae56a7abe678f08ba4ef76a135a14f6ca63c02a6e1ea2ddda233802e2aad6c4fc309026e16cd3a8e87a04fe6d4a0acfb9736cca6d670926c83d6cd4

File 31, 195B
MD5: 9b62bc684f91132888761df7de8aea49
SHA1: e5d1fcc36293d7a2f9bcd2553556586c19ea07b4
SHA256: 46d1bc09c7e7694db0271913866ec0deabd66dc05d0893744823c5e741e0e9b1
SHA512: 0a768e9305baee87d3261956c7dd2b01b1daadac3d0118b5dfa9461ed8d160da3c7b6e190fa3f4f2d953b3ad04ff54f88eac32233db2e45bb51c58176d5f3ee6

File 32, 234KB
MD5: 3d3e7a0dc5fd643ca49e89c1a0c3bc4f
SHA1: 30281283f34f39b9c4fc4c84712255ad0240e969
SHA256: 32d49dc703d8c827ca9ff7d5389debf7314b062a989db36d1360aae21a77db0e
SHA512: 93ae1ac6739d91488b88f487a252a411d85dc52a409489a61315235e4a3ec6a178cceac207426b779a1494ab792422263652f1ad310b8bab7ad296d2e7222e68

File 33, 644B
MD5: 55335ad1de079999f8d39f6c22fa06b6
SHA1: f54e032ad3e7be3cc25cd59db11070d303c2d46d
SHA256: e05c551536a5ee7a7c82b70d01f0b893db89b3dab1cd4c56ea9580e3901071ac
SHA512: ca8c2f680c3d6a61c8ad18b899f7d731f610dc043729a775fd6eade6e11332c1f32c7cf60464b6b3fd41aead9b0c65bc13934574740179931d931516c13027ca

File 34, 668B
MD5: 3906bddee0286f09007add3cffcaa5d5
SHA1: 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256: 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512: 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

File 35, 644B
MD5: dac60af34e6b37e2ce48ac2551aee4e7
SHA1: 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256: 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512: 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

File 36, 684B
MD5: 8135713eeb0cf1521c80ad8f3e7aad22
SHA1: 1628969dc6256816b2ab9b1c0163fcff0971c154
SHA256: e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
SHA512: a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

File 37, 676B
MD5: 85c61c03055878407f9433e0cc278eb7
SHA1: 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256: f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512: 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

File 38, 684B
MD5: 7a707b422baa7ca0bc8883cbe68961e7
SHA1: addf3158670a318c3e8e6fdd6d560244b9e8860e
SHA256: 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
SHA512: 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9