Overview

Submission score: 10 (highest task score)

Static task static1: score 10

Behavioral tasks (all on platform windows10-2004-x64, resource win10v2004-20250502-en). The score column is the per-task score shown on the overview; tasks without a score badge are marked "-".

behavioral1   score 10  08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
behavioral2   score 3   0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
behavioral3   score 10  0di3x.exe
behavioral4   score 10  4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab.dll
behavioral5   score 10  2019-09-02_22-41-10.exe
behavioral6   score 7   2c01b007729230c415420ad641ad92eb.exe
behavioral7   score 10  31.exe
behavioral8   score 3   3DMark 11 Advanced Edition.exe
behavioral9   score 10  42f972925508a82236e8533567487761.exe
behavioral10  score 10  5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
behavioral11  score 10  c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe
behavioral12  score 10  69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
behavioral13  score 10  905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
behavioral14  score 10  948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
behavioral15  score 5   95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
behavioral16  score 8   Archive.zip__ccacaxs2tbz2t6ob3e.exe
behavioral17  score 3   DiskInternals_Uneraser_v5_keygen.exe
behavioral18  score 10  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
behavioral19  score 7   ForceOp 2.8.7 - By RaiSence.exe
behavioral20  score 10  HYDRA.exe
behavioral21  score -   #/power.exe
behavioral22  score -   #/sant.exe
behavioral23  score -   #/ufx.exe
behavioral24  score -   #/va.exe
behavioral25  score 1   KLwC6vii.exe
behavioral26  score 10  Keygen.exe
behavioral27  score 3   Lonelyscreen.1.2.9.keygen.by.Paradox.exe
behavioral28  score 10  LtHv0O2KZDK4M637.exe
behavioral29  score 3   Magic_File_v3_keygen_by_KeygenNinja.exe
behavioral30  score 8   OnlineInstaller.exe
behavioral31  score 10  REVENGE-RAT.js
behavioral32  score 3   Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

Analysis (the remainder of this report is the behavioral31 run of REVENGE-RAT.js)

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/05/2025, 05:10
General

Target: REVENGE-RAT.js
Size: 1.2MB
MD5: 8ff99e0a81c684cefbc2a752c44f30a1
SHA1: 61b8dbc7483abcb72d2c633e6309feb26ac16eb0
SHA256: 4f7aa725bb1c08b1ca9179e2efd09d48b62ad6a9cd89a1937ae3842363f5280e
SHA512: 7aaee800cc8dbd8f2ededc4d0454476307c14621fde0c4edbe6d4088cb2dc2e9a2ab4d4f04891a2923cac10ed2c6d436d121f9a52f327e55096a318389ace364
SSDEEP: 24576:ZU+R0Eg650x+M5+7Yzx0rpdizEAikr2d212SrO7cZbZ8xxTBE/lhEIirIzW0rvWx:v

Malware Config (extracted)

Family: revengerat
ID: tenakt
C2: 94.23.220.50:559
Mutex: RV_MUTEX-YtjWSTUKIWwi

The C2 is a bare IP:port with no hostname, so a network block on 94.23.220.50 port 559 and a host check for the RV_MUTEX-YtjWSTUKIWwi mutex are the two cheapest indicators to act on; the ID string "tenakt" also reappears in the dropped Startup file tenakt.js below.
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Revengerat family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation  tacbvfff.exe

Drops startup file (7 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inststa.exe  vbc.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe     foldani.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe     foldani.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cjnsta.vbs   foldani.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tenakt.js    foldani.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hadiya.lnk   foldani.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\elBV.URL     foldani.exe
The Startup folder receives five different launcher types (.exe, .vbs, .js, .lnk, .URL) for the same payload; inststa.exe is written by vbc.exe, i.e. it is an assembly compiled on the box rather than a file carried in the dropper.

Executes dropped EXE (6 IoCs)
  PID 4760  tacbvfff.exe
  PID 884   tacbvfff.exe
  PID 4660  foldani.exe
  PID 2668  foldani.exe
  PID 3364  foldani.exe
  PID 3396  foldani.exe

Uses the VB.NET compiler for execution (1 TTPs)
vbc.exe under C:\Windows\Microsoft.NET\Framework\v2.0.50727 is the Visual Basic .NET command-line compiler, not the VBScript engine. The invocation seen in the process tree (vbc.exe /noconfig @<random>.cmdline, followed by a cvtres.exe child) is the footprint of .NET CodeDOM compiling source to an assembly at run time; it appears ten times here, each with a fresh random response-file name.

Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tenakna = "C:\\Users\\Admin\\Documents\\foldani.exe"  foldani.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 4760 tacbvfff.exe  set thread context of  884   (target 88)
  PID 4660 foldani.exe   set thread context of  2668  (target 93)
  PID 3364 foldani.exe   set thread context of  3396  (target 131)
In each case the parent rewrites the thread context of a child started from its own image, and the WriteProcessMemory list below shows seven writes into that child instead of the three seen for ordinary process creation. That pairing is process hollowing: the child is created suspended, its image is overwritten, and the entry point is redirected. The hollowed child (884, 2668, 3396) is the one that then drops files, sets the Run key and requests SeDebugPrivilege, so memory dumps should be taken from the child, not the launcher.

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 27 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by vbc.exe (10), cvtres.exe (10), foldani.exe (4), tacbvfff.exe (2), schtasks.exe (1)
Twenty-one of the 27 reads come from vbc.exe, cvtres.exe and schtasks.exe, which are Microsoft binaries initialising their own locale; only the foldani.exe and tacbvfff.exe reads are attributable to the malware.

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4720  schtasks.exe  (creates task "bladzabi" running C:\Users\Admin\Documents\foldani.exe every 10 minutes; full command line in the process tree)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 884   tacbvfff.exe
  Token: SeDebugPrivilege  PID 2668  foldani.exe
  Token: SeDebugPrivilege  PID 3396  foldani.exe

Suspicious use of WriteProcessMemory (64 IoCs)
The list stops at 64 rows, so the later vbc.exe/cvtres.exe pairs and the 3364 -> 3396 launch are not shown. Grouped by parent -> child:
  PID 4548 wscript.exe   -> 4760  (target 87)   3 writes
  PID 4760 tacbvfff.exe  -> 884   (target 88)   7 writes
  PID 884  tacbvfff.exe  -> 4660  (target 92)   3 writes
  PID 4660 foldani.exe   -> 2668  (target 93)   7 writes
  PID 2668 foldani.exe   -> 960   (target 94)   3 writes
  PID 960  vbc.exe       -> 2284  (target 96)   3 writes
  PID 2668 foldani.exe   -> 4720  (target 98)   3 writes
  PID 2668 foldani.exe   -> 3332  (target 101)  3 writes
  PID 4740 cmd.exe       -> 3364  (target 103)  3 writes
  PID 3332 vbc.exe       -> 4372  (target 104)  3 writes
  PID 2668 foldani.exe   -> 4812  (target 105)  3 writes
  PID 4812 vbc.exe       -> 3372  (target 107)  3 writes
  PID 2668 foldani.exe   -> 2444  (target 108)  3 writes
  PID 2444 vbc.exe       -> 3472  (target 110)  3 writes
  PID 2668 foldani.exe   -> 4668  (target 111)  3 writes
  PID 4668 vbc.exe       -> 4332  (target 113)  3 writes
  PID 2668 foldani.exe   -> 1676  (target 114)  3 writes
  PID 1676 vbc.exe       -> 776   (target 116)  3 writes
  PID 2668 foldani.exe   -> 3876  (target 117)  2 writes (list truncated here)
Every ordinary parent/child pair in this run shows exactly three writes, which is the loader populating the new process; only the two SetThreadContext pairs show seven.
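The SetThreadContext and WriteProcessMemory rows above only become a hollowing verdict once they are joined on the (parent, child) pair and the write count is compared with the three-write baseline that every ordinary launch in this run shows. The following Python is an added example of that correlation, written for this page; it is not code from the report or from the sandbox vendor. It assumes the row format shown above, a PID-to-image map copied from the process tree, and that three writes per launch is the baseline for this sandbox image (an observation from this report, not a general constant). Only a subset of the 64 rows is embedded, each repeated as often as the report lists it.

```python
import re
from collections import Counter

# One row of the report's "wrote to memory of" / "set thread context of" lists:
#   PID <parent> <op> <child> <parent> <parent image> <target id>
ROW = re.compile(
    r"PID (?P<parent>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<child>\d+) (?P=parent) (?P<image>\S+) (?P<target>\d+)$"
)

def parse_rows(text):
    """Return [(parent_pid, child_pid, op, parent_image)] for every well-formed row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m["parent"]), int(m["child"]), m["op"], m["image"]))
    return rows

def _rep(row, n):
    return "\n".join([row] * n)

# Constructed input: a subset of the report's WriteProcessMemory rows, each
# repeated as many times as the report lists it.
WPM_TEXT = "\n".join([
    _rep("PID 4548 wrote to memory of 4760 4548 wscript.exe 87", 3),
    _rep("PID 4760 wrote to memory of 884 4760 tacbvfff.exe 88", 7),
    _rep("PID 884 wrote to memory of 4660 884 tacbvfff.exe 92", 3),
    _rep("PID 4660 wrote to memory of 2668 4660 foldani.exe 93", 7),
    _rep("PID 2668 wrote to memory of 960 2668 foldani.exe 94", 3),
    _rep("PID 960 wrote to memory of 2284 960 vbc.exe 96", 3),
    _rep("PID 4740 wrote to memory of 3364 4740 cmd.exe 103", 3),
])
# All three SetThreadContext rows from the report.
STC_TEXT = """
PID 4760 set thread context of 884 4760 tacbvfff.exe 88
PID 4660 set thread context of 2668 4660 foldani.exe 93
PID 3364 set thread context of 3396 3364 foldani.exe 131
"""
# PID -> image name, copied from the process tree (first use of each PID).
IMAGES = {4548: "wscript.exe", 4760: "tacbvfff.exe", 884: "tacbvfff.exe",
          4660: "foldani.exe", 2668: "foldani.exe", 960: "vbc.exe", 2284: "cvtres.exe",
          4740: "cmd.exe", 3364: "foldani.exe", 3396: "foldani.exe"}

# Assumption: on this sandbox image an ordinary CreateProcess shows up as exactly
# three writes into the child (wscript->tacbvfff, cmd->foldani, vbc->cvtres above).
BASELINE_WRITES = 3

def correlate(wpm_rows, stc_rows, images):
    """Classify every parent->child pair that appears in either IoC list."""
    writes = Counter((p, c) for p, c, _, _ in wpm_rows)
    stc = {(p, c) for p, c, _, _ in stc_rows}
    findings = {}
    for p, c in sorted(set(writes) | stc):
        n = writes.get((p, c), 0)
        if (p, c) in stc and n > BASELINE_WRITES:
            verdict = "hollowing"              # context rewrite plus extra writes
        elif (p, c) in stc:
            verdict = "hollowing_unconfirmed"  # context rewrite, writes fell off the capped list
        elif n <= BASELINE_WRITES:
            verdict = "baseline_create"        # loader writes only
        else:
            verdict = "review"                 # extra writes without a context rewrite
        findings[(p, c)] = {
            "parent": images.get(p, "?"), "child": images.get(c, "?"),
            "writes": n, "set_thread_context": (p, c) in stc,
            "same_image": images.get(p) == images.get(c), "verdict": verdict,
        }
    return findings

HOLLOWING_FINDINGS = correlate(parse_rows(WPM_TEXT), parse_rows(STC_TEXT), IMAGES)

if __name__ == "__main__":
    for (p, c), f in HOLLOWING_FINDINGS.items():
        print(f"{p:>5} {f['parent']:<12} -> {c:>5} {f['child']:<12} writes={f['writes']} "
              f"stc={f['set_thread_context']} same_image={f['same_image']} {f['verdict']}")
```

The 3364 -> 3396 pair comes out as "hollowing_unconfirmed" because its writes were cut off by the 64-row cap; a rule that required the write count as well as the context rewrite would miss the relaunch chain entirely, which is why the two signals are scored separately.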
Processes

Each entry shows depth in brackets, image path and PID, then the command line, then the signatures that fired for that process.

[1] C:\Windows\system32\wscript.exe  PID 4548
    wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js
    Checks computer location settings; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe  PID 4760
      "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
      Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe  PID 884
        "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
        Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\Documents\foldani.exe  PID 4660
          "C:\Users\Admin\Documents\foldani.exe"
          Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\Documents\foldani.exe  PID 2668
            "C:\Users\Admin\Documents\foldani.exe"
            Drops startup file; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID 960
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ketljfyr.cmdline"
              Drops startup file; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 2284
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC3F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1592735C24D046A485936B9EBA6C6822.TMP"
                System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\schtasks.exe  PID 4720
              schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"
              System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID 3332
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pjxkzgrh.cmdline"
              System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 4372
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B6625449315408391E32C6D6AA0F6AC.TMP"
                System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID 4812
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tv8d9fii.cmdline"
              System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 3372
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CD017347A264B2EB9575A79CB9266E.TMP"
                System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID 2444
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ks3aeal5.cmdline"
              System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 3472
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF966AE98B94E434786A19EC5901CFA.TMP"
                System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID 4668
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wxln2hv-.cmdline"
              System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 4332
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFAA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5CF41B3890034FC0B55240DAF1F7DD2E.TMP"
                System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID 1676
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b6wa28ex.cmdline"
              System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 776
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF066.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2537EA5827D14851B87853BF2F353397.TMP"
                System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID 3876
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8jiuu6qn.cmdline"
              System Location Discovery: System Language Discovery
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 3192
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD737156C5AA547DFB570F4FB91D95D7E.TMP"
                System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID 4760 (PID reused after tacbvfff.exe 4760 exited)
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sinlewel.cmdline"
              System Location Discovery: System Language Discovery
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 2532
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF160.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E7B9E0031A544C2A310247F9774396C.TMP"
                System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID 2384
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6xcpfogb.cmdline"
              System Location Discovery: System Language Discovery
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 424
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B867A7274FE44FBAE31E7C8AC6444BF.TMP"
                System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID 2676
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j5hwri9v.cmdline"
              System Location Discovery: System Language Discovery
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 1152
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF23B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7D944F392DA4528861D5A75E84BF070.TMP"
                System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe  PID 4740
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe
    Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\Documents\foldani.exe  PID 3364
      C:\Users\Admin\Documents\foldani.exe
      Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\foldani.exe  PID 3396
        "C:\Users\Admin\Documents\foldani.exe"
        Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

The second root is a relaunch of foldani.exe through cmd.exe /c; it repeats the same self-hollowing step (3364 -> 3396) as the first chain, which is what the 10-minute scheduled task and the Startup-folder launchers are there to produce on every boot and every interval.
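The tree above carries three command-line patterns that a triage rule can key on without any API-level data: a script host launching an executable from the user's temp directory, vbc.exe run with /noconfig and an @ response file by a parent that itself lives in the user profile, and schtasks /create with a minute-granularity repeat pointing at a user-profile binary. The following Python is an added example of those rules run over a constructed copy of this tree; it is not code from the report or the sandbox vendor. The set of script hosts and compilers, the user-writable-path pattern and the 15-minute threshold are assumptions chosen for this example, and only one of the ten vbc.exe/cvtres.exe pairs is included.

```python
import re

# Constructed input: (pid, parent_pid, image_path, command_line) copied from the
# process tree above; only one of the ten vbc.exe/cvtres.exe pairs is included.
PROCESSES = [
    (4548, 0, r"C:\Windows\system32\wscript.exe",
     r"wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js"),
    (4760, 4548, r"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"'),
    (884, 4760, r"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"'),
    (4660, 884, r"C:\Users\Admin\Documents\foldani.exe", r'"C:\Users\Admin\Documents\foldani.exe"'),
    (2668, 4660, r"C:\Users\Admin\Documents\foldani.exe", r'"C:\Users\Admin\Documents\foldani.exe"'),
    (960, 2668, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ketljfyr.cmdline"'),
    (2284, 960, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC3F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1592735C24D046A485936B9EBA6C6822.TMP"'),
    (4720, 2668, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"'),
    (4740, 0, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe"),
    (3364, 4740, r"C:\Users\Admin\Documents\foldani.exe", r"C:\Users\Admin\Documents\foldani.exe"),
    (3396, 3364, r"C:\Users\Admin\Documents\foldani.exe", r'"C:\Users\Admin\Documents\foldani.exe"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}      # assumption: hosts worth flagging
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}                       # CodeDOM drives either of these
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)   # assumption: anything under a profile is user-writable
MAX_BENIGN_INTERVAL_MIN = 15                                    # assumption: tighter repeat interval is suspicious
SCHTASKS_OPT = re.compile(r'/(sc|mo|tn|tr)\s+(?:"([^"]*)"|(\S+))', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_schtasks(cmdline):
    """Pull /sc /mo /tn /tr out of a schtasks /create command line (quoted or bare values)."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SCHTASKS_OPT.finditer(cmdline)}

def triage(processes):
    """Return [(pid, rule, detail)] for every process that trips a rule."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        name = basename(image)
        parent = by_pid.get(ppid)
        pname = basename(parent[2]) if parent else ""
        low = cmdline.lower()
        # 1. script host -> executable in a user-writable path (wscript.exe -> tacbvfff.exe)
        if pname in SCRIPT_HOSTS and USER_WRITABLE.match(image):
            findings.append((pid, "script_host_dropper", f"{pname} launched {image}"))
        # 2. in-memory .NET compilation driven by a parent that lives in the user profile
        if (name in DOTNET_COMPILERS and "/noconfig" in low and "@" in low
                and parent and USER_WRITABLE.match(parent[2])):
            findings.append((pid, "runtime_dotnet_compile",
                             f"{pname} (pid {ppid}) ran {name} on a .cmdline response file"))
        # 3. schtasks /create with a short minute interval or a user-profile target
        if name == "schtasks.exe" and "/create" in low:
            o = parse_schtasks(cmdline)
            mo = o.get("mo", "1")
            interval = int(mo) if o.get("sc", "").lower() == "minute" and mo.isdigit() else None
            if (interval is not None and interval <= MAX_BENIGN_INTERVAL_MIN) or USER_WRITABLE.match(o.get("tr", "")):
                findings.append((pid, "schtasks_persistence",
                                 f'task "{o.get("tn")}" runs {o.get("tr")} (/sc {o.get("sc")} /mo {mo})'))
        # 4. cmd.exe relaunching a user-profile executable (the second root of the tree)
        if pname == "cmd.exe" and USER_WRITABLE.match(image):
            findings.append((pid, "cmd_relaunch_user_exe", f"cmd.exe relaunched {image}"))
    return findings

TREE_FINDINGS = triage(PROCESSES)

if __name__ == "__main__":
    for pid, rule, detail in TREE_FINDINGS:
        print(f"{pid:>5}  {rule:<24} {detail}")
```

Rule 2 deliberately keys on the parent's location rather than on vbc.exe itself: build agents and IDEs run vbc.exe constantly, but they do not live under C:\Users\<name>\Documents. Rule 3 fires on either condition so that a task with a long interval but a user-profile target is still caught.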
Network

MITRE ATT&CK Enterprise v16

Execution
  Command and Scripting Interpreter (2): JavaScript (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads (38 files; the report lists size and hashes only)

Filesize: 496B
MD5: cb76b18ebed3a9f05a14aed43d35fba6
SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

Filesize: 284B
MD5: 62caeb4021ea9d333101382b04d7ac1c
SHA1: ebe2bb042b8a9c6771161156d1abdce9d8d43367
SHA256: e466fcc723dfa8d713c6e7c2208581f1c94ecf06a5dd2e3b83d3a93636badbd7
SHA512: e283647c6e24d912833229ce80055d103359ace1e83c051227d40a672691491ef612ea639ebc896d01ff132c5f101132b5397e5c59a8ddbf11e58fdd2052247c

Filesize: 177B
MD5: bed06ac4148f4ae5d4a30918363d9b47
SHA1: 5c5111d6279af87ca5c4daa648a5b7040b25c5dc
SHA256: 43a50fc4d4133b3e1b960d686ce312ac2a08a23ff4569fd101f00e100aeffba1
SHA512: 062354a787351989c47cc8818fce7f3a5922920a84b9e3a0bbc91464f599e33292640a97c7bb100dd423a3dcaef86c4d5ce172c7f9638ffde8ddc58d6f85b239

Filesize: 288B
MD5: af52f4c74c8b6e9be1a6ccd73d633366
SHA1: 186f43720a10ffd61e5f174399fb604813cfc0a1
SHA256: 2d85e489480ba62f161d16a8f46fb85083ab53f2d9efe702ce2e49e0d68eca07
SHA512: c521dacb09ddfe56e326cf75f9f40adc269a9b48ea3217e55c6381e836d226066ecf9721650ce74aebb763cd1d22f3d1f06b4567ee7683ba83f5f00ef41ae99e

Filesize: 181B
MD5: 62b713417070f91f5b1af3ad022d7b39
SHA1: acd4d4a16b1fa495103872a99782950b46d5f8b7
SHA256: 1c9ffaec8a95793e353a6d7deab8c6d3048c365b40fd1fc5ce9a0b890776063b
SHA512: 69181ce1d49abb9c2e0ea8c2973aada49934b9501229827df03a3e0332b5922cfa83d57e7d882cb333a18b7ab19f0a2e31526149dba90770ec564044fbc0a3bf

Filesize: 1KB
MD5: 8205ed20f0ca1bc2440f35b24eff373a
SHA1: 36b7f1629ef0b6ce4a180622cb459f848f1531c9
SHA256: b0a4b8658564d1b8fd3ad135d29f7ba14e9e4755f2c068e57f026a7a2a712ece
SHA512: b31f41890d25b2c50f3d8b13823c84e4d9fd4848d81780133bd0ec811fff81754bad8ee0ded9531cf1d20bea72fffe24fe3fdd685b5918d3bad7a7ebcede707c

Filesize: 1KB
MD5: bc16ef00842fa7722b0006a27393d75f
SHA1: 63bf6fdfddba852e7764e57bcc62a818eb38f0d4
SHA256: 40c5fbc69bd4c9e3918085bbb8e9635048fb454574e7312d50568d6f456c0979
SHA512: 48f7ca550086b3c3f2e0f69543d56f7bb8a3841da47fd7b2475b5234953d3c56ac834c0747bd30af3c76fe8e871a1d3d0284929657df8af447c40d95365742ec

Filesize: 1KB
MD5: 36bac4922a56df7f569061899260abca
SHA1: 2fb07fca9dda3a4a62ca198617a3d874ecc6403c
SHA256: e7845f1a218390bf78e3aa0f292899121b7c1c3656bfb41957938efb59c67656
SHA512: ba6c61e00def241ee5e4f548fa429456361bc682d470684f9355bdc60ef13693c8670b5c960786e03a2c78f1769720f5dafc4d597bb48bbf2b291b4db2669c1a

Filesize: 1KB
MD5: 7eba78af372e297cff2f7e2ca70683df
SHA1: 2fdecd059601e3de662272f71e51f3b9929893e7
SHA256: 71805628a8fdd77c4619424147f59a8be167069fbd9982ac9e208c3b9ad9bfc6
SHA512: 2ca82f74e8a880614ce50f6967f7bfeea91edd5cb7b81755f7d545b6b2d3f1083a814c2e2a51f11c969e47da940d9f60e2697d4f8d349e64f8f8585da9c8f1db

Filesize: 1KB
MD5: b3b6acce38cb02596c1b9b4bc046e76e
SHA1: a95b23661e0bbd97ee0abc3a957e12d2b7ca3bca
SHA256: 9dc7d42f7cab415b2cea3614699d693eef11b5c89f5acd6db5f5e3d8006a01e4
SHA512: 317497844720d95e9a2b49e57e9d5475bb756ce7f3815cfd95b3c4035b18fe2bc13d043feee46b35e547a864662a1c5a4556ca81450b977426a0b0b0f10aba14

Filesize: 1KB
MD5: 148478b4c2b371e0e629fca5acb6b61c
SHA1: 18129ea8dadc8cb356ec8a52a1fde5695c48b536
SHA256: c54dc9addf7dc1b54991f782d055b202f93748e34b6df6a3f3ed12e1fe7e9b6b
SHA512: 0589c03a66620a762dcf5c16cf337b9a97507735981c32eaff900a25bdfedff4778cf686df882711bd9f3473d65450af3c6993c10fa31242a10c1244e2469f2c

Filesize: 1KB
MD5: 522f9d1e07a2a1e6767276dbcbe5ec8c
SHA1: a2c36f6089dc7a4d9ad490543063471e5d274d16
SHA256: ed61f843745dad50a2b8706a92bd3409ec576596736bda8d66f18863fafe9bbf
SHA512: 882659b5c1c1865b37cfa38305dba0fbb93411378fc7e2e8a58897f966d6b80885152fb6a3d0e196f54c8c2c70f23884992c99b2612cf03eb1981fdcfbe83d63

Filesize: 1KB
MD5: dc222ae00c9605cf8e2f6ec9dccd7a90
SHA1: ea9bde7e068023ac7496f8701792ef1df9376925
SHA256: bf06ff4f55c2f24a1dd45dbe02f18e6f8431f0cb0164976d954d94e559ac7d54
SHA512: d9aee9c7c4813c9a4636dd15ccbc88a8fa33d86ebb92acd0946ddc711522f9f47bff3ad92a8c85d53a64cf7b9bf58f2df5f02aebcd1fa6459af66c3259571b45

Filesize: 1KB
MD5: 4d6f633d78a3da13f0113e485227e978
SHA1: 9b0f0bd23f4d66f3566a7b6318ff9de682004d4d
SHA256: 866cea41a55241d1397ea6bc51a0809ff6d2831cff1570654d3f03d5437defa9
SHA512: 7b83164d34df6cef457c8a59f51738f5aaaf676701237dda8beb8696dfb7cc2630b2f0abbe50a57fe2fb96934b959181e82f38ad30b12e5c41ad76c1cddd2973

Filesize: 1KB
MD5: cbfdc694961ec4231f2802b8900a2c41
SHA1: 35a2d4109ecc605089515c9bfd58fb66df6bbc7b
SHA256: 3d855bd084368e88b68d32614641f09b9bc5c6784e25750800f43ed838f457b2
SHA512: ced0c1ec275f364acf5a70abfe431a2c87b83c75347dd86f4edf70e96e2a4bb5f903bcb4320259c33a1d6e6eb164cc040cc8c4da229c62afb05ff983a6a247ee

Filesize: 285B
MD5: b34b98a6937711fa5ca663f0de61d5bb
SHA1: c371025912ab08ae52ff537aaa9cd924dbce6dcc
SHA256: f1dbc184336bf86e88e1cbc422009ff85febd6bc887ae483bc10109f30ebf69a
SHA512: 2c27a72d8a2d120a222add219a0e4f11af38421433210ced930c37ccb9a0cc419fe01e45c874aee2c99613785fa4d44a66fa73c41e4dce9810d4deb24476b98f

Filesize: 178B
MD5: 5987a2bb89c64602bd77a8b3b86aa6e6
SHA1: df957f9d94e62760d646d4d4b3b469cd6960744a
SHA256: 6d46e6625a4ac608a391621548bfcb9065b43a0fa8e170f8e0a2e0f2600b2bd2
SHA512: b5076158e72ef831900f6d30b8ac1c9f79cbc409462634f8e2af93bd6ea7fc5ea98e73f8efd327d7076dbc75b8362ba76898c5d25eb0c9b123e1f8a803c107f7

Filesize: 287B
MD5: 9cc0fccb33a41b06335022ada540e8f9
SHA1: e3f1239c08f98d8fbf66237f34b54854ea7b799a
SHA256: b3007d9bef050c2dd5b7c6376ccfc00929cd51f23fcd6cbc254b139ddaf81a49
SHA512: 9558ae7a93851c901293c8971d141915ed99bbe98c23855e8d4584936bf3b793904ff452d61e620614cd90c7dc2f385f86fee73cfbe4e6ddf6ee9f71b8e2f6eb

Filesize: 180B
MD5: 01f98e049edd39792f8d6e76f729f837
SHA1: c0ed1af5bc696c4cf63ecf6ad624f1605198ce0e
SHA256: cd93930bc39664b0e6cd84ad889b4c5db05d9b1be6d39bf0a228f9aa3a7ca9fb
SHA512: 4ac11c15071c6674feeb5b07d881056ad4c530ef1286ecf72e12d5cdfdfd154490be2da7890c724a2af5f863d700a4ac381dfaef92ddbfa95a4501e8f079b081

Filesize: 145B
MD5: 61413d4417a1d9d90bb2796d38b37e96
SHA1: 719fcd1e9c0c30c9c940b38890805d7a89fd0fe5
SHA256: 24c081f2f8589c160e6c556507f9a9590983445b933ce6a73f889b5096c211d7
SHA512: 9d8ef98bcae56a7abe678f08ba4ef76a135a14f6ca63c02a6e1ea2ddda233802e2aad6c4fc309026e16cd3a8e87a04fe6d4a0acfb9736cca6d670926c83d6cd4

Filesize: 195B
MD5: 31a85935486e4a5cdbdff366163286b0
SHA1: cc8581f80ba150558274b0cfe48e1f66d39d8d79
SHA256: 2e7c3a1abacc8b5272e9389b67208a86f63eb43bf2d44eb25b028474c1cda917
SHA512: d02a41b8fe55ed2183b305003b0ff07e12ef1fc21aca30e1c2b9f45b2ac6c9f31c8c1b0df3c06cbc90c65d53462f7c72d9990870c771dda616606b1b618f2f21

Filesize: 284B
MD5: 6989ad9512c924a0d9771ce7e3360199
SHA1: 1bcc5312adf332719db83156f493ad365f5bdec6
SHA256: f80c2d143ea239ba9c96fda416193860cd3d3216e264b856466375bb14618168
SHA512: 13a0b21b94c5865ec82e4d3d4fca50f2a1948428acc696601ced1f1bf1044338eb5aeee504ca645bd0f6e6c20b2869b832a7fb693618baea756e740af86d5536

Filesize: 177B
MD5: 6d5b0b862bf5d418262e84b546a30bd3
SHA1: c8b3948329ab1d3e83c1920ec4e7d825365ae57d
SHA256: 43bf164721a000f01ee9339b748b7625d7a8f96616de90ac3203c0ab236c2a92
SHA512: 5eb912c4a0a83d86a1b7bc381a9928712de89d05b6f567fd556a9ba5e84ad16eb2f4d880132423686f4359d025c1ff872a5aad52a5826877146b4accfcb50189

Filesize: 268B
MD5: fe8760874e21534538e34dc52009e8b0
SHA1: 26a9ac419f9530d6045b691f3b0ecfed323be002
SHA256: 1be68e1d0beb3861fd8a519cc4c4d0b4122cbea7109bcf3e08f294705579d439
SHA512: 24c249972146048e134b86e909d51d04d3b821605cb08383921e80f6c3595dc65f9315abbd53704387bdda5c2691b5218658823f1de80e39d25152c9d367c6ed

Filesize: 161B
MD5: 240f5425f710779e0b75d85b162835dc
SHA1: 708548b6e2fb3d2f7da3e1016c085b230b2d122c
SHA256: a679f601370dd871f4c109fa5df01e2998ae109427d4ae9cdb966982c52af517
SHA512: bf6ad3456378906d68e5aeb50454bd083eb31fa3edc3d050c6a2ec66c8346cc69f89161bc5f862753eeb03648ea8f00b8bdaf087e724884ca6177e63f44d2c79

Filesize: 278B
MD5: 6d569859e5e2c6ed7c5f91d34ab9f56d
SHA1: 7bcd42359b8049010a28b6441d585c955b238910
SHA256: 3352cf84b9c7b33c2dd6e2194ff24e6a5bd0da7bb829c6cadcf9b33c65f21e78
SHA512: accd61c856a1f862699566e9f0cea6a30ab0261fa5fd048a00a5a98bf827184ebfdf1c3c879987bb2210626e71c390f2f366bea02f9ec3219cce4c15ef7ea0d7

Filesize: 171B
MD5: 1f448be937f583be715a6c47e969382f
SHA1: 5a2638c8087f59c0dedf5628857b72fc6cb7a344
SHA256: a90be90da16d610a09a294b709e52e29b5d50b71e67b5f7f68fdd23556388bec
SHA512: c991fc1cbbe10d226ac2940e02905e9aae49480bfb2c8922d180c7bc3d6c432ad7935eb4a43dc1f2d4c4387007f5f37c377ef517fc9f9a242df11cb84b615a48

Filesize: 234KB
MD5: 3d3e7a0dc5fd643ca49e89c1a0c3bc4f
SHA1: 30281283f34f39b9c4fc4c84712255ad0240e969
SHA256: 32d49dc703d8c827ca9ff7d5389debf7314b062a989db36d1360aae21a77db0e
SHA512: 93ae1ac6739d91488b88f487a252a411d85dc52a409489a61315235e4a3ec6a178cceac207426b779a1494ab792422263652f1ad310b8bab7ad296d2e7222e68

Filesize: 274B
MD5: 05ab526df31c8742574a1c0aab404c5d
SHA1: 5e9b4cabec3982be6a837defea27dd087a50b193
SHA256: 0453a179e3926d451c45952c7704686fbe7f35ec91d2b3b4d9dc909f6b7a8430
SHA512: 1575da9de9cc37d3fb9fdc2a14aeb56d1debfd09534f231a0eddec35cb20ed25032eb709cb907d5d504a450278fe810d6f297939f11b63935518a4bfeb1b4c40

Filesize: 167B
MD5: 923b1dc02a5020bf43f532c7b1e66989
SHA1: 0ab6fec489c98ad4f54398ee2aae8d70aedaa4ab
SHA256: 576fa4c89c4cda0324e7117ec2cf62876bcf54d885827fdae8890b43779e6728
SHA512: 2d77fd2fc66b16081ee0de67575daea345e5d44ff05bc436188d5f4f74ca2616c32e3adcbdf44579b4de02e27c16cd3acdd49abfe520cce36fbc1671adf6d458

Filesize: 644B
MD5: 55335ad1de079999f8d39f6c22fa06b6
SHA1: f54e032ad3e7be3cc25cd59db11070d303c2d46d
SHA256: e05c551536a5ee7a7c82b70d01f0b893db89b3dab1cd4c56ea9580e3901071ac
SHA512: ca8c2f680c3d6a61c8ad18b899f7d731f610dc043729a775fd6eade6e11332c1f32c7cf60464b6b3fd41aead9b0c65bc13934574740179931d931516c13027ca

Filesize: 668B
MD5: 3906bddee0286f09007add3cffcaa5d5
SHA1: 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256: 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512: 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Filesize: 676B
MD5: 85c61c03055878407f9433e0cc278eb7
SHA1: 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256: f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512: 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Filesize: 644B
MD5: dac60af34e6b37e2ce48ac2551aee4e7
SHA1: 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256: 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512: 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Filesize: 684B
MD5: 8135713eeb0cf1521c80ad8f3e7aad22
SHA1: 1628969dc6256816b2ab9b1c0163fcff0971c154
SHA256: e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
SHA512: a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Filesize: 684B
MD5: 7a707b422baa7ca0bc8883cbe68961e7
SHA1: addf3158670a318c3e8e6fdd6d560244b9e8860e
SHA256: 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
SHA512: 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Filesize: 285B
MD5: 9a478476d20a01771bcc5a342accfb4e
SHA1: 314cd193e7dae0d95483be2eae5402ce5d215daa
SHA256: e08019db10e6857bff648942f49ae96e3b9159b75e8e62643a8da0ff5b0f3a40
SHA512: 56903e24de594dd009ee292ab91ba9333db2426c3da63ceba3242439a1fa5981f390f6185250cb53739e9cfd37dcec6e85bed5641d04f017e29016985cdd3f29

Filesize: 178B
MD5: 4adb3caef1c912a2e1856a2aab48fb78
SHA1: c060cc3412401aa30d28abd036693fd67eae865a
SHA256: dcb1d8c4f6b98a7a1a4b30795c9943780dc62217a918eb7313b455510f06ee1f
SHA512: a229df745172ad42d77ca21cd16695cfa6807ad6b665d821a0504b56f3f3f995ddadccabc067df3ff1ca734815ede1976c1e2fded1bb06aef3136f2d992c2108