Overview

Per-task scores from the report's task tab bar (sample names appear truncated with "..." exactly as the tab bar shows them; "-" means no score was shown).

Score  Sample                  Platform
10     Static                  static
10     08751be484...2d.dll     windows10-2004-x64
10     0a9f79abd4...51.exe     windows10-2004-x64
3      0di3x.exe               windows10-2004-x64
10     4a30275f14...ab.dll     windows10-2004-x64
10     2019-09-02...10.exe     windows10-2004-x64
10     2c01b00772...eb.exe     windows10-2004-x64
7      31.exe                  windows10-2004-x64
10     3DMark 11 ...on.exe     windows10-2004-x64
3      42f9729255...61.exe     windows10-2004-x64
10     5da0116af4...18.exe     windows10-2004-x64
10     c2716fcc73...86.exe     windows10-2004-x64
10     69c56d12ed...6b.exe     windows10-2004-x64
10     905d572f23...50.exe     windows10-2004-x64
10     948340be97...54.exe     windows10-2004-x64
10     95560f1a46...f9.dll     windows10-2004-x64
10     Archive.zi...3e.exe     windows10-2004-x64
8      DiskIntern...en.exe     windows10-2004-x64
3      f28e02bd1e...8a.exe     windows10-2004-x64
10     ForceOp 2....ce.exe     windows10-2004-x64
7      HYDRA.exe               windows10-2004-x64
10     #/power.exe             windows10-2004-x64
-      #/sant.exe              windows10-2004-x64
-      #/ufx.exe               windows10-2004-x64
-      #/va.exe                windows10-2004-x64
-      KLwC6vii.exe            windows10-2004-x64
1      Keygen.exe              windows10-2004-x64
10     Lonelyscre...ox.exe     windows10-2004-x64
3      LtHv0O2KZDK4M637.exe    windows10-2004-x64
10     Magic_File...ja.exe     windows10-2004-x64
3      OnlineInstaller.exe     windows10-2004-x64
8      REVENGE-RAT.js          windows10-2004-x64
10     Remouse.Mi...cg.exe     windows10-2004-x64
Analysis

max time kernel:  143s
max time network: 144s
platform:         windows10-2004_x64
resource:         win10v2004-20250502-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted:        20/05/2025, 20:42
Tasks

static1 is the static task. Every behavioral task below ran on resource win10v2004-20250502-en.

Task           Sample
behavioral1    08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
behavioral2    0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
behavioral3    0di3x.exe
behavioral4    4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab.dll
behavioral5    2019-09-02_22-41-10.exe
behavioral6    2c01b007729230c415420ad641ad92eb.exe
behavioral7    31.exe
behavioral8    3DMark 11 Advanced Edition.exe
behavioral9    42f972925508a82236e8533567487761.exe
behavioral10   5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
behavioral11   c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe
behavioral12   69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
behavioral13   905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
behavioral14   948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
behavioral15   95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
behavioral16   Archive.zip__ccacaxs2tbz2t6ob3e.exe
behavioral17   DiskInternals_Uneraser_v5_keygen.exe
behavioral18   f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
behavioral19   ForceOp 2.8.7 - By RaiSence.exe
behavioral20   HYDRA.exe
behavioral21   #/power.exe
behavioral22   #/sant.exe
behavioral23   #/ufx.exe
behavioral24   #/va.exe
behavioral25   KLwC6vii.exe
behavioral26   Keygen.exe
behavioral27   Lonelyscreen.1.2.9.keygen.by.Paradox.exe
behavioral28   LtHv0O2KZDK4M637.exe
behavioral29   Magic_File_v3_keygen_by_KeygenNinja.exe
behavioral30   OnlineInstaller.exe
behavioral31   REVENGE-RAT.js
behavioral32   Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
General

Target:  REVENGE-RAT.js
Size:    1.2MB
MD5:     8ff99e0a81c684cefbc2a752c44f30a1
SHA1:    61b8dbc7483abcb72d2c633e6309feb26ac16eb0
SHA256:  4f7aa725bb1c08b1ca9179e2efd09d48b62ad6a9cd89a1937ae3842363f5280e
SHA512:  7aaee800cc8dbd8f2ededc4d0454476307c14621fde0c4edbe6d4088cb2dc2e9a2ab4d4f04891a2923cac10ed2c6d436d121f9a52f327e55096a318389ace364
SSDEEP:  24576:ZU+R0Eg650x+M5+7Yzx0rpdizEAikr2d212SrO7cZbZ8xxTBE/lhEIirIzW0rvWx:v
Malware Config

Extracted
Family:              revengerat
Botnet/campaign ID:  tenakt
C2:                  94.23.220.50:559
Mutex:               RV_MUTEX-YtjWSTUKIWwi
Signatures

RevengeRAT
  Remote-access trojan with a wide range of capabilities.

Revengerat family

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | tacbvfff.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation | wscript.exe

Drops startup file (7 IoCs)
  Description | IoC | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe | foldani.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cjnsta.vbs | foldani.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tenakt.js | foldani.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hadiya.lnk | foldani.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\elBV.URL | foldani.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inststa.exe | vbc.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe | foldani.exe

Executes dropped EXE (6 IoCs)
  PID  | Process
  4248 | tacbvfff.exe
  5084 | tacbvfff.exe
  3004 | foldani.exe
  2484 | foldani.exe
  1688 | foldani.exe
  3948 | foldani.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tenakna = "C:\\Users\\Admin\\Documents\\foldani.exe" | foldani.exe

Suspicious use of SetThreadContext (3 IoCs)
  Description | PID | Process | procid_target
  PID 4248 set thread context of 5084 | 4248 | tacbvfff.exe | 98
  PID 3004 set thread context of 2484 | 3004 | foldani.exe | 107
  PID 1688 set thread context of 3948 | 1688 | foldani.exe | 146

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 27 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  All 27 IoCs are "Key opened" on the same key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes, in report order: cvtres.exe, tacbvfff.exe, foldani.exe, cvtres.exe, vbc.exe, cvtres.exe, cvtres.exe, vbc.exe, cvtres.exe, vbc.exe, foldani.exe, foldani.exe, vbc.exe, schtasks.exe, vbc.exe, foldani.exe, vbc.exe, cvtres.exe, vbc.exe, tacbvfff.exe, cvtres.exe, cvtres.exe, vbc.exe, cvtres.exe, vbc.exe, vbc.exe, cvtres.exe
  (per process: cvtres.exe 10, vbc.exe 10, foldani.exe 4, tacbvfff.exe 2, schtasks.exe 1)

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID  | Process
  5032 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description | PID | Process
  Token: SeDebugPrivilege | 5084 | tacbvfff.exe
  Token: SeDebugPrivilege | 2484 | foldani.exe
  Token: SeDebugPrivilege | 3948 | foldani.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Identical rows are collapsed; the Count column gives how many times each row appears in the report.
  Description | PID | Process | procid_target | Count
  PID 2844 wrote to memory of 4248 | 2844 | wscript.exe | 85 | 3
  PID 4248 wrote to memory of 5084 | 4248 | tacbvfff.exe | 98 | 7
  PID 5084 wrote to memory of 3004 | 5084 | tacbvfff.exe | 106 | 3
  PID 3004 wrote to memory of 2484 | 3004 | foldani.exe | 107 | 7
  PID 2484 wrote to memory of 2316 | 2484 | foldani.exe | 109 | 3
  PID 2316 wrote to memory of 2020 | 2316 | vbc.exe | 111 | 3
  PID 2484 wrote to memory of 5032 | 2484 | foldani.exe | 113 | 3
  PID 2484 wrote to memory of 3668 | 2484 | foldani.exe | 116 | 3
  PID 1684 wrote to memory of 1688 | 1684 | cmd.exe | 118 | 3
  PID 3668 wrote to memory of 4616 | 3668 | vbc.exe | 119 | 3
  PID 2484 wrote to memory of 3576 | 2484 | foldani.exe | 120 | 3
  PID 3576 wrote to memory of 3884 | 3576 | vbc.exe | 122 | 3
  PID 2484 wrote to memory of 1880 | 2484 | foldani.exe | 123 | 3
  PID 1880 wrote to memory of 2804 | 1880 | vbc.exe | 125 | 3
  PID 2484 wrote to memory of 3832 | 2484 | foldani.exe | 126 | 3
  PID 3832 wrote to memory of 3308 | 3832 | vbc.exe | 128 | 3
  PID 2484 wrote to memory of 780 | 2484 | foldani.exe | 129 | 3
  PID 780 wrote to memory of 4660 | 780 | vbc.exe | 131 | 3
  PID 2484 wrote to memory of 4212 | 2484 | foldani.exe | 132 | 2
Processes

Process tree; the number in brackets is the depth shown in the report.

[1] C:\Windows\system32\wscript.exe  (PID 2844)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe  (PID 4248)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe  (PID 5084)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
        Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\Documents\foldani.exe  (PID 3004)
          Command line: "C:\Users\Admin\Documents\foldani.exe"
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\Documents\foldani.exe  (PID 2484)
            Command line: "C:\Users\Admin\Documents\foldani.exe"
            Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2316)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eh74ssvf.cmdline"
              Signatures: Drops startup file; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2020)
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA350.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63AAB2C55DDB45718A66F62A42BDC5A1.TMP"
                Signatures: System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\schtasks.exe  (PID 5032)
              Command line: schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"
              Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3668)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_brm9j2i.cmdline"
              Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 4616)
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA42A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B2FACA169004D60A37834872A9F7EB.TMP"
                Signatures: System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3576)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5adnjguk.cmdline"
              Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 3884)
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc836984892F2244A385674E60D846DA39.TMP"
                Signatures: System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1880)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aa5wqo0t.cmdline"
              Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2804)
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc396906906FFF4FF7AA146C6D3FF4E9.TMP"
                Signatures: System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3832)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2sqlf32f.cmdline"
              Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 3308)
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81B247D36B9475D9ACAF7D53856B851.TMP"
                Signatures: System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 780)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\chcl0qrj.cmdline"
              Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 4660)
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA776.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc528655647C24E31A832232768DA67EF.TMP"
                Signatures: System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 4212)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9cb3v7la.cmdline"
              Signatures: System Location Discovery: System Language Discovery
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2324)
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA803.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61FEBB764FDE4596B39B42DD1178627A.TMP"
                Signatures: System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3380)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jzsrtblp.cmdline"
              Signatures: System Location Discovery: System Language Discovery
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2492)
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA88F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD49CC442315A4F978EC166D72417DFE6.TMP"
                Signatures: System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 4848)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rytdsohu.cmdline"
              Signatures: System Location Discovery: System Language Discovery
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 1400)
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA91C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7E758F9495C4432B2BB12443584DF55.TMP"
                Signatures: System Location Discovery: System Language Discovery
          [6] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1472)
              Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\itc0q2cb.cmdline"
              Signatures: System Location Discovery: System Language Discovery
            [7] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2052)
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA999.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFA21CDB90684ECF805F9FF96CFCCEE1.TMP"
                Signatures: System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe  (PID 1684)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe
    Signatures: Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\Documents\foldani.exe  (PID 1688)
      Command line: C:\Users\Admin\Documents\foldani.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\foldani.exe  (PID 3948)
        Command line: "C:\Users\Admin\Documents\foldani.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v16

Tactic                Technique / sub-technique               Count
Execution             Command and Scripting Interpreter       2
                        JavaScript                            1
                      Scheduled Task/Job                      1
                        Scheduled Task                        1
Persistence           Boot or Logon Autostart Execution       1
                        Registry Run Keys / Startup Folder    1
                      Scheduled Task/Job                      1
                        Scheduled Task                        1
Privilege Escalation  Boot or Logon Autostart Execution       1
                        Registry Run Keys / Startup Folder    1
                      Scheduled Task/Job                      1
                        Scheduled Task                        1
Downloads

Filesize 496B
  MD5     cb76b18ebed3a9f05a14aed43d35fba6
  SHA1    836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256  8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512  7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

Filesize 285B
  MD5     9a478476d20a01771bcc5a342accfb4e
  SHA1    314cd193e7dae0d95483be2eae5402ce5d215daa
  SHA256  e08019db10e6857bff648942f49ae96e3b9159b75e8e62643a8da0ff5b0f3a40
  SHA512  56903e24de594dd009ee292ab91ba9333db2426c3da63ceba3242439a1fa5981f390f6185250cb53739e9cfd37dcec6e85bed5641d04f017e29016985cdd3f29

Filesize 178B
  MD5     84ca5c6b9f92fe544fc46946fbd2c1c7
  SHA1    62fb7fb09a89f10915afd8de660ef1aca44a50b5
  SHA256  0f0bbb47615ae8d6c865dbfd6eceece478417875c999bb785294bef96adeb7af
  SHA512  7701ec7f09ab7ad91563e3584ac598507b39b719657a71d25c94cd99e9ba19ab869cef16aa48c7131bf13b1a127983c3564ea9243ae61161b532d2c9dd52a368

Filesize 274B
  MD5     05ab526df31c8742574a1c0aab404c5d
  SHA1    5e9b4cabec3982be6a837defea27dd087a50b193
  SHA256  0453a179e3926d451c45952c7704686fbe7f35ec91d2b3b4d9dc909f6b7a8430
  SHA512  1575da9de9cc37d3fb9fdc2a14aeb56d1debfd09534f231a0eddec35cb20ed25032eb709cb907d5d504a450278fe810d6f297939f11b63935518a4bfeb1b4c40

Filesize 167B
  MD5     199d92e77c6aaf12e1482790ae13de77
  SHA1    f6c0e02770b39a5503d03cc20a92f8a92329ed2d
  SHA256  cd5c7571b480da1e4084660059faa8dcf2524318342a7dbf687842c0e2fabd5f
  SHA512  2227fb1004aee46ed74f36e785f0573cf6b39a02ecd21665c95ecd6e465a9fb60fe2ffc968a5efc9208d1a434c2dc123418d2a86ba87e158e9048b39a0889ef9

Filesize 288B
  MD5     af52f4c74c8b6e9be1a6ccd73d633366
  SHA1    186f43720a10ffd61e5f174399fb604813cfc0a1
  SHA256  2d85e489480ba62f161d16a8f46fb85083ab53f2d9efe702ce2e49e0d68eca07
  SHA512  c521dacb09ddfe56e326cf75f9f40adc269a9b48ea3217e55c6381e836d226066ecf9721650ce74aebb763cd1d22f3d1f06b4567ee7683ba83f5f00ef41ae99e

Filesize 181B
  MD5     1ed4fa5c9ad454a01d015cab85f53128
  SHA1    6b0e5003f041ddf40c62ba7ca8bbdbdf0c5798ad
  SHA256  775515db3dbd9f79571d32fb4e8bc9823a628b3e543c762c486b893fedec2072
  SHA512  ce7014cd9aabc0fb36ef70c2d4ab529ad4b399d548fb91162d46477165413e145c3168740fcfb7ae6bf758b79151e7649570c1186e32eecde644300ba0820d79

Filesize 1KB
  MD5     e7c75ebad1ffd36c453d0cf0dbf8d584
  SHA1    1ecceefdfa2769f5fc6a28b25804a9540f1dc203
  SHA256  aa9b7d4603fe0d08e87f1dd1fd40442dd54c10bd7aca5c1a684f8ea724bd7ebb
  SHA512  3b2e558cda9c4ce94049a0200be717d5653372d9984c49cbf126eaccc2f92c73f774e72cd7213654f49fbc694014594af3a9711b03cea24de8ff2fe30c039186

Filesize 1KB
  MD5     ddcc965f8cee9ffd8b069205888d7b34
  SHA1    5fe79a2517b83d010834e98035ef58e402aea28a
  SHA256  e963f275cb47669ee158dafd50699d0fa3a222af766c1941255bfa9e55a149dc
  SHA512  d169808339383878f5000c17a5e3ee37199538d5a386ba874eed88f6dbc72169c5f1a8e3eb9c1676b980fd1fd13d77836abe9764e4cd729be8b2b28521e64057
Filesize 1KB
  MD5     9cee8c69022f94bfb40c8ae29fa7e2b0
  SHA1    42fa9e9005864720680072bea2c31bf15d66f788
  SHA256  da28dd73238a5dedbe8ee0da7c4b7ff7436f7dfa8cdbd0c0fa48604bf1b8f28d
  SHA512  5d81d9cf94f6e8454d73cf544e98a595975e17c461439dd6e8016d9c9fc653e47dc56810dffe372e4b534acb540a6e8ad35906de86d8db7e42771543761ecd7a

Filesize 1KB
  MD5     b1f5a1a9788ebb1617806bc3c33b49a7
  SHA1    65c50286e97d452d4de17bc6d401f6ab897a6a21
  SHA256  3bc1d261dec7f74a46ef8714802150c0e27f5d1a1c7989b5b0255fabe8daaefe
  SHA512  0cd2e6e683dfbf295b4b8b7aaf4cb4d2826faf99cb4152d7735823a94cab3180ba5e64007f6776e5240991dd72ddde9b51bd7ce33e2b19f84191282b6ad4b61e

Filesize 1KB
  MD5     df5f78931d543897f45a33800d8d9743
  SHA1    b871928d956aacb7034e888df42c068a741e6b92
  SHA256  3f627779db381fa2d6544b8021d9d0bf5efd19b2050d05ecebc8f1a83b00ca45
  SHA512  4f35e0dbd412cad79618ae9affc44a7ea5c16b2e5317c8037675e41865e448d3347858067564da7653a582c50be2a42ebd68bd4b24be0a6bc7345c3dd3d49ae7

Filesize 1KB
  MD5     8391fa3ee14f12d49f15f05ec77414d9
  SHA1    530a207918f8a0d506fbe67c6431d4e3f51b4f35
  SHA256  4281fc91a56204066b82159f3a4e14470cea6a806e06ff19c3d10c38348c9d09
  SHA512  92597bf82895a2501980d01d4e21e96752406872054d0827d1fb8f7fcc53ac2aad71f09e840b7f08900ba6832f484ca414459ff380f2aba4e967fa7d7565e047

Filesize 1KB
  MD5     58a1a9965380b8b4f32a8fa430ed99c4
  SHA1    ab810defec6283804691cfc6840cb0b88605264b
  SHA256  1c666ed835d7fa4ce363eb834d5a27e3255e46139612d3cb227e269ba48010c2
  SHA512  10b91936b08847b7f9db914cf7144d4d38c4fdd976a8bfcb7c6826894d736e48b380b84a370cfda939a4d98a42e66bace37c4a12a9c7011e663a21b1755d1b53

Filesize 1KB
  MD5     236b081f42c108d6256b8aee6055a9e9
  SHA1    c627ca980989894ad7af8ee1da1bf19ca23f14ee
  SHA256  58fdeb3a1a3fa08ee7bb2d0a18f69a6efe07f57674fcbc210fc0ce17098d600e
  SHA512  7a1d34e5ef7273be8f718016b0efcc9fda05ad664d1d8132a8409f7700bc730c2120e7ceb88e6b667f3869e08731793505baa9c36fe59053d62718fb4bcb9566

Filesize 1KB
  MD5     747e8ef90614071ccdb961931d1273e4
  SHA1    56d30517c0c76715960836bb751d2e27ea05e43f
  SHA256  19aa847cabeba7c2f7efe88bfa278dde7b84f0377ac17a3a5e42ad88b1fe08f2
  SHA512  b136b858847dff63e65ce9dfe08f03f97533b8c7fe50ca56142a2a338184b4157201d78b5c606705aca81f552e3b0cd835c4574aeb2e033b5e76e082a9bb1705

Filesize 1KB
  MD5     3880e6f3fa2a750bd5030dc46580aef0
  SHA1    00057ce5bee6be18ffe8ebe5824ac453b6f3125d
  SHA256  0894d97c0a26d52f17d8558d2b1d1f34fd7a21eab1049c9e7a0c805519a7119e
  SHA512  378b26805002e00e580123bebf029261be538176236b89843fb1d76bf928948006e0ec077a0b713045beea925b92112af9c61ef37ea6682514d3baeb69760783

Filesize 268B
  MD5     fe8760874e21534538e34dc52009e8b0
  SHA1    26a9ac419f9530d6045b691f3b0ecfed323be002
  SHA256  1be68e1d0beb3861fd8a519cc4c4d0b4122cbea7109bcf3e08f294705579d439
  SHA512  24c249972146048e134b86e909d51d04d3b821605cb08383921e80f6c3595dc65f9315abbd53704387bdda5c2691b5218658823f1de80e39d25152c9d367c6ed

Filesize 161B
  MD5     bedecfe1ac27cd1eb64c502ac2c9a79c
  SHA1    f56859ea20a3f357fd9dc47f6891091f631ac3fe
  SHA256  218e26b0c45b81d7ac4d8c413036b2a4a26200c5a95dba392271ffb513795557
  SHA512  29bec6ff215038bf6df8d0e03602b6a2d3ec919ee075ce8bdb04181e520efb3990842cb3fdac19c2b2ea499ee5c128b0cf26bc4adf78f0df5c7fdb202e6a1db5
Filesize 284B
  MD5     6989ad9512c924a0d9771ce7e3360199
  SHA1    1bcc5312adf332719db83156f493ad365f5bdec6
  SHA256  f80c2d143ea239ba9c96fda416193860cd3d3216e264b856466375bb14618168
  SHA512  13a0b21b94c5865ec82e4d3d4fca50f2a1948428acc696601ced1f1bf1044338eb5aeee504ca645bd0f6e6c20b2869b832a7fb693618baea756e740af86d5536

Filesize 177B
  MD5     0c6991772d9e285fd4ea7544f17409a8
  SHA1    95443749c0abfd423e26b0ce0b9b00fafcd0e179
  SHA256  0dbd7ac2caace3ded7d07060153d6db79ccca9e394758efc803e3b62b3002a82
  SHA512  884e597c3275c5c4f5b502b7c8fde36beb9d17f1ab58929ae762bbbb3cef038348e29255a6d665ddca93e31d2b4e78242bbd6b87742f0a647245196a9461170a

Filesize 285B
  MD5     b34b98a6937711fa5ca663f0de61d5bb
  SHA1    c371025912ab08ae52ff537aaa9cd924dbce6dcc
  SHA256  f1dbc184336bf86e88e1cbc422009ff85febd6bc887ae483bc10109f30ebf69a
  SHA512  2c27a72d8a2d120a222add219a0e4f11af38421433210ced930c37ccb9a0cc419fe01e45c874aee2c99613785fa4d44a66fa73c41e4dce9810d4deb24476b98f

Filesize 178B
  MD5     019701d9f5f5054d27318fc39559cc3c
  SHA1    31cd96b34453ec4c2fc0e602b4d0099fcd318a47
  SHA256  df2f3f74884b357dc9f4dccd9831cd80307df5b0e010bc0e54a66d29549a0d25
  SHA512  966bd108a3dbef810a7e6c59977797a15a0c103f84ad144da98f73aa0e35b11c8463b2e8d8264f0a276e6974d3070a0699ad150ee2614605d0928a3dbbb34fe7

Filesize 145B
  MD5     61413d4417a1d9d90bb2796d38b37e96
  SHA1    719fcd1e9c0c30c9c940b38890805d7a89fd0fe5
  SHA256  24c081f2f8589c160e6c556507f9a9590983445b933ce6a73f889b5096c211d7
  SHA512  9d8ef98bcae56a7abe678f08ba4ef76a135a14f6ca63c02a6e1ea2ddda233802e2aad6c4fc309026e16cd3a8e87a04fe6d4a0acfb9736cca6d670926c83d6cd4

Filesize 195B
  MD5     140d5a3c09c6a756fa4fd9891fe5a701
  SHA1    eff6273e3cb1a131cdbebefb0ab981f3d9102508
  SHA256  ed8cc2f3f6ed9908d8f47a3f928719c950e33fbe8ee37c0a9caeb9e7f8ec903a
  SHA512  8c65526f2e0b4b40fe4eb90321ea986a0536edff739306658ed6c015c9d0bb834536005fd7f5c8e95d0453cd25c101628e10c1842a1d1475a53cb698987439e5

Filesize 287B
  MD5     9cc0fccb33a41b06335022ada540e8f9
  SHA1    e3f1239c08f98d8fbf66237f34b54854ea7b799a
  SHA256  b3007d9bef050c2dd5b7c6376ccfc00929cd51f23fcd6cbc254b139ddaf81a49
  SHA512  9558ae7a93851c901293c8971d141915ed99bbe98c23855e8d4584936bf3b793904ff452d61e620614cd90c7dc2f385f86fee73cfbe4e6ddf6ee9f71b8e2f6eb

Filesize 180B
  MD5     7d08ac243c55c64d6978389803c16ead
  SHA1    ba6de6fef1669ce50136e64844bb96805354aa2f
  SHA256  5efe7ede568698e0390ef8c81d89055e21ad3537b4778ff04e43d47b1e6eb7c7
  SHA512  3fe457d8b7ef4f25d39b888924bdf3cc28ad9df6e3147cd1e004ebf4a55f5c66802e865abee05da2e412bc8646b697b3d6d08a1d1b817dce4327d1536bc07370

Filesize 278B
  MD5     6d569859e5e2c6ed7c5f91d34ab9f56d
  SHA1    7bcd42359b8049010a28b6441d585c955b238910
  SHA256  3352cf84b9c7b33c2dd6e2194ff24e6a5bd0da7bb829c6cadcf9b33c65f21e78
  SHA512  accd61c856a1f862699566e9f0cea6a30ab0261fa5fd048a00a5a98bf827184ebfdf1c3c879987bb2210626e71c390f2f366bea02f9ec3219cce4c15ef7ea0d7

Filesize 171B
  MD5     5a247638df05a2118ce82a57f4cd3f6f
  SHA1    8050e5959a762c6f962ddfaf7ac3a92995057dd1
  SHA256  9499f5594d6d5c183e30efc21b4f431908ac142564d80aef4fcbc0311a5c21e7
  SHA512  443de643c885fcea472ed85cf9df5dd49887c3021b978ec8005d39b4a7e67f5339ea6bca7782816b129e081bb99e2079abbbd82c7dc3f623d146be0cd76d1d42
Filesize 284B
  MD5     62caeb4021ea9d333101382b04d7ac1c
  SHA1    ebe2bb042b8a9c6771161156d1abdce9d8d43367
  SHA256  e466fcc723dfa8d713c6e7c2208581f1c94ecf06a5dd2e3b83d3a93636badbd7
  SHA512  e283647c6e24d912833229ce80055d103359ace1e83c051227d40a672691491ef612ea639ebc896d01ff132c5f101132b5397e5c59a8ddbf11e58fdd2052247c

Filesize 177B
  MD5     1a5ee8471cda3d5b536e39db3396d58f
  SHA1    123ac66732b00855406b6aefd43afc8c31aaecf6
  SHA256  1f85f48ce5c4fda97c9100d391e47dc712d18ecf4175ea5f48a948048a07b798
  SHA512  2b41dcf35eafe3deb0f8e6d78dc5a84663862c3de458432c46bdcfa9309e3e4c2be041a3c25ef37142f46138baae7f86c9cf9a9fd9f0dd780283e92006e8419d

Filesize 234KB
  MD5     3d3e7a0dc5fd643ca49e89c1a0c3bc4f
  SHA1    30281283f34f39b9c4fc4c84712255ad0240e969
  SHA256  32d49dc703d8c827ca9ff7d5389debf7314b062a989db36d1360aae21a77db0e
  SHA512  93ae1ac6739d91488b88f487a252a411d85dc52a409489a61315235e4a3ec6a178cceac207426b779a1494ab792422263652f1ad310b8bab7ad296d2e7222e68

Filesize 684B
  MD5     8135713eeb0cf1521c80ad8f3e7aad22
  SHA1    1628969dc6256816b2ab9b1c0163fcff0971c154
  SHA256  e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
  SHA512  a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Filesize 644B
  MD5     55335ad1de079999f8d39f6c22fa06b6
  SHA1    f54e032ad3e7be3cc25cd59db11070d303c2d46d
  SHA256  e05c551536a5ee7a7c82b70d01f0b893db89b3dab1cd4c56ea9580e3901071ac
  SHA512  ca8c2f680c3d6a61c8ad18b899f7d731f610dc043729a775fd6eade6e11332c1f32c7cf60464b6b3fd41aead9b0c65bc13934574740179931d931516c13027ca

Filesize 676B
  MD5     85c61c03055878407f9433e0cc278eb7
  SHA1    15a60f1519aefb81cb63c5993400dd7d31b1202f
  SHA256  f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
  SHA512  7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Filesize 668B
  MD5     3906bddee0286f09007add3cffcaa5d5
  SHA1    0e7ec4da19db060ab3c90b19070d39699561aae2
  SHA256  0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
  SHA512  0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Filesize 644B
  MD5     dac60af34e6b37e2ce48ac2551aee4e7
  SHA1    968c21d77c1f80b3e962d928c35893dbc8f12c09
  SHA256  2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
  SHA512  1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Filesize 684B
  MD5     7a707b422baa7ca0bc8883cbe68961e7
  SHA1    addf3158670a318c3e8e6fdd6d560244b9e8860e
  SHA256  453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
  SHA512  81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9