Overview

Task scores from the overview tab. Sample names are shown as the tab displays them (truncated); the full names are listed under Analysis. Platform for every behavioral task: windows10-2004-x64.

  Score  Sample
  10     Static
  10     08751be484...2d.dll
  10     0a9f79abd4...51.exe
  3      0di3x.exe
  10     4a30275f14...ab.dll
  10     2019-09-02...10.exe
  10     2c01b00772...eb.exe
  10     31.exe
  10     3DMark 11 ...on.exe
  3      42f9729255...61.exe
  10     5da0116af4...18.exe
  10     c2716fcc73...86.exe
  10     69c56d12ed...6b.exe
  10     905d572f23...50.exe
  10     948340be97...54.exe
  10     95560f1a46...f9.dll
  3      Archive.zi...3e.exe
  8      DiskIntern...en.exe
  3      f28e02bd1e...8a.exe
  10     ForceOp 2....ce.exe
  7      HYDRA.exe
  10     #/power.exe
  -      #/sant.exe
  -      #/ufx.exe
  -      #/va.exe
  -      KLwC6vii.exe
  1      Keygen.exe
  10     Lonelyscre...ox.exe
  3      LtHv0O2KZDK4M637.exe
  10     Magic_File...ja.exe
  3      OnlineInstaller.exe
  8      REVENGE-RAT.js
  10     Remouse.Mi...cg.exe
Analysis

  Max time kernel:   146s
  Max time network:  147s
  Platform:          windows10-2004_x64
  Resource:          win10v2004-20250502-en
  Resource tags:     arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:         04/05/2025, 04:56
Tasks (resource for every behavioral task: win10v2004-20250502-en)

  static1       Static task
  behavioral1   08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
  behavioral2   0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
  behavioral3   0di3x.exe
  behavioral4   4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab.dll
  behavioral5   2019-09-02_22-41-10.exe
  behavioral6   2c01b007729230c415420ad641ad92eb.exe
  behavioral7   31.exe
  behavioral8   3DMark 11 Advanced Edition.exe
  behavioral9   42f972925508a82236e8533567487761.exe
  behavioral10  5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  behavioral11  c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe
  behavioral12  69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  behavioral13  905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
  behavioral14  948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
  behavioral15  95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
  behavioral16  Archive.zip__ccacaxs2tbz2t6ob3e.exe
  behavioral17  DiskInternals_Uneraser_v5_keygen.exe
  behavioral18  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  behavioral19  ForceOp 2.8.7 - By RaiSence.exe
  behavioral20  HYDRA.exe
  behavioral21  #/power.exe
  behavioral22  #/sant.exe
  behavioral23  #/ufx.exe
  behavioral24  #/va.exe
  behavioral25  KLwC6vii.exe
  behavioral26  Keygen.exe
  behavioral27  Lonelyscreen.1.2.9.keygen.by.Paradox.exe
  behavioral28  LtHv0O2KZDK4M637.exe
  behavioral29  Magic_File_v3_keygen_by_KeygenNinja.exe
  behavioral30  OnlineInstaller.exe
  behavioral31  REVENGE-RAT.js
  behavioral32  Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
General (this report covers behavioral31, REVENGE-RAT.js)

  Target:  REVENGE-RAT.js
  Size:    1.2MB
  MD5:     8ff99e0a81c684cefbc2a752c44f30a1
  SHA1:    61b8dbc7483abcb72d2c633e6309feb26ac16eb0
  SHA256:  4f7aa725bb1c08b1ca9179e2efd09d48b62ad6a9cd89a1937ae3842363f5280e
  SHA512:  7aaee800cc8dbd8f2ededc4d0454476307c14621fde0c4edbe6d4088cb2dc2e9a2ab4d4f04891a2923cac10ed2c6d436d121f9a52f327e55096a318389ace364
  SSDEEP:  24576:ZU+R0Eg650x+M5+7Yzx0rpdizEAikr2d212SrO7cZbZ8xxTBE/lhEIirIzW0rvWx:v

A 1.2MB JScript file is far larger than any hand-written script. Together with the absence of network entries below and the immediate launch of tacbvfff.exe from %TEMP% by wscript.exe, the size is consistent with the executable payload being carried inside the script (as an encoded blob) rather than downloaded.
Malware Config (extracted)

  Family:     revengerat
  Botnet ID:  tenakt
  C2:         94.23.220.50:559
  Mutex:      RV_MUTEX-YtjWSTUKIWwi

The botnet ID recurs in the persistence artifacts: the Startup-folder file tenakt.js and the Run value tenakna (see Signatures). The mutex name is a usable host indicator for this build.
Signatures

RevengeRAT (family: revengerat)
  Remote-access trojan with a wide range of capabilities.

Checks computer location settings  (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence. Both the script stage and the dropped EXE perform the check.
    Key value queried  \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation  wscript.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation  tacbvfff.exe

Drops startup file  (7 IoCs)
  All under C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. Note that inststa.exe is written by vbc.exe: it is the output of one of the runtime compilations in the process tree, placed directly in the Startup folder.
    File opened for modification  msta.exe     foldani.exe
    File created                  Cjnsta.vbs   foldani.exe
    File created                  tenakt.js    foldani.exe
    File created                  hadiya.lnk   foldani.exe
    File opened for modification  elBV.URL     foldani.exe
    File created                  inststa.exe  vbc.exe
    File created                  msta.exe     foldani.exe

Executes dropped EXE  (6 IoCs)
    4456 tacbvfff.exe
    4492 tacbvfff.exe
    5072 foldani.exe
    4732 foldani.exe
    1312 foldani.exe
    2848 foldani.exe

Uses the VBS compiler for execution  (1 TTP)
  The "compiler" here is vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework, not a VBScript engine. The process tree shows foldani.exe invoking it ten times with @response files in %TEMP%, i.e. the malware compiles code on the victim at run time, which keeps the final binaries out of the original sample.

Adds Run key to start application  (2 TTPs, 1 IoC)
    Set value (str)  \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tenakna = "C:\\Users\\Admin\\Documents\\foldani.exe"  foldani.exe

Suspicious use of SetThreadContext  (3 IoCs)
    PID 4456 tacbvfff.exe  set thread context of 4492  (target #92)
    PID 5072 foldani.exe   set thread context of 4732  (target #97)
    PID 1312 foldani.exe   set thread context of 2848  (target #135)
  In each case the target is a freshly started copy of the caller's own image, and the two pairs whose writes fall inside the logged window show seven WriteProcessMemory calls against the child where every ordinary launch in this report shows three. That is the RunPE/process-hollowing sequence: start a suspended copy of self, overwrite its image, point the main thread at the new entry point, resume. The SeDebugPrivilege adjustments below come from exactly these three target processes, so the hollowed copies are where the real payload runs.

Command and Scripting Interpreter: JavaScript  (1 TTP)
  The submitted REVENGE-RAT.js is run by wscript.exe (PID 2784).

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  (1 TTP, 27 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. All 27 IoCs are opens of the same key:
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by process: cvtres.exe 10, vbc.exe 10, foldani.exe 4, tacbvfff.exe 2, schtasks.exe 1.
  This key is read routinely by legitimate binaries when they initialise locale data, which is why the compiler and schtasks.exe appear here; on its own it is weak evidence. The Geo\Nation query above is the better geofence indicator.

Scheduled Task/Job: Scheduled Task  (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
    PID 5700 schtasks.exe
  Command (from the process tree): schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"

Suspicious use of AdjustPrivilegeToken  (3 IoCs)
    Token: SeDebugPrivilege  4492 tacbvfff.exe
    Token: SeDebugPrivilege  4732 foldani.exe
    Token: SeDebugPrivilege  2848 foldani.exe

Suspicious use of WriteProcessMemory  (64 IoCs; the report caps the list at 64 entries, so it ends mid-chain)
  Grouped by writer -> target (target image taken from the process tree); the trailing number is the sandbox's target process index.
    2784 wscript.exe   -> 4456 tacbvfff.exe   3 writes  (#88)
    4456 tacbvfff.exe  -> 4492 tacbvfff.exe   7 writes  (#92)
    4492 tacbvfff.exe  -> 5072 foldani.exe    3 writes  (#96)
    5072 foldani.exe   -> 4732 foldani.exe    7 writes  (#97)
    4732 foldani.exe   -> 1928 vbc.exe        3 writes  (#99)
    1928 vbc.exe       -> 1468 cvtres.exe     3 writes  (#101)
    4732 foldani.exe   -> 5700 schtasks.exe   3 writes  (#103)
    4732 foldani.exe   -> 2036 vbc.exe        3 writes  (#106)
    5116 cmd.exe       -> 1312 foldani.exe    3 writes  (#108)
    2036 vbc.exe       -> 3128 cvtres.exe     3 writes  (#109)
    4732 foldani.exe   -> 1524 vbc.exe        3 writes  (#110)
    1524 vbc.exe       -> 5208 cvtres.exe     3 writes  (#112)
    4732 foldani.exe   -> 4060 vbc.exe        3 writes  (#113)
    4060 vbc.exe       -> 408 cvtres.exe      3 writes  (#115)
    4732 foldani.exe   -> 1056 vbc.exe        3 writes  (#116)
    1056 vbc.exe       -> 552 cvtres.exe      3 writes  (#118)
    4732 foldani.exe   -> 6016 vbc.exe        3 writes  (#119)
    6016 vbc.exe       -> 804 cvtres.exe      3 writes  (#121)
    4732 foldani.exe   -> 228 vbc.exe         2 writes  (#122; list cut off here)
  Three writes per launch is the baseline for every plain CreateProcess in this report; only the two self-image launches that are also SetThreadContext targets exceed it.
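The SetThreadContext and WriteProcessMemory signatures above are only useful once they are joined: a thread-context change is interesting when the target runs the caller's own image, and the write count separates a hollowed child from a normal launch. The following is an added example, not code from the report or from the sandbox vendor. It parses IoC strings in the exact format printed above (a constructed excerpt is embedded), combines them with a pid-to-image map copied from the process tree, and flags every self-image SetThreadContext target; the three-write baseline is taken from this report's own data, not assumed to hold for other tooling.

```python
"""Flag RunPE-style process hollowing from sandbox memory-write telemetry.

Added example, not part of the report. Parses the flattened
"Suspicious use of WriteProcessMemory" / "SetThreadContext" IoC strings in
the format the report prints and combines them with a pid -> image map from
the process tree. A launch is flagged when a process sets the thread context
of a child running its own image; the write count is kept as supporting
evidence (every ordinary launch in this report shows three writes, the
hollowed children show seven).
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Record formats as printed in the report: "PID <writer> wrote to memory of
# <target> <writer> <writer image> <target #>", and the SetThreadContext analogue.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ \S+ \d+")

# Writes produced by an ordinary CreateProcess in this sandbox's telemetry
# (observed in the report: every non-hollowed launch shows exactly 3).
BASELINE_WRITES = 3

# Constructed excerpt of the report's WriteProcessMemory IoCs (repeats included).
WRITE_IOCS = " ".join(
    ["PID 2784 wrote to memory of 4456 2784 wscript.exe 88"] * 3
    + ["PID 4456 wrote to memory of 4492 4456 tacbvfff.exe 92"] * 7
    + ["PID 4492 wrote to memory of 5072 4492 tacbvfff.exe 96"] * 3
    + ["PID 5072 wrote to memory of 4732 5072 foldani.exe 97"] * 7
    + ["PID 4732 wrote to memory of 1928 4732 foldani.exe 99"] * 3
    + ["PID 5116 wrote to memory of 1312 5116 cmd.exe 108"] * 3
)
CTX_IOCS = (
    "PID 4456 set thread context of 4492 4456 tacbvfff.exe 92 "
    "PID 5072 set thread context of 4732 5072 foldani.exe 97 "
    "PID 1312 set thread context of 2848 1312 foldani.exe 135"
)
# pid -> image path, copied from the report's process tree.
PROCESSES = {
    2784: r"C:\Windows\system32\wscript.exe",
    4456: r"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe",
    4492: r"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe",
    5072: r"C:\Users\Admin\Documents\foldani.exe",
    4732: r"C:\Users\Admin\Documents\foldani.exe",
    1928: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
    5116: r"C:\Windows\system32\cmd.exe",
    1312: r"C:\Users\Admin\Documents\foldani.exe",
    2848: r"C:\Users\Admin\Documents\foldani.exe",
}


def write_counts(text):
    """Count WriteProcessMemory records per (writer pid, target pid)."""
    counts = Counter()
    for m in WRITE_RE.finditer(text):
        counts[(int(m[1]), int(m[2]))] += 1
    return counts


def image_name(pid, processes):
    """Lower-cased file name of a pid's image, or None if the tree lacks it."""
    path = processes.get(pid)
    return PureWindowsPath(path).name.lower() if path else None


def hollowing_findings(write_text, ctx_text, processes):
    """One finding per SetThreadContext record, with the same-image verdict."""
    writes = write_counts(write_text)
    findings = []
    for m in CTX_RE.finditer(ctx_text):
        parent, child = int(m[1]), int(m[2])
        p_img, c_img = image_name(parent, processes), image_name(child, processes)
        n = writes.get((parent, child), 0)
        findings.append({
            "parent": parent,
            "child": child,
            "image": c_img,
            "same_image": p_img is not None and p_img == c_img,
            "writes": n,
            "excess_writes": n > BASELINE_WRITES,
        })
    return findings


def flagged(findings):
    """Self-image SetThreadContext targets: the hollowed (second-stage) processes."""
    return [f for f in findings if f["same_image"]]


if __name__ == "__main__":
    for f in flagged(hollowing_findings(WRITE_IOCS, CTX_IOCS, PROCESSES)):
        print(f"{f['parent']} -> {f['child']} ({f['image']}): "
              f"{f['writes']} writes, excess={f['excess_writes']}")
```

The third pair (1312 -> 2848) is still flagged although its writes are missing from the excerpt, because the report's list is capped at 64 entries; the same-image test does not depend on the write count, which is only there to rank the finding.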
Processes

Two trees were recorded. The first is the submitted script and everything it spawned. The second is a parentless "cmd.exe /c C:\Users\Admin\Documents\foldani.exe" launch of the dropped executable; its memory-write record (target #108) falls between the schtasks call (#103) and the later compiles, which is consistent with the ten-minute task created in the first tree firing at creation time.

Chain in tree 1: wscript.exe runs the submitted .js, which launches tacbvfff.exe from %TEMP%. tacbvfff.exe starts a second copy of itself and overwrites it (SetThreadContext plus seven WriteProcessMemory calls); that copy enables SeDebugPrivilege and launches foldani.exe from Documents, which repeats the same self-hollowing. The hollowed foldani.exe (PID 4732) is the stage that persists: it sets the Run value tenakna, populates the Startup folder, creates the scheduled task bladzabi, and runs the Visual Basic .NET compiler ten times with response files in %TEMP% (each compile ends with cvtres.exe producing the resource section); one of those compiles writes inststa.exe straight into the Startup folder.

In the listings below, "System Language Discovery" abbreviates the signature "System Location Discovery: System Language Discovery". Indentation gives parent/child depth.

Tree 1

[PID 2784] C:\Windows\system32\wscript.exe
  cmd:  wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js
  sigs: Checks computer location settings; Suspicious use of WriteProcessMemory

  [PID 4456] C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
    cmd:  "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
    sigs: Executes dropped EXE; Suspicious use of SetThreadContext; System Language Discovery; Suspicious use of WriteProcessMemory

    [PID 4492] C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe  (SetThreadContext target of 4456)
      cmd:  "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
      sigs: Checks computer location settings; Executes dropped EXE; System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      [PID 5072] C:\Users\Admin\Documents\foldani.exe
        cmd:  "C:\Users\Admin\Documents\foldani.exe"
        sigs: Executes dropped EXE; Suspicious use of SetThreadContext; System Language Discovery; Suspicious use of WriteProcessMemory

        [PID 4732] C:\Users\Admin\Documents\foldani.exe  (SetThreadContext target of 5072)
          cmd:  "C:\Users\Admin\Documents\foldani.exe"
          sigs: Drops startup file; Executes dropped EXE; Adds Run key to start application; System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

          [PID 1928] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd:  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s3yawhkd.cmdline"
            sigs: Drops startup file; System Language Discovery; Suspicious use of WriteProcessMemory

            [PID 1468] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              cmd:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67447113EB944188B470959FC446B92.TMP"
              sigs: System Language Discovery

          [PID 5700] C:\Windows\SysWOW64\schtasks.exe
            cmd:  schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"
            sigs: System Language Discovery; Scheduled Task/Job: Scheduled Task

          [PID 2036] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd:  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cnjs1-ym.cmdline"
            sigs: System Language Discovery; Suspicious use of WriteProcessMemory

            [PID 3128] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              cmd:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB88D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50C0CC04EAFA498FB1F946123BF3F52A.TMP"
              sigs: System Language Discovery

          [PID 1524] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd:  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bi87h5gl.cmdline"
            sigs: System Language Discovery; Suspicious use of WriteProcessMemory

            [PID 5208] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              cmd:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB958.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40617EA1DC674011B1EA4BDECDBB5EDC.TMP"
              sigs: System Language Discovery

          [PID 4060] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd:  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9h6fh-xl.cmdline"
            sigs: System Language Discovery; Suspicious use of WriteProcessMemory

            [PID 408] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              cmd:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D8A4335FE244F8DA53D4A177AC8E3B5.TMP"
              sigs: System Language Discovery

          [PID 1056] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd:  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\amghu-qg.cmdline"
            sigs: System Language Discovery; Suspicious use of WriteProcessMemory

            [PID 552] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              cmd:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAFE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA45D28B6D9624C0288651E48D6FB4570.TMP"
              sigs: System Language Discovery

          [PID 6016] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd:  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p2uayopg.cmdline"
            sigs: System Language Discovery; Suspicious use of WriteProcessMemory

            [PID 804] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              cmd:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE48EE94B8204CEC99C7A87F591B30.TMP"
              sigs: System Language Discovery

          [PID 228] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd:  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gj61zpqu.cmdline"
            sigs: System Language Discovery

            [PID 1748] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              cmd:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AA5BF52C7249FDB13DAF30E5B6D534.TMP"
              sigs: System Language Discovery

          [PID 5200] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd:  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bptafiku.cmdline"
            sigs: System Language Discovery

            [PID 4956] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              cmd:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F753F9EBBA34DD3A14C9C3D60461DCC.TMP"
              sigs: System Language Discovery

          [PID 4752] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd:  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\to9pkma0.cmdline"
            sigs: System Language Discovery

            [PID 4872] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              cmd:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0B19E9034B04007AEB2CA6E95CA7013.TMP"
              sigs: System Language Discovery

          [PID 1964] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            cmd:  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ebn3p6hq.cmdline"
            sigs: System Language Discovery

            [PID 5488] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              cmd:  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD6F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1F79360256E4684AA5B2B95B341E12.TMP"
              sigs: System Language Discovery

Tree 2

[PID 5116] C:\Windows\system32\cmd.exe
  cmd:  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe
  sigs: Suspicious use of WriteProcessMemory

  [PID 1312] C:\Users\Admin\Documents\foldani.exe
    cmd:  C:\Users\Admin\Documents\foldani.exe
    sigs: Executes dropped EXE; Suspicious use of SetThreadContext; System Language Discovery

    [PID 2848] C:\Users\Admin\Documents\foldani.exe  (SetThreadContext target of 1312)
      cmd:  "C:\Users\Admin\Documents\foldani.exe"
      sigs: Executes dropped EXE; System Language Discovery; Suspicious use of AdjustPrivilegeToken
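The command lines in the tree are the part of this chain that survives into ordinary process-creation telemetry (Sysmon event 1, EDR process events), so they are the natural place to detect it without memory-write visibility. The following is an added example, not code from the report or the sandbox vendor: three small rules run over constructed events whose command lines mirror the tree above, plus two constructed benign look-alikes (a build-system compile and an administrator's daily task) to show the rules do not fire on them. The event field names are this example's own, and the parent of the wscript.exe event (explorer.exe) is an assumption, since the report does not show it.

```python
"""Command-line detections for the execution and persistence chain in this report.

Added example, not part of the report. The events are constructed to mirror
the process tree (plus two benign look-alikes); field names are this example's
own, not any particular EDR's schema.
"""
import re

# Directories an unprivileged user can write to; a task action or a compiler's
# parent living here is the suspicious part, not the tool itself.
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\(appdata|documents|downloads|desktop|public)\\")
# A script host launching a .js/.vbs/.wsf straight out of %TEMP%.
TEMP_SCRIPT = re.compile(r'(?i)\\users\\[^\\]+\\appdata\\local\\temp\\[^"\s]+\.(js|jse|vbs|vbe|wsf)\b')
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
COMPILERS = ("\\vbc.exe", "\\csc.exe")


def _opt(cmdline, name):
    """Value of a schtasks-style /name option, quoted or bare; None if absent."""
    m = re.search(r"(?i)/" + name + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m[1] if m[1] is not None else m[2]


def rule_script_from_temp(ev):
    if ev["image"].lower().endswith(SCRIPT_HOSTS) and TEMP_SCRIPT.search(ev["cmdline"]):
        return {"rule": "script_from_temp", "pid": ev["pid"], "detail": ev["cmdline"]}
    return None


def rule_runtime_compile(ev):
    """A .NET compiler fed a Temp response file by a parent in a user-writable path."""
    cl = ev["cmdline"].lower()
    if (ev["image"].lower().endswith(COMPILERS)
            and "/noconfig" in cl and ".cmdline" in cl
            and USER_WRITABLE.search(ev["parent_image"])):
        return {"rule": "runtime_compile", "pid": ev["pid"], "detail": ev["parent_image"]}
    return None


def rule_schtasks_user_path(ev):
    """schtasks /create whose action (/tr) lives in a user-writable directory."""
    cl = ev["cmdline"]
    if not ev["image"].lower().endswith("\\schtasks.exe") or "/create" not in cl.lower():
        return None
    target = _opt(cl, "tr")
    if not target or not USER_WRITABLE.search(target):
        return None
    sc = (_opt(cl, "sc") or "").lower()
    mo = _opt(cl, "mo")
    return {
        "rule": "schtasks_user_path",
        "pid": ev["pid"],
        "task": _opt(cl, "tn"),
        "target": target,
        # Interval only meaningful for /sc minute; tight loops like /mo 10 are the usual malware shape.
        "interval_minutes": int(mo) if sc == "minute" and mo and mo.isdigit() else None,
    }


RULES = (rule_script_from_temp, rule_runtime_compile, rule_schtasks_user_path)


def detect(events):
    """Apply every rule to every event; return the list of hits."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


FOLDANI = r"C:\Users\Admin\Documents\foldani.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
# Constructed events: the first four mirror the report's tree (parent of 2784 assumed),
# the last two are benign look-alikes that must not fire.
EVENTS = [
    {"pid": 2784, "image": r"C:\Windows\system32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js"},
    {"pid": 4732, "image": FOLDANI, "parent_image": FOLDANI, "cmdline": f'"{FOLDANI}"'},
    {"pid": 1928, "image": VBC, "parent_image": FOLDANI,
     "cmdline": f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\s3yawhkd.cmdline"'},
    {"pid": 5700, "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent_image": FOLDANI,
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"'},
    {"pid": 9001, "image": VBC,
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": f'"{VBC}" /noconfig @"C:\\Users\\dev\\AppData\\Local\\Temp\\build.cmdline"'},
    {"pid": 9002, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc daily /st 03:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\run.exe"'},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The compiler rule keys on the parent's location rather than on vbc.exe itself because build servers and developer machines run vbc.exe and csc.exe all day; the same applies to schtasks, where the /tr target under a user profile is what separates the sample's task from an administrator's.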
Network

No network entries are listed on the page for this task.

MITRE ATT&CK Enterprise v16

  Execution
    Command and Scripting Interpreter (2)
      JavaScript (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
      Scheduled Task (1)
Downloads (dropped files)

38 files were captured. The page gives sizes and hashes only, no paths or names. The 234KB entry (file 30) is the only one large enough to be a PE and is presumably one of the dropped executables; the remaining entries, from 145B to 1KB, are consistent in size with the compiler response files, sources and .tmp intermediates seen in the process tree, although the page does not map them.

  File 1  (496B)
    MD5:    cb76b18ebed3a9f05a14aed43d35fba6
    SHA1:   836a4b4e351846fca08b84149cb734cb59b8c0d6
    SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
    SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

  File 2  (284B)
    MD5:    6989ad9512c924a0d9771ce7e3360199
    SHA1:   1bcc5312adf332719db83156f493ad365f5bdec6
    SHA256: f80c2d143ea239ba9c96fda416193860cd3d3216e264b856466375bb14618168
    SHA512: 13a0b21b94c5865ec82e4d3d4fca50f2a1948428acc696601ced1f1bf1044338eb5aeee504ca645bd0f6e6c20b2869b832a7fb693618baea756e740af86d5536

  File 3  (177B)
    MD5:    641525a923e6f307e35ddf39b9947a72
    SHA1:   d5e91cbdcd7a66481ecf49f8357cbe387d98a6ac
    SHA256: e920aca86179bdfd27da029f820fd20457f928a52f9d8bd95e052dc948e6a9f0
    SHA512: d1ff6cc399398cedd7ec99c45e7ad4caf5f931547d228a34c5d12084380cf53fdc3474f98b4d786a111b86e789af29406e47907fcb74b09275644f2bca2f1621

  File 4  (1KB)
    MD5:    4fadf6cf53de00b132d72fa4ed8c649d
    SHA1:   36d8405ee1078ae8d24dcb445f4451f9905e1a64
    SHA256: fde7885b8d701002e8e670ba70b4bf6e5c774fffd4a7583d1b4b5071a36771c4
    SHA512: 09c8c93f0c80cb93723a26b6c312bbe3b9086b3213f7c57f016a63ede0ea44ad1fc85fd885021386572fc958d9ff302701f46327b2b4708de8d6c854af591254

  File 5  (1KB)
    MD5:    23cbfcc2ee9db14e6530926bf4d7ade3
    SHA1:   14d255afab9d0777356971d4ff668b9dce127031
    SHA256: 350f847ddec7c4cc611187d226b7e79118fe57eb6564423c9c379d572526dacd
    SHA512: d7e06f97b85d36528aae7e65251a7665680a82459e4a94c06162b6abf3a7393749e0cc7eaa5584a46fe1c39bda8391afced63adbd55ac21b5630916072a04251

  File 6  (1KB)
    MD5:    8e7b6b55bce97a45fd7fba176c40f10f
    SHA1:   cc22e898667676154e670ef8ac34d0ec11e4d809
    SHA256: a9f5a998fd4475d63cedbc02df320db48fad596d9957b5e56e27e6a94e7b0d85
    SHA512: f898594294ad6ec61404ce7ea96da4df249b6c1641a664263737a34c24821d65bc2ee77b86151329365745d76aa1a80dd24f6e7cd20c8873f8a469c7ba38a3c5

  File 7  (1KB)
    MD5:    7a419a7288ad9ee582377039b63cdf3d
    SHA1:   e8455311393b6733a1104324a769fa9cc9a4f7a6
    SHA256: f21532334fb25383d7cfb59c4a79280a89a13545178f8a8f34e8536e5e26b49f
    SHA512: 2d23f9852e2e35c49163abe29665d66291691924f8c9204ba7ceb5518a3ff8547e02963230c858106c076cf9491874e31984df676a24f959ddf0843ba330dfb4

  File 8  (1KB)
    MD5:    653b735ea453e488fa9d23c649e7dda2
    SHA1:   bfa18803857ef1fdeaceb3ee6dd90697187e2dfd
    SHA256: 4cf53ce0deeaa574b5bd07b1550bcc720f5bbabdad0d601b4eb3c3764253febc
    SHA512: d28d56d5e598fd8f2d1299147c92cb67f45d951f48f65bb6b1b2334cddf0c27c19bfc1feaf1d8864cbde45b23052a1dd11fcf11e107eb7648ecd52242edb6300

  File 9  (1KB)
    MD5:    502a795e1db98f66a5a7c185be4b9ce6
    SHA1:   59cce6726ff8bc8030dc2969a4163d064cbeed29
    SHA256: f83b71b25a644770e89f43db5477aa0480e8fca2b1dc00c57d329b4d393e1a2c
    SHA512: db05113b3e3368b6d94c37129fe5aacac7bea3c6ad88d73cbed5757d16362c70a61b98d0bca4afee28ae186d43c4eda16cf9e74d11ce948e97a1373c54cab1c8

  File 10  (1KB)
    MD5:    b8c5f2f67b243f7062803e736b249f75
    SHA1:   7f654b2422b2743550b1c584d7a4d32f12ec4c94
    SHA256: b891e092b57bee7cd4e10f22203173fae30dc3c00df1415fa31fb61a614e6a4a
    SHA512: 8b32554036ba08c380119e519c69818ea8c73945adb7096aec3b3a33c9c57f5215e92afa8ee5bc0fee43d6a5a7ac1ed86bdf9e596a7c0b1c4679d61f4747633a

  File 11  (1KB)
    MD5:    476bc46df752fe5791af619042c74ba9
    SHA1:   f73a42ce12bf16b5aab164f4c8c9fe4a1e4ce8b0
    SHA256: d7f24f8312afbe7b53566c367fe455b09a4b6d6b1b26a95541efdcd0d1b6dd65
    SHA512: c4146e43741722b2078b0eb85a981ccb91fffdb0582645f0cab82a064b5a21cc3322821725f9b6de5fa3f0943f4abe1a62e8eaf2a0e3b28339f09f6fbf8694f6

  File 12  (1KB)
    MD5:    1009714633e4b9b731f05272855db994
    SHA1:   821987f4a7986be1cc2b926c9b87f12992e95673
    SHA256: edbcc61360238a2e88628d9a67a32fea5275932f7d868b93b3edb88096b9e04a
    SHA512: bf99b79cf9564a03cb779c39ad5f9fd4ed1ffac95ac5b94dbbe0625c7b98368de55719efa5ff5a884c81222dadcf73f3102acd78250f74e3c50878a4d0b0e85a

  File 13  (1KB)
    MD5:    594483dca9d931d451beaffc0d63072d
    SHA1:   bbbd85befa7fec48484b5c30c782dbf75bb09657
    SHA256: a83c3e06c5e4bb2316e9d01f269df1fef9af2f19079ed86f69ed9d7e46834d59
    SHA512: fca648c890c27db89447ff8c200c762e167145206c2c8ae6966410a1676c8c09ecb8767e3d4a3ac3350cb0b32dabece7a5e8f2e42a52e79274b11e9201d8d862

  File 14  (285B)
    MD5:    9a478476d20a01771bcc5a342accfb4e
    SHA1:   314cd193e7dae0d95483be2eae5402ce5d215daa
    SHA256: e08019db10e6857bff648942f49ae96e3b9159b75e8e62643a8da0ff5b0f3a40
    SHA512: 56903e24de594dd009ee292ab91ba9333db2426c3da63ceba3242439a1fa5981f390f6185250cb53739e9cfd37dcec6e85bed5641d04f017e29016985cdd3f29

  File 15  (178B)
    MD5:    c19020ddf4ecc4a282d54055804aaefb
    SHA1:   7b08c2d7b559bc2e576534b4c86597bf5034e1db
    SHA256: ab930cd4877fb2d1976b22a988b058627978852aa3c3597cda872cb20608f2a6
    SHA512: 6a800832e46c7fd69d7c696a89471f4a349d5251245ec27761d154db7a5a7e829e389f3d45e115dfdff8ae9d1a4a63d2cbdc69564614c02e4bdfb87899588a41

  File 16  (274B)
    MD5:    05ab526df31c8742574a1c0aab404c5d
    SHA1:   5e9b4cabec3982be6a837defea27dd087a50b193
    SHA256: 0453a179e3926d451c45952c7704686fbe7f35ec91d2b3b4d9dc909f6b7a8430
    SHA512: 1575da9de9cc37d3fb9fdc2a14aeb56d1debfd09534f231a0eddec35cb20ed25032eb709cb907d5d504a450278fe810d6f297939f11b63935518a4bfeb1b4c40

  File 17  (167B)
    MD5:    927df2178ffd61baeb6b31e9bf308ff0
    SHA1:   7957687793dbe0b7b0d19648f394698bbba04d74
    SHA256: b297b6d38eb7e46a8dca875fd35a824f2dc81724ae1e5888a078f1e4e53d1ec9
    SHA512: 08fd0a3c62ef465d32a17497bdda41aa9939c38a0f5fd7b59a08caa6a27289dc111b70ae0c5adf9c45f8a3d90546ebda9bc846eb88ba7d7ce5d2d2240fa9d195

  File 18  (278B)
    MD5:    6d569859e5e2c6ed7c5f91d34ab9f56d
    SHA1:   7bcd42359b8049010a28b6441d585c955b238910
    SHA256: 3352cf84b9c7b33c2dd6e2194ff24e6a5bd0da7bb829c6cadcf9b33c65f21e78
    SHA512: accd61c856a1f862699566e9f0cea6a30ab0261fa5fd048a00a5a98bf827184ebfdf1c3c879987bb2210626e71c390f2f366bea02f9ec3219cce4c15ef7ea0d7

  File 19  (171B)
    MD5:    ea35c0f3524a0cb6e72c1e63e1c4789c
    SHA1:   07981f2d14cd2e2bcd2bed4cca4a28438775a9f2
    SHA256: fbe86cfc4aee627e9720de7d19ec4fb1cf800aaa991214875aac9e54d2a67a81
    SHA512: a4710131e5d43ba2dee9b063aa146009c998ebf2459e4b577b6c47bbda957a6985efb0c50edf7ad27f8c948e476b3a973e1c2247924a503c45bf0b604878db0b

  File 20  (268B)
    MD5:    fe8760874e21534538e34dc52009e8b0
    SHA1:   26a9ac419f9530d6045b691f3b0ecfed323be002
    SHA256: 1be68e1d0beb3861fd8a519cc4c4d0b4122cbea7109bcf3e08f294705579d439
    SHA512: 24c249972146048e134b86e909d51d04d3b821605cb08383921e80f6c3595dc65f9315abbd53704387bdda5c2691b5218658823f1de80e39d25152c9d367c6ed

  File 21  (161B)
    MD5:    39a1b8581de7b468b551987c83c44931
    SHA1:   cd47d9dcf7217cbab922e88d54841c2f22b1bf11
    SHA256: 12b85f21c2941a7582ffe268f7bcd7036f492b55b8a065a8d1f1ca8020234bae
    SHA512: e843c0e93b7c0c9a482d4978379e3d4f6762f607c9b18d64bda93ca172bfc4124f8a6347e70b9f9aa13816b7924fff74b39204ffdee42cba25e62a09b99706b5

  File 22  (287B)
    MD5:    9cc0fccb33a41b06335022ada540e8f9
    SHA1:   e3f1239c08f98d8fbf66237f34b54854ea7b799a
    SHA256: b3007d9bef050c2dd5b7c6376ccfc00929cd51f23fcd6cbc254b139ddaf81a49
    SHA512: 9558ae7a93851c901293c8971d141915ed99bbe98c23855e8d4584936bf3b793904ff452d61e620614cd90c7dc2f385f86fee73cfbe4e6ddf6ee9f71b8e2f6eb

  File 23  (180B)
    MD5:    a6de57ea84a8aad0add73d167785652d
    SHA1:   cea143c0787974cdf25cea69fe0c63115cd18251
    SHA256: 85c793fd9bafc22a13698d74be0d11febf8d4d5cffbb967a9bc338aaf993862d
    SHA512: db18126ccf309bf699ac05a93392c1cc50424694bd7c72d2017efb56c965ba16b65a2710d031520af1755807014139a25f8bd066812f4594a19057cd452372c0

  File 24  (288B)
    MD5:    af52f4c74c8b6e9be1a6ccd73d633366
    SHA1:   186f43720a10ffd61e5f174399fb604813cfc0a1
    SHA256: 2d85e489480ba62f161d16a8f46fb85083ab53f2d9efe702ce2e49e0d68eca07
    SHA512: c521dacb09ddfe56e326cf75f9f40adc269a9b48ea3217e55c6381e836d226066ecf9721650ce74aebb763cd1d22f3d1f06b4567ee7683ba83f5f00ef41ae99e

  File 25  (181B)
    MD5:    321779b1aea28844e1466f422fce8457
    SHA1:   4423ed8b2df7480058bdee4cd6e3ad07cd677fe7
    SHA256: a54318328a1f1a55158494c4712785ac7495c2b58208683f9a9f58d9ef013e9f
    SHA512: 2f8eaa44699c889d8a44065a91b03511c5a8d061e012d5f31fa584d20a50d3e983b53b9e3a3be038e59d4b8b85c3d414f6b0e746092730e85aa95ac19e706fd0

  File 26  (285B)
    MD5:    b34b98a6937711fa5ca663f0de61d5bb
    SHA1:   c371025912ab08ae52ff537aaa9cd924dbce6dcc
    SHA256: f1dbc184336bf86e88e1cbc422009ff85febd6bc887ae483bc10109f30ebf69a
    SHA512: 2c27a72d8a2d120a222add219a0e4f11af38421433210ced930c37ccb9a0cc419fe01e45c874aee2c99613785fa4d44a66fa73c41e4dce9810d4deb24476b98f

  File 27  (178B)
    MD5:    58387d26226361154a46be94db36c22c
    SHA1:   115e52a31ffff7c4242a0244949bb51b73e79bbe
    SHA256: 72475c3113d3719f6ab67504087c50afd2471d60b24e8cab3baaf5b4f04a1026
    SHA512: fdebc627125b10dbd34c61a49fb15dc3b151628a8402508a98dd4148eaa03eee198bdec4a1dc0e10db9271fae731875dbc6bd7b782c55276b07c487bfd72b5a8

  File 28  (145B)
    MD5:    61413d4417a1d9d90bb2796d38b37e96
    SHA1:   719fcd1e9c0c30c9c940b38890805d7a89fd0fe5
    SHA256: 24c081f2f8589c160e6c556507f9a9590983445b933ce6a73f889b5096c211d7
    SHA512: 9d8ef98bcae56a7abe678f08ba4ef76a135a14f6ca63c02a6e1ea2ddda233802e2aad6c4fc309026e16cd3a8e87a04fe6d4a0acfb9736cca6d670926c83d6cd4

  File 29  (195B)
    MD5:    dac23ecb8ec754caf9662040d9a9a2f7
    SHA1:   3f10fcb2f2551c0fc617bf049c53414f20267001
    SHA256: 7986cac0626be611ccba9154cd2e9125bf7bd2dce56efe920caa5b3c1201b6ba
    SHA512: 996780b8f8a69640e9da9a71c065da7e3b9cd709f51de8568172b5b58c36879fadc1c370fd308420c765082c608982988203417e10005c3c8441eb12bc3d9107

  File 30  (234KB)
    MD5:    3d3e7a0dc5fd643ca49e89c1a0c3bc4f
    SHA1:   30281283f34f39b9c4fc4c84712255ad0240e969
    SHA256: 32d49dc703d8c827ca9ff7d5389debf7314b062a989db36d1360aae21a77db0e
    SHA512: 93ae1ac6739d91488b88f487a252a411d85dc52a409489a61315235e4a3ec6a178cceac207426b779a1494ab792422263652f1ad310b8bab7ad296d2e7222e68

  File 31  (284B)
    MD5:    62caeb4021ea9d333101382b04d7ac1c
    SHA1:   ebe2bb042b8a9c6771161156d1abdce9d8d43367
    SHA256: e466fcc723dfa8d713c6e7c2208581f1c94ecf06a5dd2e3b83d3a93636badbd7
    SHA512: e283647c6e24d912833229ce80055d103359ace1e83c051227d40a672691491ef612ea639ebc896d01ff132c5f101132b5397e5c59a8ddbf11e58fdd2052247c

  File 32  (177B)
    MD5:    ca3c8f4a196157f4b2a6518060f34692
    SHA1:   e953cf6b2c29e890026990d9e9f29d8f20528d90
    SHA256: 98ff3da5b4b70da8877c8353d7564168d31fbaf4bd90ed524ba23a60b4cfb67a
    SHA512: dee3d64cc69b5a49e8ec2be8b7d65e4bcd0a5eda85e53d73df13910e230178843216e2b33b5339fe78ee45a8cd0b80296698baacf92f73c555f30454202cb147

  File 33  (668B)
    MD5:    3906bddee0286f09007add3cffcaa5d5
    SHA1:   0e7ec4da19db060ab3c90b19070d39699561aae2
    SHA256: 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
    SHA512: 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

  File 34  (644B)
    MD5:    dac60af34e6b37e2ce48ac2551aee4e7
    SHA1:   968c21d77c1f80b3e962d928c35893dbc8f12c09
    SHA256: 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
    SHA512: 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

  File 35  (644B)
    MD5:    55335ad1de079999f8d39f6c22fa06b6
    SHA1:   f54e032ad3e7be3cc25cd59db11070d303c2d46d
    SHA256: e05c551536a5ee7a7c82b70d01f0b893db89b3dab1cd4c56ea9580e3901071ac
    SHA512: ca8c2f680c3d6a61c8ad18b899f7d731f610dc043729a775fd6eade6e11332c1f32c7cf60464b6b3fd41aead9b0c65bc13934574740179931d931516c13027ca

  File 36  (684B)
    MD5:    8135713eeb0cf1521c80ad8f3e7aad22
    SHA1:   1628969dc6256816b2ab9b1c0163fcff0971c154
    SHA256: e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
    SHA512: a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

  File 37  (676B)
    MD5:    85c61c03055878407f9433e0cc278eb7
    SHA1:   15a60f1519aefb81cb63c5993400dd7d31b1202f
    SHA256: f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
    SHA512: 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

  File 38  (684B)
    MD5:    7a707b422baa7ca0bc8883cbe68961e7
    SHA1:   addf3158670a318c3e8e6fdd6d560244b9e8860e
    SHA256: 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
    SHA512: 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9