Malware Analysis Report

2024-10-23 19:30

Sample ID 240311-abx3qseg83
Target bf4f7264ef324c5c14dccd8679685d3f
SHA256 8fdc412291f33a96a35c93d3d2bf03b338054509cd855f60109809a8e74100fe
Tags
asyncrat azorult zgrat noip infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8fdc412291f33a96a35c93d3d2bf03b338054509cd855f60109809a8e74100fe

Threat Level: Known bad

The file bf4f7264ef324c5c14dccd8679685d3f was found to be: Known bad.

Malicious Activity Summary

asyncrat azorult zgrat noip infostealer rat trojan

AsyncRat

Azorult

Detect ZGRat V1

ZGRat

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 00:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 00:02

Reported

2024-03-11 00:05

Platform

win7-20240221-en

Max time kernel

146s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe"

Signatures

AsyncRat

rat asyncrat

Azorult

trojan infostealer azorult

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Async RAT payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2772 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\image.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2772 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2772 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2920 wrote to memory of 2424 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe
PID 2920 wrote to memory of 2424 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe
PID 2920 wrote to memory of 2424 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe
PID 2920 wrote to memory of 2424 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe
PID 2920 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\http.exe
PID 2920 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\http.exe
PID 2920 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\http.exe
PID 2920 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\http.exe
PID 2424 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2364 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2364 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2364 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2364 wrote to memory of 2740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2364 wrote to memory of 2840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\image.exe
PID 2364 wrote to memory of 2840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\image.exe
PID 2364 wrote to memory of 2840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\image.exe
PID 2364 wrote to memory of 2840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\image.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe

"C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe" 0

C:\Users\Admin\AppData\Local\Temp\http.exe

"C:\Users\Admin\AppData\Local\Temp\http.exe" 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Local\Temp\image.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp676A.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Local\Temp\image.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\image.exe

"C:\Users\Admin\AppData\Local\Temp\image.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 aka-mining.com udp
IR 5.144.130.35:80 aka-mining.com tcp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 aka-mining.com udp
IR 5.144.130.35:80 aka-mining.com tcp

Files

memory/2772-0-0x0000000000F00000-0x0000000000FC2000-memory.dmp

memory/2772-1-0x0000000074770000-0x0000000074E5E000-memory.dmp

memory/2772-2-0x0000000004DE0000-0x0000000004E20000-memory.dmp

memory/2772-3-0x0000000000A60000-0x0000000000AC2000-memory.dmp

memory/2772-4-0x00000000002C0000-0x00000000002D6000-memory.dmp

memory/2920-5-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2920-7-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2920-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2920-9-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2920-13-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2772-15-0x0000000074770000-0x0000000074E5E000-memory.dmp

memory/2920-16-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe

MD5 8c3cdf82f84a31b497d1373b787fd9bb
SHA1 168da558ad0428adc45a480e3e4cee4bda362c4c
SHA256 b26c1263561c56c98692762c18a0705bcf3b181f0ffc0681f7e9e3666b7036da
SHA512 83449e8d7a27512735b5c1b3158bd2b45fb72d1ae8ac8b6dc3cd0938c9ea0d4667b85817ed034d2e9ff32bafbca2bca131615cebc11a8a210c6d87268a5821f6

\Users\Admin\AppData\Local\Temp\http.exe

MD5 df42290ca661cacdbbd4c1a819ddfa15
SHA1 cf4fe62f6157f61f7e737dc46c913037587d0d56
SHA256 5b81be074935e496d7cfad72e6493986abd804adb37f3c7de41230c662968dbe
SHA512 f6f289bf5935e8f01e3357155b95f9bdae6935eb98eb50322770bf437890b02a27f052cca6659029fc3773142a95c52a035e5019421f320572c3a12ba13428a8

memory/2424-36-0x0000000000C10000-0x0000000000C22000-memory.dmp

memory/2424-37-0x0000000074270000-0x000000007495E000-memory.dmp

memory/2920-35-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2424-38-0x0000000000A70000-0x0000000000AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp676A.tmp.bat

MD5 0eb5e855220b9d1ff882a2114791d0fc
SHA1 a40398e0c7627df9353922313a7ce8d9a3a068dd
SHA256 68ca1bb3b409a9400881177819a2fa3554e549f281482f9ce9dda7b2639af85e
SHA512 d7c4e014d5fdb4c9151af6f1f8770423c5c29672e88041bda04d86874479356245ac6b91c34b6f9b79c0f090d1f305801165e518a2c9dc0543bce4e81fdebec5

memory/2424-47-0x0000000074270000-0x000000007495E000-memory.dmp

memory/2840-52-0x0000000000990000-0x00000000009A2000-memory.dmp

memory/2840-53-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/2696-54-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2840-55-0x0000000004400000-0x0000000004440000-memory.dmp

memory/2696-57-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2840-58-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/2696-60-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 00:02

Reported

2024-03-11 00:05

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe"

Signatures

AsyncRat

rat asyncrat

Azorult

trojan infostealer azorult

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Async RAT payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 756 set thread context of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\image.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 756 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 756 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 756 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 756 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 756 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 756 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 756 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2128 wrote to memory of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe
PID 2128 wrote to memory of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe
PID 2128 wrote to memory of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe
PID 2128 wrote to memory of 4632 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\http.exe
PID 2128 wrote to memory of 4632 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\http.exe
PID 2128 wrote to memory of 4632 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\http.exe
PID 3048 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe | C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3804 wrote to memory of 464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3804 wrote to memory of 464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 540 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 540 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 540 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3804 wrote to memory of 1440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\image.exe
PID 3804 wrote to memory of 1440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\image.exe
PID 3804 wrote to memory of 1440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\image.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe

"C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe" 0

C:\Users\Admin\AppData\Local\Temp\http.exe

"C:\Users\Admin\AppData\Local\Temp\http.exe" 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Local\Temp\image.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Local\Temp\image.exe"'

C:\Users\Admin\AppData\Local\Temp\image.exe

"C:\Users\Admin\AppData\Local\Temp\image.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 aka-mining.com udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
IR 5.144.130.35:80 aka-mining.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 aka-mining.com udp
IR 5.144.130.35:80 aka-mining.com tcp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp
US 8.8.8.8:53 rocking.ddns.net udp

Files

memory/756-0-0x0000000000E60000-0x0000000000F22000-memory.dmp

memory/756-1-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/756-2-0x00000000058E0000-0x000000000597C000-memory.dmp

memory/756-3-0x00000000058C0000-0x00000000058D0000-memory.dmp

memory/756-4-0x0000000005840000-0x00000000058A2000-memory.dmp

memory/756-5-0x0000000005F30000-0x00000000064D4000-memory.dmp

memory/756-6-0x0000000005A60000-0x0000000005AF2000-memory.dmp

memory/756-7-0x00000000058D0000-0x00000000058E6000-memory.dmp

memory/2128-8-0x0000000000400000-0x000000000042C000-memory.dmp

memory/756-11-0x00000000750E0000-0x0000000075890000-memory.dmp

memory/2128-12-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe

MD5 8c3cdf82f84a31b497d1373b787fd9bb
SHA1 168da558ad0428adc45a480e3e4cee4bda362c4c
SHA256 b26c1263561c56c98692762c18a0705bcf3b181f0ffc0681f7e9e3666b7036da
SHA512 83449e8d7a27512735b5c1b3158bd2b45fb72d1ae8ac8b6dc3cd0938c9ea0d4667b85817ed034d2e9ff32bafbca2bca131615cebc11a8a210c6d87268a5821f6

C:\Users\Admin\AppData\Local\Temp\http.exe

MD5 df42290ca661cacdbbd4c1a819ddfa15
SHA1 cf4fe62f6157f61f7e737dc46c913037587d0d56
SHA256 5b81be074935e496d7cfad72e6493986abd804adb37f3c7de41230c662968dbe
SHA512 f6f289bf5935e8f01e3357155b95f9bdae6935eb98eb50322770bf437890b02a27f052cca6659029fc3773142a95c52a035e5019421f320572c3a12ba13428a8

memory/3048-32-0x0000000073D90000-0x0000000074540000-memory.dmp

memory/3048-31-0x0000000000A80000-0x0000000000A92000-memory.dmp

memory/2128-36-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3048-37-0x0000000005310000-0x0000000005320000-memory.dmp

memory/3048-42-0x0000000073D90000-0x0000000074540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.bat

MD5 3bb051858622805727f75dc626b835f2
SHA1 670b75408f6f4ba9c9973932db6cf9b6435b78cd
SHA256 d68ab47c83c797c8e23c9f4709e2787c73cb33302130284a7908a03ac9ae60d7
SHA512 09be6576b59bb6bacbdccf3f0bcf536ae3854e7bb68e017449cd78850ea192cc702b882214b1791677bf6303298e57da05abb0545e538e49c77b56d81162bdee

memory/1440-47-0x0000000073FA0000-0x0000000074750000-memory.dmp

memory/1440-48-0x0000000005300000-0x0000000005310000-memory.dmp

memory/4632-49-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1440-51-0x0000000073FA0000-0x0000000074750000-memory.dmp

memory/4632-52-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1440-53-0x0000000005300000-0x0000000005310000-memory.dmp

memory/4632-55-0x0000000000400000-0x0000000000420000-memory.dmp