Analysis
- max time kernel: 143s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/05/2025, 20:22
Static task: static1
Behavioral tasks (every task runs on resource win10v2004-20250502-en):
- behavioral1: 08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
- behavioral2: 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
- behavioral3: 0di3x.exe
- behavioral4: 4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab.dll
- behavioral5: 2019-09-02_22-41-10.exe
- behavioral6: 2c01b007729230c415420ad641ad92eb.exe
- behavioral7: 31.exe
- behavioral8: 3DMark 11 Advanced Edition.exe
- behavioral9: 42f972925508a82236e8533567487761.exe
- behavioral10: 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
- behavioral11: c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe
- behavioral12: 69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
- behavioral13: 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
- behavioral14: 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
- behavioral15: 95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
- behavioral16: Archive.zip__ccacaxs2tbz2t6ob3e.exe
- behavioral17: DiskInternals_Uneraser_v5_keygen.exe
- behavioral18: f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
- behavioral19: ForceOp 2.8.7 - By RaiSence.exe
- behavioral20: HYDRA.exe
- behavioral21: #/power.exe
- behavioral22: #/sant.exe
- behavioral23: #/ufx.exe
- behavioral24: #/va.exe
- behavioral25: KLwC6vii.exe
- behavioral26: Keygen.exe
- behavioral27: Lonelyscreen.1.2.9.keygen.by.Paradox.exe
- behavioral28: LtHv0O2KZDK4M637.exe
- behavioral29: Magic_File_v3_keygen_by_KeygenNinja.exe
- behavioral30: OnlineInstaller.exe
- behavioral31: REVENGE-RAT.js
- behavioral32: Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
General
- Target: REVENGE-RAT.js
- Size: 1.2MB
- MD5: 8ff99e0a81c684cefbc2a752c44f30a1
- SHA1: 61b8dbc7483abcb72d2c633e6309feb26ac16eb0
- SHA256: 4f7aa725bb1c08b1ca9179e2efd09d48b62ad6a9cd89a1937ae3842363f5280e
- SHA512: 7aaee800cc8dbd8f2ededc4d0454476307c14621fde0c4edbe6d4088cb2dc2e9a2ab4d4f04891a2923cac10ed2c6d436d121f9a52f327e55096a318389ace364
- SSDEEP: 24576:ZU+R0Eg650x+M5+7Yzx0rpdizEAikr2d212SrO7cZbZ8xxTBE/lhEIirIzW0rvWx:v
Malware Config (extracted)
- Family: revengerat
- Botnet: tenakt
- C2: 94.23.220.50:559
- Mutex: RV_MUTEX-YtjWSTUKIWwi
Signatures
- RevengeRAT: remote-access trojan with a wide range of capabilities.
- Revengerat family
- Checks computer location settings (2 TTPs, 2 IoCs): looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation (wscript.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation (tacbvfff.exe)
- Drops startup file (7 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cjnsta.vbs (foldani.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tenakt.js (foldani.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hadiya.lnk (foldani.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\elBV.URL (foldani.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inststa.exe (vbc.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe (foldani.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe (foldani.exe)
- Executes dropped EXE (6 IoCs)
  - PID 2968 tacbvfff.exe
  - PID 3972 tacbvfff.exe
  - PID 4808 foldani.exe
  - PID 2308 foldani.exe
  - PID 3616 foldani.exe
  - PID 2652 foldani.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tenakna = "C:\\Users\\Admin\\Documents\\foldani.exe" (foldani.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 2968 (tacbvfff.exe) set thread context of PID 3972 (procid_target 100)
  - PID 4808 (foldani.exe) set thread context of PID 2308 (procid_target 106)
  - PID 3616 (foldani.exe) set thread context of PID 2652 (procid_target 144)
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 27 IoCs): attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by vbc.exe (10 times), cvtres.exe (10 times), foldani.exe (4 times), tacbvfff.exe (2 times) and schtasks.exe (once); 27 IoCs in total
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC): schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 4032 schtasks.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, PID 3972 tacbvfff.exe
  - Token: SeDebugPrivilege, PID 2308 foldani.exe
  - Token: SeDebugPrivilege, PID 2652 foldani.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  - PID 3292 wscript.exe wrote to memory of PID 2968 (procid_target 87), 3 times
  - PID 2968 tacbvfff.exe wrote to memory of PID 3972 (procid_target 100), 7 times
  - PID 3972 tacbvfff.exe wrote to memory of PID 4808 (procid_target 104), 3 times
  - PID 4808 foldani.exe wrote to memory of PID 2308 (procid_target 106), 7 times
  - PID 2308 foldani.exe wrote to memory of PID 3492 (procid_target 108), 3 times
  - PID 3492 vbc.exe wrote to memory of PID 3784 (procid_target 110), 3 times
  - PID 2308 foldani.exe wrote to memory of PID 4032 (procid_target 112), 3 times
  - PID 2308 foldani.exe wrote to memory of PID 2984 (procid_target 115), 3 times
  - PID 3200 cmd.exe wrote to memory of PID 3616 (procid_target 117), 3 times
  - PID 2984 vbc.exe wrote to memory of PID 2436 (procid_target 118), 3 times
  - PID 2308 foldani.exe wrote to memory of PID 2428 (procid_target 119), 3 times
  - PID 2428 vbc.exe wrote to memory of PID 4724 (procid_target 121), 3 times
  - PID 2308 foldani.exe wrote to memory of PID 524 (procid_target 122), 3 times
  - PID 524 vbc.exe wrote to memory of PID 2232 (procid_target 124), 3 times
  - PID 2308 foldani.exe wrote to memory of PID 2932 (procid_target 125), 3 times
  - PID 2932 vbc.exe wrote to memory of PID 4520 (procid_target 127), 3 times
  - PID 2308 foldani.exe wrote to memory of PID 2028 (procid_target 128), 3 times
  - PID 2028 vbc.exe wrote to memory of PID 2692 (procid_target 130), 3 times
  - PID 2308 foldani.exe wrote to memory of PID 3260 (procid_target 131), 2 times (list capped at 64 IoCs)
Processes (indentation shows the parent/child depth)
[depth 1] C:\Windows\system32\wscript.exe (PID 3292)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe (PID 2968)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe (PID 3972)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\Documents\foldani.exe (PID 4808)
        Command line: "C:\Users\Admin\Documents\foldani.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Users\Admin\Documents\foldani.exe (PID 2308)
          Command line: "C:\Users\Admin\Documents\foldani.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3492)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ydclrpcv.cmdline"
            - Drops startup file
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3784)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF47D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B8A0FE657254A18B06DCC82C76280A1.TMP"
              - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\SysWOW64\schtasks.exe (PID 4032)
            Command line: schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
          [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2984)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\klml3vhx.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2436)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF548.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3807728AF2A14F609EB13BF189D34CB0.TMP"
              - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2428)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lqpcelcu.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4724)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF613.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc295E158BB1854C45B4144C26F866B969.TMP"
              - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 524)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izvhhfkq.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2232)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3794DD9849544AD29F8DB4DDA535F815.TMP"
              - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2932)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t23u-w-_.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4520)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80E873908D704197BD179D62774ABD.TMP"
              - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2028)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c3uunm2p.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2692)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF874.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54CA7792A5147E9ABFB2B6DA475FA40.TMP"
              - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3260)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jebpkyya.cmdline"
            - System Location Discovery: System Language Discovery
            [depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3848)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB410668024AE4662ABE43E8063D312A9.TMP"
              - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 856)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v9sstjpo.cmdline"
            - System Location Discovery: System Language Discovery
            [depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2584)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF96E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FE121CBB3FB4A1A91FF5988E841CB49.TMP"
              - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4460)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ffao0dk.cmdline"
            - System Location Discovery: System Language Discovery
            [depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4336)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF438C69D734F22ADD227F3D48F4FEE.TMP"
              - System Location Discovery: System Language Discovery
          [depth 6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 5016)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2widvvfm.cmdline"
            - System Location Discovery: System Language Discovery
            [depth 7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3156)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87148B5ED837432485D6BF1764E372AD.TMP"
              - System Location Discovery: System Language Discovery
[depth 1] C:\Windows\system32\cmd.exe (PID 3200)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\Documents\foldani.exe (PID 3616)
    Command line: C:\Users\Admin\Documents\foldani.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    [depth 3] C:\Users\Admin\Documents\foldani.exe (PID 2652)
      Command line: "C:\Users\Admin\Documents\foldani.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16 (number of matching signatures in parentheses)
- Execution
  - Command and Scripting Interpreter (2)
    - JavaScript (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads