revengerat | d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250502-en
resource tags

arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2025, 02:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

REVENGE-RAT.js
Size

1.2MB
MD5

8ff99e0a81c684cefbc2a752c44f30a1
SHA1

61b8dbc7483abcb72d2c633e6309feb26ac16eb0
SHA256

4f7aa725bb1c08b1ca9179e2efd09d48b62ad6a9cd89a1937ae3842363f5280e
SHA512

7aaee800cc8dbd8f2ededc4d0454476307c14621fde0c4edbe6d4088cb2dc2e9a2ab4d4f04891a2923cac10ed2c6d436d121f9a52f327e55096a318389ace364
SSDEEP

24576:ZU+R0Eg650x+M5+7Yzx0rpdizEAikr2d212SrO7cZbZ8xxTBE/lhEIirIzW0rvWx:v

Score

10^/10

revengerat tenakt discovery execution persistence trojan

Malware Config

Extracted

Family

revengerat

Botnet

tenakt

94.23.220.50:559

Mutex

RV_MUTEX-YtjWSTUKIWwi

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation	tacbvfff.exe

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe	foldani.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cjnsta.vbs	foldani.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tenakt.js	foldani.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hadiya.lnk	foldani.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\elBV.URL	foldani.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inststa.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe	foldani.exe

Executes dropped EXE 6 IoCs

pid	Process
4760	tacbvfff.exe
5452	tacbvfff.exe
5980	foldani.exe
1932	foldani.exe
928	foldani.exe
2400	foldani.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tenakna = "C:\\Users\\Admin\\Documents\\foldani.exe"	foldani.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 5452	4760	tacbvfff.exe	89
PID 5980 set thread context of 1932	5980	foldani.exe	95
PID 928 set thread context of 2400	928	foldani.exe	132

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foldani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacbvfff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacbvfff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foldani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foldani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foldani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3684	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5452	tacbvfff.exe
Token: SeDebugPrivilege	1932	foldani.exe
Token: SeDebugPrivilege	2400	foldani.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5656 wrote to memory of 4760	5656	wscript.exe	88
PID 5656 wrote to memory of 4760	5656	wscript.exe	88
PID 5656 wrote to memory of 4760	5656	wscript.exe	88
PID 4760 wrote to memory of 5452	4760	tacbvfff.exe	89
PID 4760 wrote to memory of 5452	4760	tacbvfff.exe	89
PID 4760 wrote to memory of 5452	4760	tacbvfff.exe	89
PID 4760 wrote to memory of 5452	4760	tacbvfff.exe	89
PID 4760 wrote to memory of 5452	4760	tacbvfff.exe	89
PID 4760 wrote to memory of 5452	4760	tacbvfff.exe	89
PID 4760 wrote to memory of 5452	4760	tacbvfff.exe	89
PID 5452 wrote to memory of 5980	5452	tacbvfff.exe	94
PID 5452 wrote to memory of 5980	5452	tacbvfff.exe	94
PID 5452 wrote to memory of 5980	5452	tacbvfff.exe	94
PID 5980 wrote to memory of 1932	5980	foldani.exe	95
PID 5980 wrote to memory of 1932	5980	foldani.exe	95
PID 5980 wrote to memory of 1932	5980	foldani.exe	95
PID 5980 wrote to memory of 1932	5980	foldani.exe	95
PID 5980 wrote to memory of 1932	5980	foldani.exe	95
PID 5980 wrote to memory of 1932	5980	foldani.exe	95
PID 5980 wrote to memory of 1932	5980	foldani.exe	95
PID 1932 wrote to memory of 4476	1932	foldani.exe	96
PID 1932 wrote to memory of 4476	1932	foldani.exe	96
PID 1932 wrote to memory of 4476	1932	foldani.exe	96
PID 4476 wrote to memory of 3028	4476	vbc.exe	98
PID 4476 wrote to memory of 3028	4476	vbc.exe	98
PID 4476 wrote to memory of 3028	4476	vbc.exe	98
PID 1932 wrote to memory of 3684	1932	foldani.exe	100
PID 1932 wrote to memory of 3684	1932	foldani.exe	100
PID 1932 wrote to memory of 3684	1932	foldani.exe	100
PID 1932 wrote to memory of 1684	1932	foldani.exe	103
PID 1932 wrote to memory of 1684	1932	foldani.exe	103
PID 1932 wrote to memory of 1684	1932	foldani.exe	103
PID 4864 wrote to memory of 928	4864	cmd.exe	105
PID 4864 wrote to memory of 928	4864	cmd.exe	105
PID 4864 wrote to memory of 928	4864	cmd.exe	105
PID 1684 wrote to memory of 2792	1684	vbc.exe	106
PID 1684 wrote to memory of 2792	1684	vbc.exe	106
PID 1684 wrote to memory of 2792	1684	vbc.exe	106
PID 1932 wrote to memory of 4184	1932	foldani.exe	107
PID 1932 wrote to memory of 4184	1932	foldani.exe	107
PID 1932 wrote to memory of 4184	1932	foldani.exe	107
PID 4184 wrote to memory of 1376	4184	vbc.exe	109
PID 4184 wrote to memory of 1376	4184	vbc.exe	109
PID 4184 wrote to memory of 1376	4184	vbc.exe	109
PID 1932 wrote to memory of 2008	1932	foldani.exe	110
PID 1932 wrote to memory of 2008	1932	foldani.exe	110
PID 1932 wrote to memory of 2008	1932	foldani.exe	110
PID 2008 wrote to memory of 6052	2008	vbc.exe	112
PID 2008 wrote to memory of 6052	2008	vbc.exe	112
PID 2008 wrote to memory of 6052	2008	vbc.exe	112
PID 1932 wrote to memory of 5512	1932	foldani.exe	113
PID 1932 wrote to memory of 5512	1932	foldani.exe	113
PID 1932 wrote to memory of 5512	1932	foldani.exe	113
PID 5512 wrote to memory of 4444	5512	vbc.exe	115
PID 5512 wrote to memory of 4444	5512	vbc.exe	115
PID 5512 wrote to memory of 4444	5512	vbc.exe	115
PID 1932 wrote to memory of 3100	1932	foldani.exe	116
PID 1932 wrote to memory of 3100	1932	foldani.exe	116
PID 1932 wrote to memory of 3100	1932	foldani.exe	116
PID 3100 wrote to memory of 2316	3100	vbc.exe	118
PID 3100 wrote to memory of 2316	3100	vbc.exe	118
PID 3100 wrote to memory of 2316	3100	vbc.exe	118
PID 1932 wrote to memory of 5772	1932	foldani.exe	119
PID 1932 wrote to memory of 5772	1932	foldani.exe	119

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5656
- C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
  "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
    "C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5452
  - - C:\Users\Admin\Documents\foldani.exe
      "C:\Users\Admin\Documents\foldani.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5980
    - - C:\Users\Admin\Documents\foldani.exe
        
        "C:\Users\Admin\Documents\foldani.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8f078akf.cmdline"
        6⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCCE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFDFA0EC07C4D4D14B44A9DDB92494D16.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oorz0xxi.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5726CC6C4F440EE87103E9EC73739E1.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x88x2qcm.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9262FA5C899405AB65F6BE11CF93C3.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e5zymfbu.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9508228E4FFE431082EB917ED1958293.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vbf1zknr.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5512
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE02A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9976BB286594E1F9542F1F8AE5F1D5C.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t0daoep-.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E9B846BFA0346F8A9A3B5971C13CDE5.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zrxw8mnx.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc226F2E2DFDC749C99EB51BEDA61A1.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wit6ldeq.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9293AB3BAE9B4A9EA7843BBE6FBFED1A.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5656
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\osa5xo2k.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE23D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc684FE5F1348F4FD195AB74111DACA43D.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c9t2d8ne.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc80A73A074DD94F38B62C615B8BDAF3F7.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\Documents\foldani.exe
  C:\Users\Admin\Documents\foldani.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:928
- - C:\Users\Admin\Documents\foldani.exe
    "C:\Users\Admin\Documents\foldani.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2400

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\tacbvfff.exe.log

Filesize
496B

MD5
cb76b18ebed3a9f05a14aed43d35fba6

SHA1
836a4b4e351846fca08b84149cb734cb59b8c0d6

SHA256
8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

SHA512
7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f078akf.0.vb

Filesize
145B

MD5
61413d4417a1d9d90bb2796d38b37e96

SHA1
719fcd1e9c0c30c9c940b38890805d7a89fd0fe5

SHA256
24c081f2f8589c160e6c556507f9a9590983445b933ce6a73f889b5096c211d7

SHA512
9d8ef98bcae56a7abe678f08ba4ef76a135a14f6ca63c02a6e1ea2ddda233802e2aad6c4fc309026e16cd3a8e87a04fe6d4a0acfb9736cca6d670926c83d6cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f078akf.cmdline

Filesize
195B

MD5
c915d1d98c54ccd5df48752d94531759

SHA1
15b19d4c6f9f594b6e696d8891b36165836fb3ae

SHA256
642a02a548e0f09a1ffebbc304c1c9c5f58bd25ce73ec304e5d764abe97f89d0

SHA512
41c9f6038a2c36c3391b0283a5474d9b8f7acc19605d7dca5249943352afdf24de2c18490fb9e1b2a51ae9abc68feef6e8b1913adb25bce3ff80b955d99a33e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDCCE.tmp

Filesize
1KB

MD5
22d00802943e627874f7b58a9b2990d2

SHA1
53d4381281d59d13b83773747e44f74ec8c52449

SHA256
1895eceb08bd537234a6291504e9b85d4c81958d2cbf2641883c708336b18122

SHA512
f9019c2e974a9e5b96af7610cff183af94b9316fec3559e6f665a15cd2eb9def9ce3a798675c7750150e8bc688400c575c5b16bf4702d81938b54b04bc2f9015

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDDB9.tmp

Filesize
1KB

MD5
19531439a00f525c9c025a05de554500

SHA1
3dca28055577a1894cb97b10239207f7d085324c

SHA256
0cf1168657f1534c690012fcb22067e001362650e0a0d2d427b1cf63dda5761f

SHA512
427fca1bfd4af28b592da28a7260b96f22e48fd38cba4f855a955221d954b051698fece315078037788f97b6d4fdcaa1a1c1037717f357e1eb8cfcc988624425

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDE93.tmp

Filesize
1KB

MD5
97364464bb9390e93c9a0847017293c7

SHA1
72038707259aeb30f253e7a4b4aaea6725284de9

SHA256
f8112ff4ebda43d1cde9774d5b0064ec77db5896aac888d5c4bdc1cddc8afa69

SHA512
66d93be44563b2a6fb763fa66984c90759a0b9ce7ad112bc5bf472638ed355368349bfbc87bd60ef2c4bcafa7c05b501115da78482abf63e2c46e8b1fcaa8918

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDF9D.tmp

Filesize
1KB

MD5
7c756b7b3bd83866bfab6372c2692993

SHA1
f52f9c04735760c1134a1b8b49eeee83fce54403

SHA256
c6fc257405dc15372a8f0c6e9c4efd5f5e96c88dd5973ce853df0884a0427c39

SHA512
96af744d0ce7ce03feb4481edecf305527c9a989900900a2866a151cf643f9f161dd910e15e043e43b49e45c17d77176cd2f7deebed46763f1c1a94c9a4d8df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE02A.tmp

Filesize
1KB

MD5
c2237c98c5f0a17efc79679f935ed209

SHA1
f9f0d016c37fbd9226b7c7610fbb8d86162ccf9d

SHA256
5130bd52f386f88b1ccff508f80ba0f43baeea63b9ec6220bd5b56ca3c5e034a

SHA512
42393a739963283123cf422c0d2dab9ba9d73fc2d5bf0b7256f1fbe7473f4419db6927612bb0304bee73f869ad8556e234ae9f390f9b4c5112bb56e4ced5c188

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE0C6.tmp

Filesize
1KB

MD5
46b10a7bb3b6cd03edacc698f04fa5d0

SHA1
a79d66b10dcf0d6f3338ef7f29f75168e3564173

SHA256
c9de796312bb25f8c5d0c20b5d8e03f3a00698c7c369bc3fd682fc86f164dcee

SHA512
b7d5c319c0f6b562224f559ae1183b147897fade2dd2c66cf6b0897a2c55d37204a37221af7a79b27c227c689c9de7b2d901e909702c42efa6b173694e5f0a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE143.tmp

Filesize
1KB

MD5
60e893fe9e5ee963d83365002cfb1529

SHA1
7c5e733572c7750864a24e98496107c8591bcd07

SHA256
b4d5752dad9425f97f4d34517ca094203f883a8a366b23a3afba86d464306453

SHA512
41539e8c17f6f5de5860fcd5f7a32073b1c12469dac34bf102ee5cb20b47e311da1430af66cf5b41e8063c67218839b0a6901affb57741ae50a6bff9fcaf991c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE1D0.tmp

Filesize
1KB

MD5
7fdddf1c67e216a4bf10a52fbd608180

SHA1
c742fd58bd8d5e4fe4c09882dda098b74710e4b7

SHA256
b18b9883579a6da91ce06bbfa906b01f4cd2d28028369fa7687d539b0eb35176

SHA512
006572b25dfa8cd35e26620a2d51c4439244d1608b8919eedcc0074d66e446c92c27c3690cb841e601e37206a6a446d67bee25b6434a1f8d2d6670c6d6d0406e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE23D.tmp

Filesize
1KB

MD5
beb511204e4cca408dfce998759d6bd3

SHA1
5b5e022f69afd871eebef3ef423b6df927c758b0

SHA256
0147ec7ec3abc37306b38cdf2f250db033f9cea9b82075b07255f615265d44dd

SHA512
c12df900ef305ce1f1115cdc8cdb976c717f7529558c07a3093cfa7509505e37b6a3dbb3e4c3ca3abb7b68a58f03d9ee033a2bb26ee97f3f9e4e09fb328c708f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE2CA.tmp

Filesize
1KB

MD5
cb8deb2e023ca954e2ca007bee720cf6

SHA1
7ca3c75bd4ed817fccac2baae2e5b25094cc113d

SHA256
ab435723fc6f26700d4dd13b516079b16679e2e66bda81bd5dca8a0a50bf01ce

SHA512
ce8f3c0fc9a59e248fc9368b106eaa702f65625d67d4b9d4120783cc47ee462ab0b447423c3b25051c856efbd53382b9512071560711f3165a9325bd5dc48083

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9t2d8ne.0.vb

Filesize
287B

MD5
9cc0fccb33a41b06335022ada540e8f9

SHA1
e3f1239c08f98d8fbf66237f34b54854ea7b799a

SHA256
b3007d9bef050c2dd5b7c6376ccfc00929cd51f23fcd6cbc254b139ddaf81a49

SHA512
9558ae7a93851c901293c8971d141915ed99bbe98c23855e8d4584936bf3b793904ff452d61e620614cd90c7dc2f385f86fee73cfbe4e6ddf6ee9f71b8e2f6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9t2d8ne.cmdline

Filesize
180B

MD5
145774400ab441e02b367e7cbf1344db

SHA1
ab197d54ebe792f8ee40c6125a0e3aff0875b78b

SHA256
7ab147308a6858e29968603060ee3d4746f86ce1d472c88367035cec92711cf6

SHA512
28b56ed01400ee5d4be154d9c5eb8c86ae628b01d75706da76cb2751d8fadceb35514ed72c883d37c69a5ab8ee08f60e719b6324169ff0342eebfe5da8eda3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5zymfbu.0.vb

Filesize
284B

MD5
6989ad9512c924a0d9771ce7e3360199

SHA1
1bcc5312adf332719db83156f493ad365f5bdec6

SHA256
f80c2d143ea239ba9c96fda416193860cd3d3216e264b856466375bb14618168

SHA512
13a0b21b94c5865ec82e4d3d4fca50f2a1948428acc696601ced1f1bf1044338eb5aeee504ca645bd0f6e6c20b2869b832a7fb693618baea756e740af86d5536

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5zymfbu.cmdline

Filesize
177B

MD5
e0fde5f1f94779b24867636a1f154a94

SHA1
220686347115c224cafc3ad6212dd8d6089bb99b

SHA256
057c4ee89a90b54905115b09a78b303e57fd6ae31e1d081c16e6414c64424891

SHA512
6421ceefe72b44ccc809cd1be13b95d56f6c75db15698ec0e451d8d0c9503496cb7a71aa66014d72b9f354ae825b3dc5812e443a14046ad873d935499ce12286

Download Submit
C:\Users\Admin\AppData\Local\Temp\oorz0xxi.0.vb

Filesize
268B

MD5
fe8760874e21534538e34dc52009e8b0

SHA1
26a9ac419f9530d6045b691f3b0ecfed323be002

SHA256
1be68e1d0beb3861fd8a519cc4c4d0b4122cbea7109bcf3e08f294705579d439

SHA512
24c249972146048e134b86e909d51d04d3b821605cb08383921e80f6c3595dc65f9315abbd53704387bdda5c2691b5218658823f1de80e39d25152c9d367c6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\oorz0xxi.cmdline

Filesize
161B

MD5
91e1cf40d82c7a35afb80158eb8b95b4

SHA1
7191e3f3e31f52a1659626449d9c5b7ef63c2fce

SHA256
fbd8ce9c6e57a23d7d7d9bf5ab33538a2584e050a9028ec07e131e2a519a255a

SHA512
4f66637d4017a8b2274907e1954ae49d0a8422e42a194b97abd5068854fe66c712a8ae706ce6e0a5a1e676312448cf7ec22579136c7945be4a5bb620516f91b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\osa5xo2k.0.vb

Filesize
284B

MD5
62caeb4021ea9d333101382b04d7ac1c

SHA1
ebe2bb042b8a9c6771161156d1abdce9d8d43367

SHA256
e466fcc723dfa8d713c6e7c2208581f1c94ecf06a5dd2e3b83d3a93636badbd7

SHA512
e283647c6e24d912833229ce80055d103359ace1e83c051227d40a672691491ef612ea639ebc896d01ff132c5f101132b5397e5c59a8ddbf11e58fdd2052247c

Download Submit
C:\Users\Admin\AppData\Local\Temp\osa5xo2k.cmdline

Filesize
177B

MD5
4d1429b3300327168420aa63d89d3eeb

SHA1
a005add859b5870a5aa44fd8f25d892be649f4e9

SHA256
aae36c5ac1bb5a763854d763c8a242feeb34e0187649d07f81d2868df349f222

SHA512
5603138833a4d5523b56e3b6875e43a6765fb33593a5cc68f3c2774b2994288e5bd7ce4c61908e049489616a39f14c896dcbd640e3896fbd30b30477c2b23018

Download Submit
C:\Users\Admin\AppData\Local\Temp\t0daoep-.0.vb

Filesize
285B

MD5
b34b98a6937711fa5ca663f0de61d5bb

SHA1
c371025912ab08ae52ff537aaa9cd924dbce6dcc

SHA256
f1dbc184336bf86e88e1cbc422009ff85febd6bc887ae483bc10109f30ebf69a

SHA512
2c27a72d8a2d120a222add219a0e4f11af38421433210ced930c37ccb9a0cc419fe01e45c874aee2c99613785fa4d44a66fa73c41e4dce9810d4deb24476b98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\t0daoep-.cmdline

Filesize
178B

MD5
51517583907c0c2a4641a854f0f98f15

SHA1
371ad6b9d2d7915b10adef1e26b510664801faa1

SHA256
640301f6d1b741361b3d641d32f5894c6d694543fa8525a4f86b3d529c56eb46

SHA512
c791668f55d638e1374dcde87f93a305473ccc35f7ec14f9280e4fbcf0e960f2e6947ebc8b2f00ea8a0a66b63b2d5f5fa4d35d3b0a27aeaf1cbe27e6715fea4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe

Filesize
234KB

MD5
3d3e7a0dc5fd643ca49e89c1a0c3bc4f

SHA1
30281283f34f39b9c4fc4c84712255ad0240e969

SHA256
32d49dc703d8c827ca9ff7d5389debf7314b062a989db36d1360aae21a77db0e

SHA512
93ae1ac6739d91488b88f487a252a411d85dc52a409489a61315235e4a3ec6a178cceac207426b779a1494ab792422263652f1ad310b8bab7ad296d2e7222e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc226F2E2DFDC749C99EB51BEDA61A1.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc80A73A074DD94F38B62C615B8BDAF3F7.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD9262FA5C899405AB65F6BE11CF93C3.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF5726CC6C4F440EE87103E9EC73739E1.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF9976BB286594E1F9542F1F8AE5F1D5C.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFDFA0EC07C4D4D14B44A9DDB92494D16.TMP

Filesize
644B

MD5
55335ad1de079999f8d39f6c22fa06b6

SHA1
f54e032ad3e7be3cc25cd59db11070d303c2d46d

SHA256
e05c551536a5ee7a7c82b70d01f0b893db89b3dab1cd4c56ea9580e3901071ac

SHA512
ca8c2f680c3d6a61c8ad18b899f7d731f610dc043729a775fd6eade6e11332c1f32c7cf60464b6b3fd41aead9b0c65bc13934574740179931d931516c13027ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbf1zknr.0.vb

Filesize
285B

MD5
9a478476d20a01771bcc5a342accfb4e

SHA1
314cd193e7dae0d95483be2eae5402ce5d215daa

SHA256
e08019db10e6857bff648942f49ae96e3b9159b75e8e62643a8da0ff5b0f3a40

SHA512
56903e24de594dd009ee292ab91ba9333db2426c3da63ceba3242439a1fa5981f390f6185250cb53739e9cfd37dcec6e85bed5641d04f017e29016985cdd3f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbf1zknr.cmdline

Filesize
178B

MD5
87982d092973c5a51cecd9855856a727

SHA1
6b2e5fd15a79b1f80c1242b023e1237904deae09

SHA256
8c486683abda0e81eb9f66d6c53cfa7b135eecbf18dfb9aeb4184517ab3fa9c4

SHA512
d8decfb56885770cc22264a72cda11c103e1656d536a191d9c642a6723c611cea9b3f3747ed939e98fe7b201848078925c9aa9e62bbe4a05f91508e95d849e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\wit6ldeq.0.vb

Filesize
278B

MD5
6d569859e5e2c6ed7c5f91d34ab9f56d

SHA1
7bcd42359b8049010a28b6441d585c955b238910

SHA256
3352cf84b9c7b33c2dd6e2194ff24e6a5bd0da7bb829c6cadcf9b33c65f21e78

SHA512
accd61c856a1f862699566e9f0cea6a30ab0261fa5fd048a00a5a98bf827184ebfdf1c3c879987bb2210626e71c390f2f366bea02f9ec3219cce4c15ef7ea0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wit6ldeq.cmdline

Filesize
171B

MD5
624710148fddb00202a8688215774eff

SHA1
61a85be546fafa78388dcddbf5baac603d38ea74

SHA256
04569352d12124e3c87d0c357cfdb8212d1c7d1706c7721c4b0c9e24139199d5

SHA512
7e72a5d884bfd8c82cc3280ed1803315dadb084ddfcb01fe61930fa1ba2eafee72488ec5c287dd5532ea1b30abbc52e2aff8ae83ca208e5174f8baa980d87e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\x88x2qcm.0.vb

Filesize
274B

MD5
05ab526df31c8742574a1c0aab404c5d

SHA1
5e9b4cabec3982be6a837defea27dd087a50b193

SHA256
0453a179e3926d451c45952c7704686fbe7f35ec91d2b3b4d9dc909f6b7a8430

SHA512
1575da9de9cc37d3fb9fdc2a14aeb56d1debfd09534f231a0eddec35cb20ed25032eb709cb907d5d504a450278fe810d6f297939f11b63935518a4bfeb1b4c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\x88x2qcm.cmdline

Filesize
167B

MD5
d86aeb408a2f5137d8d08b3fc6752938

SHA1
3a3508492dce8604d95b9dca1f5cdc3b4a6f3a58

SHA256
f58c627334f83f90a4fd100f79d564b8f23596cdeba60aaeb5bfd12e3aa276ed

SHA512
e229485575e87a199cc1f0508b9a672c9a7907ee788644babde1350730a38104a83777a9236157e7ef5e9247b6389877c84e5cc421d326b5c9fd0825a4f43c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\zrxw8mnx.0.vb

Filesize
288B

MD5
af52f4c74c8b6e9be1a6ccd73d633366

SHA1
186f43720a10ffd61e5f174399fb604813cfc0a1

SHA256
2d85e489480ba62f161d16a8f46fb85083ab53f2d9efe702ce2e49e0d68eca07

SHA512
c521dacb09ddfe56e326cf75f9f40adc269a9b48ea3217e55c6381e836d226066ecf9721650ce74aebb763cd1d22f3d1f06b4567ee7683ba83f5f00ef41ae99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zrxw8mnx.cmdline

Filesize
181B

MD5
12559d9959ff23a42fe6a5023fdb8e56

SHA1
122c4894f21e9f574e8a3fa96c54c6466ebe077b

SHA256
b8f9147b5453be5338ae9bb10d52415571e2ba08509dd0649909cee48091720c

SHA512
32ea0d539272c1e74c0c9efe001b1b4b4d574cbdb590bb55e81771dec1cb98fdae90893ad8dfb5fe6a8ded8273778127f696fc250c7dd57681b47cb547379993

Download Submit
memory/4760-15-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4760-11-0x0000000074AC2000-0x0000000074AC3000-memory.dmp

Filesize
4KB

Download
memory/4760-12-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4760-23-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4760-13-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4760-14-0x0000000074AC2000-0x0000000074AC3000-memory.dmp

Filesize
4KB

Download
memory/5452-25-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/5452-17-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5452-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5452-20-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/5452-22-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/5452-24-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/5452-38-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads