Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/05/2025, 22:42
Tasks
- Static task: static1
- Behavioral tasks (every task runs on resource win10v2004-20250502-en):

  task          sample
  behavioral1   08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
  behavioral2   0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
  behavioral3   0di3x.exe
  behavioral4   4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab.dll
  behavioral5   2019-09-02_22-41-10.exe
  behavioral6   2c01b007729230c415420ad641ad92eb.exe
  behavioral7   31.exe
  behavioral8   3DMark 11 Advanced Edition.exe
  behavioral9   42f972925508a82236e8533567487761.exe
  behavioral10  5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  behavioral11  c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe
  behavioral12  69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  behavioral13  905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
  behavioral14  948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
  behavioral15  95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
  behavioral16  Archive.zip__ccacaxs2tbz2t6ob3e.exe
  behavioral17  DiskInternals_Uneraser_v5_keygen.exe
  behavioral18  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  behavioral19  ForceOp 2.8.7 - By RaiSence.exe
  behavioral20  HYDRA.exe
  behavioral21  #/power.exe
  behavioral22  #/sant.exe
  behavioral23  #/ufx.exe
  behavioral24  #/va.exe
  behavioral25  KLwC6vii.exe
  behavioral26  Keygen.exe
  behavioral27  Lonelyscreen.1.2.9.keygen.by.Paradox.exe
  behavioral28  LtHv0O2KZDK4M637.exe
  behavioral29  Magic_File_v3_keygen_by_KeygenNinja.exe
  behavioral30  OnlineInstaller.exe
  behavioral31  REVENGE-RAT.js  (the task this report covers)
  behavioral32  Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
General
- Target: REVENGE-RAT.js
- Size: 1.2MB
- MD5: 8ff99e0a81c684cefbc2a752c44f30a1
- SHA1: 61b8dbc7483abcb72d2c633e6309feb26ac16eb0
- SHA256: 4f7aa725bb1c08b1ca9179e2efd09d48b62ad6a9cd89a1937ae3842363f5280e
- SHA512: 7aaee800cc8dbd8f2ededc4d0454476307c14621fde0c4edbe6d4088cb2dc2e9a2ab4d4f04891a2923cac10ed2c6d436d121f9a52f327e55096a318389ace364
- SSDEEP: 24576:ZU+R0Eg650x+M5+7Yzx0rpdizEAikr2d212SrO7cZbZ8xxTBE/lhEIirIzW0rvWx:v
Malware Config
Configuration extracted by the sandbox (family: revengerat):
- Identifier: tenakt (the same string is used for the Startup-folder drop tenakt.js listed under Signatures)
- C2 host:port: 94.23.220.50:559
- Mutex: RV_MUTEX-YtjWSTUKIWwi
Signatures

- RevengeRAT
  Remote-access trojan with a wide range of capabilities. Family: revengerat.

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation
    by wscript.exe
    by tacbvfff.exe

- Drops startup file (7 IoCs)
  All under C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\:
    msta.exe      created, then opened for modification, by foldani.exe
    Cjnsta.vbs    created by foldani.exe
    tenakt.js     created by foldani.exe
    hadiya.lnk    created by foldani.exe
    elBV.URL      opened for modification by foldani.exe
    inststa.exe   created by vbc.exe (i.e. written as compiler output)

- Executes dropped EXE (6 IoCs)
  PID 4540 tacbvfff.exe, PID 4812 tacbvfff.exe, PID 5560 foldani.exe, PID 5440 foldani.exe, PID 4440 foldani.exe, PID 1916 foldani.exe

- Uses the VBS compiler for execution (1 TTPs)
  The binary involved is vbc.exe, the Visual Basic .NET command-line compiler (not a VBScript engine). The process tree shows it invoked nine times by foldani.exe as vbc.exe /noconfig @<random>.cmdline, each run spawning cvtres.exe, i.e. source is compiled at run time on the victim. One of those runs wrote inststa.exe into the Startup folder (see above).

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tenakna = "C:\\Users\\Admin\\Documents\\foldani.exe"  by foldani.exe

- Suspicious use of SetThreadContext (3 IoCs)
    PID 4540 tacbvfff.exe set the thread context of PID 4812 (procid_target 98)
    PID 5560 foldani.exe set the thread context of PID 5440 (procid_target 108)
    PID 4440 foldani.exe set the thread context of PID 1916 (procid_target 147)
  In all three cases the target is a freshly started child running the same image as the parent, and the same pairs are the only ones with seven WriteProcessMemory entries below: the process-hollowing (RunPE) pattern.

- Command and Scripting Interpreter: JavaScript (1 TTPs)
  The submitted REVENGE-RAT.js is executed by wscript.exe (PID 6032).

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 27 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by cvtres.exe (10), vbc.exe (10), foldani.exe (4), tacbvfff.exe (2), schtasks.exe (1)
  Caveat: this key is read during ordinary locale initialisation, so the hits from the Microsoft compiler binaries and schtasks.exe are noise; the sample's own processes here are foldani.exe and tacbvfff.exe.

- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3412 schtasks.exe, run as: schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe" (every 10 minutes; see Processes)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege enabled by PID 4812 tacbvfff.exe, PID 5440 foldani.exe and PID 1916 foldani.exe (in each case the second, hollowed instance of the pair).

- Suspicious use of WriteProcessMemory (64 IoCs)
  writer PID / image        -> target PID (procid_target)   writes
    6032  wscript.exe       -> 4540 (86)                      3
    4540  tacbvfff.exe      -> 4812 (98)                      7
    4812  tacbvfff.exe      -> 5560 (107)                     3
    5560  foldani.exe       -> 5440 (108)                     7
    5440  foldani.exe       ->  316 (110)                     3
     316  vbc.exe           ->  696 (112)                     3
    5440  foldani.exe       -> 3412 (114)                     3
    5440  foldani.exe       -> 3600 (117)                     3
    1888  cmd.exe           -> 4440 (119)                     3
    3600  vbc.exe           -> 4884 (120)                     3
    5440  foldani.exe       -> 2556 (121)                     3
    2556  vbc.exe           -> 5060 (123)                     3
    5440  foldani.exe       -> 1728 (124)                     3
    1728  vbc.exe           -> 4872 (126)                     3
    5440  foldani.exe       -> 3628 (127)                     3
    3628  vbc.exe           -> 5784 (129)                     3
    5440  foldani.exe       -> 4564 (130)                     3
    4564  vbc.exe           -> 2744 (132)                     3
    5440  foldani.exe       ->  412 (133)                     2 (list cut off at 64 entries; the later vbc.exe/cvtres.exe pairs in the process tree are not listed)
  Three writes accompany every ordinary process start in this trace, including cmd.exe and the compiler chain; only the three parent/child pairs that also appear under SetThreadContext show seven.
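The behaviours the signatures above describe can be expressed as a handful of process-creation rules. The following is an added example, not part of the sandbox report or of any vendor's detection content: it replays process events constructed by hand from this report's process tree (same PIDs and command lines; the cvtres.exe argument list is shortened) plus one invented benign pair (PIDs 7000/7001, devenv.exe driving vbc.exe) as a control, and reports which rule each event trips. The rule names, field names and the `is_user_writable` heuristic are this example's own.

```python
"""Behavioural rules replayed over the process tree in this report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not present in the trace
    image: str
    cmdline: str


# Constructed from the report's process tree; the last two events are an
# invented benign control (an IDE launching the same compiler).
EVENTS: List[ProcEvent] = [
    ProcEvent(6032, 0, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js"),
    ProcEvent(4540, 6032, r"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"'),
    ProcEvent(4812, 4540, r"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"'),
    ProcEvent(5560, 4812, r"C:\Users\Admin\Documents\foldani.exe",
              r'"C:\Users\Admin\Documents\foldani.exe"'),
    ProcEvent(5440, 5560, r"C:\Users\Admin\Documents\foldani.exe",
              r'"C:\Users\Admin\Documents\foldani.exe"'),
    ProcEvent(316, 5440, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig '
              r'@"C:\Users\Admin\AppData\Local\Temp\eudsqps7.cmdline"'),
    ProcEvent(696, 316, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
              r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5F6.tmp"'),   # 2nd argument omitted
    ProcEvent(3412, 5440, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /create /sc minute /mo 10 /tn "bladzabi" '
              r'/tr "C:\Users\Admin\Documents\foldani.exe"'),
    ProcEvent(1888, 0, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe"),
    ProcEvent(4440, 1888, r"C:\Users\Admin\Documents\foldani.exe",
              r"C:\Users\Admin\Documents\foldani.exe"),
    ProcEvent(1916, 4440, r"C:\Users\Admin\Documents\foldani.exe",
              r'"C:\Users\Admin\Documents\foldani.exe"'),
    ProcEvent(7000, 0, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "devenv.exe"),
    ProcEvent(7001, 7000, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'vbc.exe /noconfig @"C:\proj\obj\Debug\x.cmdline"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
COMPILERS = {"vbc.exe", "csc.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    """Crude heuristic: inside a user profile and not under %SystemRoot%."""
    p = path.lower()
    return "\\users\\" in p and "\\windows\\" not in p


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        name, pname = basename(e.image), (basename(parent.image) if parent else "")
        # 1. Script host (wscript.exe running REVENGE-RAT.js) starting an EXE from a user path.
        if pname in SCRIPT_HOSTS and name.endswith(".exe") and is_user_writable(e.image):
            hits.append((e.pid, "script_host_spawns_user_exe"))
        # 2. Run-time compilation: vbc/csc with a response file, parent not a build tool.
        if (name in COMPILERS and re.search(r"/noconfig\s+@", e.cmdline, re.I)
                and pname not in DEV_PARENTS):
            hits.append((e.pid, "runtime_compile_nondev_parent"))
        # 3. Minute-granularity scheduled task whose action lives in a user path.
        if name == "schtasks.exe":
            m = re.search(r'/sc\s+minute\b.*?/tr\s+"?([^"]+)', e.cmdline, re.I)
            if m and is_user_writable(m.group(1)):
                hits.append((e.pid, "minute_schtask_user_exe"))
        # 4. A process starting a second copy of its own image from a user path;
        #    with SetThreadContext + 7 WriteProcessMemory calls this is hollowing.
        if parent and parent.image.lower() == e.image.lower() and is_user_writable(e.image):
            hits.append((e.pid, "self_spawn_same_image"))
    return hits


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"PID {pid:>5}  {rule}")
```

Rule 4 fires on the child of each self-spawn pair (4812, 5440, 1916), which is exactly the set of PIDs that also hold SeDebugPrivilege in the AdjustPrivilegeToken signature; the devenv.exe/vbc.exe control trips nothing.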
Processes
(indentation shows depth in the tree; the signatures hit by each process are listed beneath its command line)

C:\Windows\system32\wscript.exe  (PID 6032)
  cmd: wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe  (PID 4540)
    cmd: "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe  (PID 4812)
      cmd: "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\Documents\foldani.exe  (PID 5560)
        cmd: "C:\Users\Admin\Documents\foldani.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\Documents\foldani.exe  (PID 5440)
          cmd: "C:\Users\Admin\Documents\foldani.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 316)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eudsqps7.cmdline"
            - Drops startup file
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 696)
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9CEA52C52E6424F9D2314B78BD76686.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\schtasks.exe  (PID 3412)
            cmd: schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3600)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yqd0pmki.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 4884)
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F1BE61061364E659B88B1592A1855A.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2556)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vpzlzbir.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 5060)
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE76D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D6B8D9B5EBD4C1DBDAAC06E4B567257.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1728)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i64zfqhq.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 4872)
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE857.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc915BA9C7800D4A6B99639FB7C6A6B347.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3628)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\trbfpclz.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 5784)
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE923.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A871F773DAE4F3FA9E2EAA6A3961ED.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 4564)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lrapn3nk.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2744)
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc48D81AE22F0A47539A7C805F218B8EB.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 412)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v0bduxs-.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 544)
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5CADA4D884CCEB46AA423C620E740.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3212)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\szw2mvvg.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 4348)
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8742A587D40E4E79B037BF4A1B393B8A.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1984)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iil-khh1.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 408)
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC6A406ECF91481D87C38306997FF7D.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 5288)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\alg0cxn6.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 5384)
              cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED3C99422BCA4942A11CB1F73A1C817D.TMP"
              - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  (PID 1888)
  cmd: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\Documents\foldani.exe  (PID 4440)
    cmd: C:\Users\Admin\Documents\foldani.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\Documents\foldani.exe  (PID 1916)
      cmd: "C:\Users\Admin\Documents\foldani.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

The second tree has no parent in the trace and its root command line is the action registered for the "bladzabi" task, so it is most likely that scheduled task firing; foldani.exe then repeats the self-spawn / SetThreadContext step seen in the first tree.
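The persistence artefacts from Signatures (Run key, Startup-folder drops, the "bladzabi" task whose command line appears in the tree above) together with the extracted C2 and mutex give a compact host-sweep. The following is an added example and not part of the sandbox report: the indicator values are the report's, but the two snapshot dicts are constructed stand-ins for what a collector (registry, Startup folder, schtasks, netstat, file hashing) would return, so the sweep runs offline; the function and field names are this example's own. It generalises in one place: besides the exact mutex, it matches any mutex with the RV_MUTEX- prefix, which RevengeRAT builds share.

```python
"""Host IoC sweep built from the artefacts in this report (added example)."""
from typing import Any, Dict, List, Tuple

# Indicators taken from the report.
RUN_KEY_NAME = "tenakna"
TASK_NAME = "bladzabi"
C2 = ("94.23.220.50", 559)
MUTEX = "RV_MUTEX-YtjWSTUKIWwi"
MUTEX_PREFIX = "RV_MUTEX-"          # generalisation: RevengeRAT mutexes share this prefix
DROPPED_PATHS = {
    r"c:\users\admin\documents\foldani.exe",
    r"c:\users\admin\appdata\local\temp\tacbvfff.exe",
}
STARTUP_NAMES = {n.lower() for n in
                 ("msta.exe", "Cjnsta.vbs", "tenakt.js", "hadiya.lnk", "elBV.URL", "inststa.exe")}
KNOWN_SHA256 = {
    "4f7aa725bb1c08b1ca9179e2efd09d48b62ad6a9cd89a1937ae3842363f5280e",  # REVENGE-RAT.js
    "32d49dc703d8c827ca9ff7d5389debf7314b062a989db36d1360aae21a77db0e",  # 234KB dropped file
}

Snapshot = Dict[str, Any]


def _norm(path: str) -> str:
    """Strip quotes/whitespace and lower-case so NTFS paths compare sanely."""
    return path.strip().strip('"').lower()


def sweep(snap: Snapshot) -> List[Tuple[str, str]]:
    """Return (category, detail) for every report indicator present in the snapshot."""
    hits: List[Tuple[str, str]] = []
    for name, cmd in snap.get("run_keys", {}).items():
        if name.lower() == RUN_KEY_NAME or _norm(cmd) in DROPPED_PATHS:
            hits.append(("run_key", f"{name} = {cmd}"))
    for fname in snap.get("startup_files", []):
        if fname.lower() in STARTUP_NAMES:
            hits.append(("startup_file", fname))
    for name, action in snap.get("tasks", {}).items():
        if name.lower() == TASK_NAME or _norm(action) in DROPPED_PATHS:
            hits.append(("scheduled_task", f"{name} -> {action}"))
    for ip, port in snap.get("connections", []):
        if (ip, port) == C2:
            hits.append(("c2_connection", f"{ip}:{port}"))
    for m in snap.get("mutexes", []):
        if m == MUTEX or m.startswith(MUTEX_PREFIX):
            hits.append(("mutex", m))
    for path, digest in snap.get("file_hashes", {}).items():
        if digest.lower() in KNOWN_SHA256:
            hits.append(("known_hash", path))
    return hits


# Constructed snapshot of an infected host, mirroring the report, with some
# ordinary Windows entries mixed in.
INFECTED: Snapshot = {
    "run_keys": {"tenakna": r"C:\Users\Admin\Documents\foldani.exe",
                 "OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    "startup_files": ["tenakt.js", "desktop.ini"],
    "tasks": {"bladzabi": r"C:\Users\Admin\Documents\foldani.exe",
              "MicrosoftEdgeUpdateTaskMachineCore":
                  r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    "connections": [("94.23.220.50", 559), ("13.107.4.50", 443)],
    "mutexes": ["RV_MUTEX-YtjWSTUKIWwi", r"Local\SM0:1234:120:WilError_03"],
    "file_hashes": {r"C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js":
                    "4f7aa725bb1c08b1ca9179e2efd09d48b62ad6a9cd89a1937ae3842363f5280e"},
}

# Constructed clean host: only the ordinary entries.
CLEAN: Snapshot = {
    "run_keys": {"OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    "startup_files": ["desktop.ini"],
    "tasks": {"MicrosoftEdgeUpdateTaskMachineCore":
                  r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    "connections": [("13.107.4.50", 443)],
    "mutexes": [r"Local\SM0:1234:120:WilError_03"],
    "file_hashes": {r"C:\Windows\notepad.exe": "0" * 64},
}

if __name__ == "__main__":
    for category, detail in sweep(INFECTED):
        print(f"{category:<15} {detail}")
    print("clean host findings:", sweep(CLEAN))
```

On the infected snapshot the sweep returns one finding per category (run key, Startup file, task, C2 socket, mutex, known hash) and nothing on the clean one. Matching the task and Run-key actions against the dropped paths, not only against the names, keeps the check useful if a later build renames "tenakna" or "bladzabi" but keeps the drop locations.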
Network
No network observations are recorded on this page.

MITRE ATT&CK Enterprise v16
- Execution
  - Command and Scripting Interpreter: JavaScript (T1059.007)
  - Scheduled Task/Job: Scheduled Task (T1053.005)
- Persistence
  - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
  - Scheduled Task/Job: Scheduled Task (T1053.005)
- Privilege Escalation
  - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
  - Scheduled Task/Job: Scheduled Task (T1053.005)
Downloads
Files dropped during the run. No file names are recorded for these entries on this page; the single 234KB entry is the only one of executable size, while the 145B to 1KB entries are consistent in size and count with the per-run .cmdline, .TMP and .tmp artefacts of the nine vbc.exe/cvtres.exe compilations.

- 496B
  MD5     cb76b18ebed3a9f05a14aed43d35fba6
  SHA1    836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256  8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512  7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

- 1KB
  MD5     bcc1abd1f97e9cf228128fa062d5f039
  SHA1    893e5ab0bc2d7c13ac21c6b5e41e44a7482897d1
  SHA256  5fe15afbe4d0719af27458fd57665f3b2d3dd4e9359cfa482a57fc6739f33d50
  SHA512  82e68574d359f293a3ffc051effbd3759f9f7dee892001fe4339b061f0d7eb80c89beea0a45ec8eaa8fc8e49eae6e78288a69691839229ff3636d77403255643

- 1KB
  MD5     9d6e1340c436b75b3dd4f95f726df87f
  SHA1    2f23b225e9cdde177f119140aab3063c380bbaf7
  SHA256  6bbecbec9b7112e1dfd57c214d22d691280174f4d74f7aa954ed121c27db9283
  SHA512  71b992cc5d1936b5a2fd5d83ef7d4e4747e2b0e8bf1ab0b8494125c95c5c0a6b0b0a039b0b463c9cdd8ac2accf5eb6f16e97139b1551c3bd109c89fe83d4d560

- 1KB
  MD5     d3122165982c8104285fe327001bb60b
  SHA1    c1fb8722bbf8fd1eceabe4f4ff5fd6bb79f79788
  SHA256  770537e09cbb531545df90fba5b0b6841cbf3ef6349da3715f40f73120f58bde
  SHA512  3381a61d587484dd28b27cbf4532d4d902d3e6858d98e8518e884d757b9433f48301f098f3265d26e091a35d62c5761b91ef6246d816dcdc25c77dc60ba36c56

- 1KB
  MD5     b9f17cd84784c1cf910325da43f194be
  SHA1    1b4c56cc9f22f0abbab0e54c49afa7022e020a10
  SHA256  5424a52c4e9f378724b249a17c5791ff3879bb7059597e55d8f0dab64217d8cb
  SHA512  6cd2dbb3c03acecde04186609cc6cb5fe288dbfee8483b58c823d73cc6b43e4a9589cf9b7d17c2085f9b11b202a651652f51e83067c065dbf81d7e58f77ecd7b

- 1KB
  MD5     ffe9de41d166ee87c7a24ec8dd48ca44
  SHA1    c43b7dfc0e781eba27baaa79ac9238a56913ee0f
  SHA256  bea09e4abf4bd0c9a361ec813d818ab931ea6b002e86d8d21df3275a6c5e5880
  SHA512  7d48d16162639c24c2c9813813441f5fcc404495cc2e87709afebcb35379e43901ac65238b389b30c63af0e2f33fa2c981bb28e1709d37700b3b351bd94fcc54

- 1KB
  MD5     25819cca6b9c628c7823f716729df46e
  SHA1    6e023637e8e0c0756773c19b7b8fffa4db1dbcef
  SHA256  797ab626b65ed32ee56504207f7b8d444f14fdd2eec884fe6ec8c7e9d4d508d2
  SHA512  f95f0f69f617adabd4d13e1bb57b631f58af0cb79aded0cc05c7d2dd8fa2b7ab5190e58a318181c54e82c1ca79d236138bbee91eb8bea7c566359d42ab8e4f1f

- 1KB
  MD5     97c47a68b36a7dbab9c3112f6ef22c8a
  SHA1    feb026a5f0d825f02a99acd6daad163f048260e0
  SHA256  184cec22ee39b5ee2e1b89f2e95a6fc9c0f896133fe01f633946e08fb3f0d6c3
  SHA512  7de6fd54e4eae9bb7b26e7725e831fc6383c931038290dcb2d28d09b2e53cd9eb08f2e0733c1b504f7bbb4ec4feb47c1a11657b78b713d87644b900f1289148f

- 1KB
  MD5     cc33b9ab43f958c37c01008fa40e47ad
  SHA1    65946b44f87fb472c85cb2a3f04378209d8ad3b4
  SHA256  c7e73dddbda0da3fd6f9e42e81c7bbc3665fd6d65bb8cbdedc44f5bd6d2c93e8
  SHA512  58a21ff0a6734da8753b2510878c9f52e53844883b3d5c211c11122fbfe529eb6eed04c7ef8d17183680e3ff46e1f0d10c9eb0efc1e0eaa6d1ee70a075963576

- 1KB
  MD5     ce746cddde3067a04e670c41d773cff7
  SHA1    f13d1e163208ff8f0ed79b6941e034f4f0402044
  SHA256  edee22db4edea96fb880cf5463e33f7cdc3d6641bcfb5737cee357e8922d476a
  SHA512  bcd51cda46bc730bac0e355655dd5e004c98b8e3cddaf7ac3d1f74b3bc727e896755122bffce0219ce6fbeb846887d1c241e57a1f4851ee517f511037b17e8fe

- 1KB
  MD5     cbd859daab5e33347611e5e958b903a0
  SHA1    b2ac4929a9030054a0797a9f401b56316d8a1d7b
  SHA256  655fc664de158f004c293468322336cb7c19a379f1c4ab3e30edf8fb224b59b2
  SHA512  8d88df7b0b7e8966772aec4027d20204fc92f9b10e9235af0b197fa9c59375ec089b72e5ee0bad2f964679a159ca4f2c745863e617ca7302e372697c990445bc

- 287B
  MD5     9cc0fccb33a41b06335022ada540e8f9
  SHA1    e3f1239c08f98d8fbf66237f34b54854ea7b799a
  SHA256  b3007d9bef050c2dd5b7c6376ccfc00929cd51f23fcd6cbc254b139ddaf81a49
  SHA512  9558ae7a93851c901293c8971d141915ed99bbe98c23855e8d4584936bf3b793904ff452d61e620614cd90c7dc2f385f86fee73cfbe4e6ddf6ee9f71b8e2f6eb

- 180B
  MD5     457167fe9357b44c91b2da0b3030fab1
  SHA1    1d2b696251a878efa0c18d7b6b34d57c5dde9a17
  SHA256  ecdb5308ae4164371f109ee7c2c566ad8791ee8490b37c4a06c585f0faf503fb
  SHA512  a612b9a3df6582c01b24099126b37e1e6e821c8eb5a88d0bc8a98e55f6fc6a61e7d1c59cd4af279a6d945e614d7f21f8da5e798379a7a0219b1b964b67f2762e

- 145B
  MD5     61413d4417a1d9d90bb2796d38b37e96
  SHA1    719fcd1e9c0c30c9c940b38890805d7a89fd0fe5
  SHA256  24c081f2f8589c160e6c556507f9a9590983445b933ce6a73f889b5096c211d7
  SHA512  9d8ef98bcae56a7abe678f08ba4ef76a135a14f6ca63c02a6e1ea2ddda233802e2aad6c4fc309026e16cd3a8e87a04fe6d4a0acfb9736cca6d670926c83d6cd4

- 195B
  MD5     4deeabad33ce68d52c3b956811d87d8d
  SHA1    24a41e01d5375d181cf2d71ada737f23d459d198
  SHA256  7cc9f1f2a95129c8f62e1efe1befbfcbcf426a79966724a8cdce5dbdfac21032
  SHA512  b64c5f25504486c50fa30d07aa699474fd0952cb30ac055e288de1ee05cd969d3ef329e24f97fd997133e8be369e8adf68842672819570acd8015f381cf5501f

- 284B
  MD5     6989ad9512c924a0d9771ce7e3360199
  SHA1    1bcc5312adf332719db83156f493ad365f5bdec6
  SHA256  f80c2d143ea239ba9c96fda416193860cd3d3216e264b856466375bb14618168
  SHA512  13a0b21b94c5865ec82e4d3d4fca50f2a1948428acc696601ced1f1bf1044338eb5aeee504ca645bd0f6e6c20b2869b832a7fb693618baea756e740af86d5536

- 177B
  MD5     aec1835ad6c7c1a222abfe29b2fe5dca
  SHA1    429de15cea03e3483032d51a1d4f5cab625294b0
  SHA256  6d527c847522136f2df931d6790c0cceca2dbcf664246cbbcfc3ba9cb5a518bf
  SHA512  503664097b3d208e708b0a962bff81986b5eb52cc3423f3f694a4dfe846fc9f7fa2daa0916b1670ac24d9295f745fe565973d33247861e4556e16561859ec5e2

- 285B
  MD5     b34b98a6937711fa5ca663f0de61d5bb
  SHA1    c371025912ab08ae52ff537aaa9cd924dbce6dcc
  SHA256  f1dbc184336bf86e88e1cbc422009ff85febd6bc887ae483bc10109f30ebf69a
  SHA512  2c27a72d8a2d120a222add219a0e4f11af38421433210ced930c37ccb9a0cc419fe01e45c874aee2c99613785fa4d44a66fa73c41e4dce9810d4deb24476b98f

- 178B
  MD5     36ca4dd4461fdb5b170dbc14c788b43d
  SHA1    0956f5785ce854c391bc2a1cfb50760991bf8412
  SHA256  12444efb231ab5bee21d0c1a21ebfce22e3cbeecc4ea2496d7c94061efd0afc4
  SHA512  7ba3eddbc5bd93dd9e54331d4bc378ef42fa491cbdbf5e0e9a2b7dbf93eafa61f9e5cbcca600d4b605c5a8073e24913dcb13c03c85869d508273109f60b34fa1

- 288B
  MD5     af52f4c74c8b6e9be1a6ccd73d633366
  SHA1    186f43720a10ffd61e5f174399fb604813cfc0a1
  SHA256  2d85e489480ba62f161d16a8f46fb85083ab53f2d9efe702ce2e49e0d68eca07
  SHA512  c521dacb09ddfe56e326cf75f9f40adc269a9b48ea3217e55c6381e836d226066ecf9721650ce74aebb763cd1d22f3d1f06b4567ee7683ba83f5f00ef41ae99e

- 181B
  MD5     a70f79afeb4a4e02641822b9ee594ef0
  SHA1    9aa608f8ef45e4115ba7948c128d784c6911e42a
  SHA256  76a266c06bdcc71e67080386fbb54472c54e7f34d8a0f6ca1b1cc23f1b3988e8
  SHA512  55b4e853b9c921ab2dc54d98e9f930081fcb0f96efafba28432e7380a47f9a3200cc993f8d4f9d192f8267b0521599513fbc4274d990bbf42ab8493ca766f8df

- 284B
  MD5     62caeb4021ea9d333101382b04d7ac1c
  SHA1    ebe2bb042b8a9c6771161156d1abdce9d8d43367
  SHA256  e466fcc723dfa8d713c6e7c2208581f1c94ecf06a5dd2e3b83d3a93636badbd7
  SHA512  e283647c6e24d912833229ce80055d103359ace1e83c051227d40a672691491ef612ea639ebc896d01ff132c5f101132b5397e5c59a8ddbf11e58fdd2052247c

- 177B
  MD5     0fb9a9461fe3936914cecab56eec103d
  SHA1    ea8f71689166770d10bb7a54d6dc933e93314640
  SHA256  13f3d9e9343e02065aba5764cd6746c3662d74cd0ce192a5977be54aea12f712
  SHA512  e9f7d918a774c1618698f5905d79ec9a975e61061fee432d9258fa4336183f3c7d80683a36fbf0911b4eaefaca96e483e82b398a365249bb77fb267b40545379

- 234KB
  MD5     3d3e7a0dc5fd643ca49e89c1a0c3bc4f
  SHA1    30281283f34f39b9c4fc4c84712255ad0240e969
  SHA256  32d49dc703d8c827ca9ff7d5389debf7314b062a989db36d1360aae21a77db0e
  SHA512  93ae1ac6739d91488b88f487a252a411d85dc52a409489a61315235e4a3ec6a178cceac207426b779a1494ab792422263652f1ad310b8bab7ad296d2e7222e68

- 285B
  MD5     9a478476d20a01771bcc5a342accfb4e
  SHA1    314cd193e7dae0d95483be2eae5402ce5d215daa
  SHA256  e08019db10e6857bff648942f49ae96e3b9159b75e8e62643a8da0ff5b0f3a40
  SHA512  56903e24de594dd009ee292ab91ba9333db2426c3da63ceba3242439a1fa5981f390f6185250cb53739e9cfd37dcec6e85bed5641d04f017e29016985cdd3f29

- 178B
  MD5     d42b153691d2909445fb906d613aaccd
  SHA1    2c7807edf945eb65189cf2b800d1249d2ed81028
  SHA256  735bde59bbd01d29c0875fc676c847593ce344eb171d974c4456dbfbd0ffd848
  SHA512  5e490539540682e9e31ab559b650c544301cfdbe6dee97a12f4665006fa007adf2f30a4d886ced52a79d58fe9f003c7ce20e47095258f3994b6dbeaae26ae8c9

- 278B
  MD5     6d569859e5e2c6ed7c5f91d34ab9f56d
  SHA1    7bcd42359b8049010a28b6441d585c955b238910
  SHA256  3352cf84b9c7b33c2dd6e2194ff24e6a5bd0da7bb829c6cadcf9b33c65f21e78
  SHA512  accd61c856a1f862699566e9f0cea6a30ab0261fa5fd048a00a5a98bf827184ebfdf1c3c879987bb2210626e71c390f2f366bea02f9ec3219cce4c15ef7ea0d7

- 171B
  MD5     c210e6a86c3a43c8b814c0f0e9e56b6c
  SHA1    1974c32d61e95d3a63a0800ac11dcb947d9dc987
  SHA256  86524de14db7fc1a13e0f11ba29c793329560e9cc3b72e92b8c8cdca906cc73a
  SHA512  d85272440489fca2ed13f5fbb9cd51384c195191c48285eee448b05594d4fe770f8db1718dacdda20a7a76bd923481cfff45d30ead65e2697e95d7f42f4b9c6a

- 644B
  MD5     dac60af34e6b37e2ce48ac2551aee4e7
  SHA1    968c21d77c1f80b3e962d928c35893dbc8f12c09
  SHA256  2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
  SHA512  1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

- 684B
  MD5     8135713eeb0cf1521c80ad8f3e7aad22
  SHA1    1628969dc6256816b2ab9b1c0163fcff0971c154
  SHA256  e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
  SHA512  a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

- 676B
  MD5     85c61c03055878407f9433e0cc278eb7
  SHA1    15a60f1519aefb81cb63c5993400dd7d31b1202f
  SHA256  f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
  SHA512  7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

- 668B
  MD5     3906bddee0286f09007add3cffcaa5d5
  SHA1    0e7ec4da19db060ab3c90b19070d39699561aae2
  SHA256  0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
  SHA512  0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

- 644B
  MD5     55335ad1de079999f8d39f6c22fa06b6
  SHA1    f54e032ad3e7be3cc25cd59db11070d303c2d46d
  SHA256  e05c551536a5ee7a7c82b70d01f0b893db89b3dab1cd4c56ea9580e3901071ac
  SHA512  ca8c2f680c3d6a61c8ad18b899f7d731f610dc043729a775fd6eade6e11332c1f32c7cf60464b6b3fd41aead9b0c65bc13934574740179931d931516c13027ca

- 684B
  MD5     7a707b422baa7ca0bc8883cbe68961e7
  SHA1    addf3158670a318c3e8e6fdd6d560244b9e8860e
  SHA256  453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
  SHA512  81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

- 274B
  MD5     05ab526df31c8742574a1c0aab404c5d
  SHA1    5e9b4cabec3982be6a837defea27dd087a50b193
  SHA256  0453a179e3926d451c45952c7704686fbe7f35ec91d2b3b4d9dc909f6b7a8430
  SHA512  1575da9de9cc37d3fb9fdc2a14aeb56d1debfd09534f231a0eddec35cb20ed25032eb709cb907d5d504a450278fe810d6f297939f11b63935518a4bfeb1b4c40

- 167B
  MD5     91f8b5851f6c7d1fa7a082374bee4394
  SHA1    1c545e94a0a933cec89f794e8c1aba7a438ff17b
  SHA256  5981eda1222bc589bfd430b71414309d0236d332524340e940d5775808993abe
  SHA512  a6801fbc8673ef557ecab5755f9fa5f5edd6a07fbe4bd2ac9102ca070d6f8a4690b29f3175d115a3aba653eb42db9f380f090fc4ee2a265aeb616e2c14517d38

- 268B
  MD5     fe8760874e21534538e34dc52009e8b0
  SHA1    26a9ac419f9530d6045b691f3b0ecfed323be002
  SHA256  1be68e1d0beb3861fd8a519cc4c4d0b4122cbea7109bcf3e08f294705579d439
  SHA512  24c249972146048e134b86e909d51d04d3b821605cb08383921e80f6c3595dc65f9315abbd53704387bdda5c2691b5218658823f1de80e39d25152c9d367c6ed

- 161B
  MD5     0025b9f33671237be334f0ce87ac45a3
  SHA1    59b0fb9e3cc562fd2e1598d8b43479530e391a06
  SHA256  a9c174ee4e6e61f9a332685686c0b4b7148c95e18446b2bc45677c100018778d
  SHA512  e38e9b37584d3278ca6d1d180b61428d803bd16c4af1f268a5a3d1184287e14d13e41dfa58fc21b74411846302c43e16f920b2521c6fad83c64d6c97f53bc695