asyncrat | ee66a185008549b9ca0c687a78aa6a69e4770dd12cab9dc63d5346c1f570904b

Resubmissions

12/03/2025, 21:32

250312-1dmynatxey 10

11/03/2025, 16:10

250311-tmgdxaxnx4 10

06/03/2025, 02:30

250306-cze8yav1az 10

Analysis

max time kernel
900s
max time network
901s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe
Size

376KB
MD5

5022069109525eccc6b1f9aea5310c30
SHA1

07427c696897bbe46a384aed624c4fd0b55d155c
SHA256

977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1
SHA512

d2c6b6175bf776d61efdeaf522ff5b73da883d84dfa10804d4bab2e0c8e83b82af839a0328e4ef1493dddf323edc2c496df55f13e99912b27a6b61d4cd363600
SSDEEP

6144:nqEVr2/qK1pyQh6taaDBZ5/jsJVNA/yrg2Nz7Dw6qXaWB7dybpFr1:qEVr2/q08Qh2akBZdjsJVNA/92NjuaWE

Score

10^/10

asyncrat revengerat default nyancatrevenge discovery rat trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

hpdndbnb.duckdns.org:2404

Mutex

90a49aa7c27647e

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

gpmaw.duckdns.org:3040

gpmaw.duckdns.org:2020

gpmaw.duckdns.org:4040

hpdndbnb.duckdns.org:3040

hpdndbnb.duckdns.org:2020

hpdndbnb.duckdns.org:4040

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
Acrobat Reader .exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	ASapAC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	AsyncClient no setting.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Adobe Reader.exe

Executes dropped EXE 10 IoCs

pid	Process
2192	ASapAC.exe
2704	ASapAC.exe
212	AsyncClient no setting.exe
4428	AsyncClient no setting.exe
1444	ASapAC.exe
3768	ASapAC.exe
4604	ASapAC.exe
2448	ASapAC.exe
3952	Adobe Reader.exe
3444	Adobe Reader.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3364 set thread context of 3612	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	89
PID 2192 set thread context of 2704	2192	ASapAC.exe	104
PID 212 set thread context of 4428	212	AsyncClient no setting.exe	111
PID 1444 set thread context of 3768	1444	ASapAC.exe	113
PID 4604 set thread context of 2448	4604	ASapAC.exe	123
PID 3952 set thread context of 3444	3952	Adobe Reader.exe	127

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1020	1444	WerFault.exe	112
4296	4604	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe Reader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe Reader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASapAC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASapAC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASapAC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient no setting.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient no setting.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASapAC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASapAC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASapAC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5028	schtasks.exe
4148	schtasks.exe
4960	schtasks.exe
1236	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe
Token: SeDebugPrivilege	2192	ASapAC.exe
Token: SeDebugPrivilege	212	AsyncClient no setting.exe
Token: SeDebugPrivilege	1444	ASapAC.exe
Token: SeDebugPrivilege	4604	ASapAC.exe
Token: SeDebugPrivilege	3952	Adobe Reader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 3612	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	89
PID 3364 wrote to memory of 3612	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	89
PID 3364 wrote to memory of 3612	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	89
PID 3364 wrote to memory of 3612	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	89
PID 3364 wrote to memory of 3612	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	89
PID 3364 wrote to memory of 3612	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	89
PID 3364 wrote to memory of 3612	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	89
PID 3364 wrote to memory of 3612	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	89
PID 3364 wrote to memory of 3488	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	98
PID 3364 wrote to memory of 3488	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	98
PID 3364 wrote to memory of 3488	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	98
PID 3364 wrote to memory of 3992	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	100
PID 3364 wrote to memory of 3992	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	100
PID 3364 wrote to memory of 3992	3364	977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe	100
PID 3488 wrote to memory of 5028	3488	cmd.exe	102
PID 3488 wrote to memory of 5028	3488	cmd.exe	102
PID 3488 wrote to memory of 5028	3488	cmd.exe	102
PID 2192 wrote to memory of 2704	2192	ASapAC.exe	104
PID 2192 wrote to memory of 2704	2192	ASapAC.exe	104
PID 2192 wrote to memory of 2704	2192	ASapAC.exe	104
PID 2192 wrote to memory of 2704	2192	ASapAC.exe	104
PID 2192 wrote to memory of 2704	2192	ASapAC.exe	104
PID 2192 wrote to memory of 2704	2192	ASapAC.exe	104
PID 2192 wrote to memory of 2704	2192	ASapAC.exe	104
PID 2192 wrote to memory of 2704	2192	ASapAC.exe	104
PID 2192 wrote to memory of 212	2192	ASapAC.exe	105
PID 2192 wrote to memory of 212	2192	ASapAC.exe	105
PID 2192 wrote to memory of 212	2192	ASapAC.exe	105
PID 2192 wrote to memory of 1224	2192	ASapAC.exe	106
PID 2192 wrote to memory of 1224	2192	ASapAC.exe	106
PID 2192 wrote to memory of 1224	2192	ASapAC.exe	106
PID 2192 wrote to memory of 5064	2192	ASapAC.exe	107
PID 2192 wrote to memory of 5064	2192	ASapAC.exe	107
PID 2192 wrote to memory of 5064	2192	ASapAC.exe	107
PID 1224 wrote to memory of 4148	1224	cmd.exe	110
PID 1224 wrote to memory of 4148	1224	cmd.exe	110
PID 1224 wrote to memory of 4148	1224	cmd.exe	110
PID 212 wrote to memory of 4428	212	AsyncClient no setting.exe	111
PID 212 wrote to memory of 4428	212	AsyncClient no setting.exe	111
PID 212 wrote to memory of 4428	212	AsyncClient no setting.exe	111
PID 212 wrote to memory of 4428	212	AsyncClient no setting.exe	111
PID 212 wrote to memory of 4428	212	AsyncClient no setting.exe	111
PID 212 wrote to memory of 4428	212	AsyncClient no setting.exe	111
PID 212 wrote to memory of 4428	212	AsyncClient no setting.exe	111
PID 212 wrote to memory of 4428	212	AsyncClient no setting.exe	111
PID 1444 wrote to memory of 3768	1444	ASapAC.exe	113
PID 1444 wrote to memory of 3768	1444	ASapAC.exe	113
PID 1444 wrote to memory of 3768	1444	ASapAC.exe	113
PID 1444 wrote to memory of 3768	1444	ASapAC.exe	113
PID 1444 wrote to memory of 3768	1444	ASapAC.exe	113
PID 1444 wrote to memory of 3768	1444	ASapAC.exe	113
PID 1444 wrote to memory of 3768	1444	ASapAC.exe	113
PID 1444 wrote to memory of 3768	1444	ASapAC.exe	113
PID 212 wrote to memory of 4748	212	AsyncClient no setting.exe	118
PID 212 wrote to memory of 4748	212	AsyncClient no setting.exe	118
PID 212 wrote to memory of 4748	212	AsyncClient no setting.exe	118
PID 212 wrote to memory of 2004	212	AsyncClient no setting.exe	119
PID 212 wrote to memory of 2004	212	AsyncClient no setting.exe	119
PID 212 wrote to memory of 2004	212	AsyncClient no setting.exe	119
PID 4748 wrote to memory of 4960	4748	cmd.exe	122
PID 4748 wrote to memory of 4960	4748	cmd.exe	122
PID 4748 wrote to memory of 4960	4748	cmd.exe	122
PID 4604 wrote to memory of 2448	4604	ASapAC.exe	123
PID 4604 wrote to memory of 2448	4604	ASapAC.exe	123

C:\Users\Admin\AppData\Local\Temp\977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe
"C:\Users\Admin\AppData\Local\Temp\977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe
  "C:\Users\Admin\AppData\Local\Temp\977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1.exe" "C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3992

C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe
C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe
  "C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\ASapAC\AsyncClient no setting.exe
  "C:\Users\Admin\AppData\Local\Temp\ASapAC\AsyncClient no setting.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\ASapAC\AsyncClient no setting.exe
    "C:\Users\Admin\AppData\Local\Temp\ASapAC\AsyncClient no setting.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\ASapAC\AsyncClient no setting.exe" "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe" "C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5064

C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe
C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe
  "C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 816
  2⤵
  - Program crash
  PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1444 -ip 1444
1⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe
C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe
  "C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 816
  2⤵
  - Program crash
  PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4604 -ip 4604
1⤵
PID:264

C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe
"C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3952
- C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe
  "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe" "C:\Users\Admin\AppData\Roaming\Adobe Reader\Adobe Reader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ASapAC.exe.log

Filesize
321B

MD5
08027eeee0542c93662aef98d70095e4

SHA1
42402c02bf4763fcd6fb0650fc13386f2eae8f9b

SHA256
1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d

SHA512
c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASapAC\ASapAC.exe

Filesize
376KB

MD5
5022069109525eccc6b1f9aea5310c30

SHA1
07427c696897bbe46a384aed624c4fd0b55d155c

SHA256
977e5ce44a0ca0b374857f1f9ba476376ab41b7edf1117a3f5b805a69244f6f1

SHA512
d2c6b6175bf776d61efdeaf522ff5b73da883d84dfa10804d4bab2e0c8e83b82af839a0328e4ef1493dddf323edc2c496df55f13e99912b27a6b61d4cd363600

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASapAC\AsyncClient no setting.exe

Filesize
280KB

MD5
211fe2f27eb6bb501821766ffe46f8c6

SHA1
cdb9c540719567b7ef64677f1fe030de377cb534

SHA256
6497a1878d2676ba6e4184692baceb2147f09a0cf6ce117ff09c8d759a64d3df

SHA512
fcf4c0284577d770f29520910c6e3d6121a35a9d68748708e8e9556d5ec811813525df7820e7b632122289de4e095f8a989a999f662526bf00c853f3057c9089

Download Submit
memory/212-33-0x00000000005E0000-0x000000000062C000-memory.dmp

Filesize
304KB

Download
memory/2192-20-0x00000000003B0000-0x0000000000414000-memory.dmp

Filesize
400KB

Download
memory/3364-5-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3364-4-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3364-7-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/3364-8-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3364-6-0x0000000005A50000-0x0000000005A5A000-memory.dmp

Filesize
40KB

Download
memory/3364-1-0x0000000000310000-0x0000000000374000-memory.dmp

Filesize
400KB

Download
memory/3364-2-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/3364-3-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/3364-15-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3364-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/3612-10-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3612-13-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3612-12-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3612-11-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/3952-46-0x0000000000240000-0x000000000028C000-memory.dmp

Filesize
304KB

Download
memory/4428-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads