Analysis Overview
SHA256
2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333
Threat Level: Known bad
The file 2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333 was found to be: Known bad.
Malicious Activity Summary
Stealc
Detect ZGRat V1
ZGRat
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 12:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 12:34
Reported
2024-04-03 12:37
Platform
win10v2004-20240226-en
Max time kernel
136s
Max time network
138s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
ZGRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe
"C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe"
C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe"
C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3596 -ip 3596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1512
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5000 -ip 5000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 2320
C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe
"C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
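The process list above shows a stager pattern worth turning into a detection: a payload is written to the user's Temp directory and launched through `cmd /c start ""`, and once it has run it is removed with `cmd /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del <path>`, where the ping to an unreachable address is just a short sleep so the deleting shell outlives the file's own process. The following is an added example, not part of the sandbox report: it runs two regex rules over constructed Sysmon Event ID 1 style records that reuse the report's command lines. The PIDs, parent PIDs and the benign control row are invented for the sample.

```python
"""Detection for the process chain in the list above: a dropped EXE started
from %TEMP% via `cmd /c start ""`, then removed by `cmd /C ping ... > Nul & Del`.

Added example, not part of the sandbox report. The events below are constructed
Sysmon Event ID 1 style records that reuse the report's command lines; PIDs,
parent PIDs and the benign control row are invented for the sample.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# `ping <host> -n 1 -w <ms>` is used as a sleep (2.2.2.2 never answers) so the
# parent can exit before `Del` removes its own image.
SELF_DELETE = re.compile(
    r'cmd\.exe"?\s+/c\s+ping\s+\S+\s+-n\s+\d+(?:\s+-w\s+\d+)?'
    r'\s*>\s*nul\s*&\s*del\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# `cmd /c start "" "<...>\AppData\Local\Temp\<name>.exe"`: launching a payload
# written to the user's Temp directory through a cmd intermediary.
START_FROM_TEMP = re.compile(
    r'cmd\.exe"?\s+/c\s+start\s+""\s+"?(?P<target>[^"]*\\AppData\\Local\\Temp\\[^"]+?\.exe)"?',
    re.IGNORECASE,
)

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed sample; PIDs and parent links are invented
    ProcEvent(3596, 1000, T + r"\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe",
              '"' + T + r'\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe"'),
    ProcEvent(5000, 3596, T + r"\u2rw.0.exe", '"' + T + r'\u2rw.0.exe"'),
    ProcEvent(4024, 3596, T + r"\u2rw.1.exe", '"' + T + r'\u2rw.1.exe"'),
    ProcEvent(4100, 5000, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c start "" "' + T + r'\JDGCGHCGHC.exe"'),
    ProcEvent(4164, 4100, T + r"\JDGCGHCGHC.exe", '"' + T + r'\JDGCGHCGHC.exe"'),
    ProcEvent(4200, 4164, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del ' + T + r'\JDGCGHCGHC.exe'),
    ProcEvent(4210, 4200, r"C:\Windows\SysWOW64\PING.EXE", "ping 2.2.2.2 -n 1 -w 3000"),
    # benign control: an ordinary ping from a shell must not fire either rule
    ProcEvent(4300, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 10.0.0.1 -n 4"),
]


def find_self_delete(events):
    """Return one dict per ping-and-Del chain; parent_is_target is True when the
    cmd that deletes the file was spawned by that very file (self-deletion)."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        m = SELF_DELETE.search(ev.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(ev.ppid)
        hits.append({
            "pid": ev.pid,
            "target": target,
            "parent_is_target": parent is not None and parent.image.lower() == target.lower(),
        })
    return hits


def find_temp_launch(events):
    """Return (pid, launched_path) for each `cmd /c start` of a Temp-resident EXE."""
    return [(ev.pid, m.group("target"))
            for ev in events if (m := START_FROM_TEMP.search(ev.cmdline))]


def triage(events):
    """Combine both rules into (severity, rule, path) alerts, highest first."""
    alerts = [("high" if h["parent_is_target"] else "medium", "self-delete", h["target"])
              for h in find_self_delete(events)]
    alerts += [("medium", "temp-launch", path) for _, path in find_temp_launch(events)]
    return sorted(alerts, key=lambda a: {"high": 0, "medium": 1}[a[0]])


if __name__ == "__main__":
    for sev, rule, path in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {path}")
```

The parent check is what lifts the self-delete rule to high severity: a `Del` whose cmd was spawned by the file being deleted is the dropped stager cleaning up after itself, whereas a matching command line with an unrelated parent is worth a look but could be an installer's own cleanup.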
Network
| Country | Destination | Domain | Proto |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 65.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.251:443 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | 251.2.93.185.in-addr.arpa | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 150.155.9.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
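Most rows in the Network table are not the sample's own traffic: the `*.in-addr.arpa` queries to 8.8.8.8 are the sandbox's reverse lookups of addresses it has already seen, and the iolo and Application Insights hosts belong to the System Mechanic installer that was dropped alongside the stealer. What remains is a cluster of plain-HTTP connections straight to IP addresses in 185.172.128.0/24 with no domain name at all. The following is an added example, not part of the report: it takes a transcription of rows from the behavioral1 table (duplicates kept, the `20.231.121.79:80` row with its empty Domain cell included) and separates sandbox noise from candidate command-and-control endpoints. The allowlist of installer/telemetry hosts is an analyst assumption, not something the report states.

```python
"""Separate sandbox noise from candidate C2 endpoints in the Network table above.

Added example, not part of the report. ROWS is transcribed from the behavioral1
table (a subset, duplicates kept). ALLOWLIST is an analyst assumption: hosts the
bundled System Mechanic installer is expected to contact, not a fact the report
states.
"""
import ipaddress
from collections import defaultdict

ROWS = [  # (country, destination, domain, proto), transcribed from the report
    ("DE", "185.172.128.90:80", "185.172.128.90", "tcp"),
    ("US", "8.8.8.8:53", "90.128.172.185.in-addr.arpa", "udp"),
    ("DE", "185.172.128.65:80", "185.172.128.65", "tcp"),
    ("DE", "185.172.128.65:80", "185.172.128.65", "tcp"),
    ("DE", "185.172.128.144:80", "185.172.128.144", "tcp"),
    ("DE", "185.172.128.209:80", "185.172.128.209", "tcp"),
    ("US", "8.8.8.8:53", "svc.iolo.com", "udp"),
    ("US", "20.157.87.45:80", "svc.iolo.com", "tcp"),
    ("US", "20.231.121.79:80", "", "tcp"),  # Domain cell is empty in the report
    ("FR", "185.93.2.251:443", "download.iolo.net", "tcp"),
    ("US", "20.9.155.150:443", "westus2-2.in.applicationinsights.azure.com", "tcp"),
]

# Assumption: vendor/telemetry hosts of the dropped System Mechanic installer.
ALLOWLIST = {
    "svc.iolo.com",
    "download.iolo.net",
    "westus2-2.in.applicationinsights.azure.com",
}


def split_dest(dest):
    """'185.172.128.90:80' -> (IPv4Address('185.172.128.90'), 80)"""
    host, _, port = dest.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def ptr_to_ip(name):
    """'90.128.172.185.in-addr.arpa' -> IPv4Address('185.172.128.90')"""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ipaddress.ip_address(".".join(reversed(octets)))


def triage(rows):
    """Bucket each row: sandbox PTR lookups, forward DNS, allowlisted vendor
    traffic, and everything else as a candidate keyed by (ip, port)."""
    ptr, dns, allowed, candidates = set(), set(), set(), {}
    for country, dest, domain, proto in rows:
        ip, port = split_dest(dest)
        if domain.endswith(".in-addr.arpa"):
            ptr.add(ptr_to_ip(domain))  # the sandbox resolving what it saw, not sample behaviour
            continue
        if port == 53 and proto == "udp":
            dns.add(domain)
            continue
        if domain in ALLOWLIST:
            allowed.add((domain, str(ip), port))
            continue
        # No hostname (or hostname == IP) on an HTTP connection: the stealer's
        # direct-to-IP check-in pattern seen in this report.
        direct = domain == "" or domain == str(ip)
        entry = candidates.setdefault((str(ip), port),
                                      {"country": country, "direct_ip": direct, "hits": 0})
        entry["hits"] += 1
    return {"ptr_lookups": ptr, "dns_queries": dns,
            "allowlisted": allowed, "candidates": candidates}


def cluster_by_net(candidates, prefix=24):
    """Group candidate endpoints by network so a hoster's block stands out."""
    groups = defaultdict(list)
    for ip, port in candidates:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].append(f"{ip}:{port}")
    return dict(groups)


if __name__ == "__main__":
    result = triage(ROWS)
    for net, endpoints in cluster_by_net(result["candidates"]).items():
        print(net, sorted(endpoints))
```

Run against the transcribed rows this leaves four endpoints in 185.172.128.0/24 plus the lone `20.231.121.79:80`, all direct-to-IP HTTP; the /24 cluster is what to carry forward as network IOCs, while the single Azure-range address is worth checking against the installer's behaviour before blocking, since the report gives it no hostname.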
Files
memory/3596-1-0x00000000008E0000-0x00000000009E0000-memory.dmp
memory/3596-2-0x00000000025D0000-0x000000000263C000-memory.dmp
memory/3596-3-0x0000000000400000-0x0000000000889000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2rw.0.exe
| MD5 | 9105a03d2ead89d612c53f1dc322eb9e |
| SHA1 | af3d72c0f399ba16b678910e21eb04e8e6122bee |
| SHA256 | c975efca05f5c6f2abc2491a6f8d3d498438622d045c7370bf6d68a53e0241a7 |
| SHA512 | 4dd290c0ce5fd4414600f3c869a6ee6fba2c7b8ec856d6aed0dffb17253eb0c37b4945d2c5881d1fc40547c8f1b1ef22e63fce229ebfc19022e44b8ee87b2fcf |
memory/5000-13-0x00000000008C0000-0x00000000009C0000-memory.dmp
memory/5000-14-0x0000000002470000-0x0000000002497000-memory.dmp
memory/5000-15-0x0000000000400000-0x0000000000866000-memory.dmp
memory/5000-16-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3596-64-0x0000000000400000-0x0000000000889000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\u2rw.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/5000-98-0x0000000000400000-0x0000000000866000-memory.dmp
memory/3596-99-0x00000000008E0000-0x00000000009E0000-memory.dmp
memory/4024-100-0x00000000027E0000-0x00000000027E1000-memory.dmp
memory/3596-105-0x0000000000400000-0x0000000000889000-memory.dmp
memory/5000-137-0x0000000000400000-0x0000000000866000-memory.dmp
memory/5000-138-0x00000000008C0000-0x00000000009C0000-memory.dmp
memory/5000-139-0x0000000000400000-0x0000000000866000-memory.dmp
memory/4024-140-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/4024-152-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/4704-153-0x00007FFCBC9A0000-0x00007FFCBD461000-memory.dmp
memory/4704-154-0x00000292033E0000-0x0000029206CD8000-memory.dmp
memory/4704-155-0x00000292222B0000-0x00000292222C0000-memory.dmp
memory/4704-156-0x00000292224B0000-0x00000292225C0000-memory.dmp
memory/4704-158-0x0000029208B80000-0x0000029208B8C000-memory.dmp
memory/4704-157-0x00000292070F0000-0x0000029207100000-memory.dmp
memory/4704-159-0x00000292089F0000-0x0000029208A04000-memory.dmp
memory/4704-160-0x0000029208B90000-0x0000029208BB4000-memory.dmp
memory/4704-161-0x0000029222210000-0x000002922221A000-memory.dmp
memory/4704-162-0x0000029222230000-0x000002922225A000-memory.dmp
memory/4704-163-0x00000292222C0000-0x0000029222372000-memory.dmp
memory/4704-164-0x0000029222700000-0x000002922277A000-memory.dmp
memory/4704-165-0x0000029222780000-0x00000292227E2000-memory.dmp
memory/4704-167-0x0000029222860000-0x00000292228D6000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/4704-171-0x0000029222220000-0x000002922222A000-memory.dmp
memory/4704-175-0x00000292228E0000-0x0000029222BE0000-memory.dmp
memory/4704-180-0x00000292222B0000-0x00000292222C0000-memory.dmp
memory/4704-179-0x0000029222840000-0x0000029222848000-memory.dmp
memory/4704-181-0x00000292222B0000-0x00000292222C0000-memory.dmp
memory/4704-178-0x00000292222B0000-0x00000292222C0000-memory.dmp
memory/4704-182-0x0000029222C50000-0x0000029222C88000-memory.dmp
memory/4704-183-0x0000029222C10000-0x0000029222C1E000-memory.dmp
memory/4704-184-0x0000029222CC0000-0x0000029222CCA000-memory.dmp
memory/4704-185-0x0000029226B50000-0x0000029226B72000-memory.dmp
memory/4704-186-0x0000029227FC0000-0x00000292284E8000-memory.dmp
memory/4704-190-0x0000029222D40000-0x0000029222D90000-memory.dmp
memory/4704-189-0x00000292222B0000-0x00000292222C0000-memory.dmp
memory/4704-191-0x0000029222CD0000-0x0000029222CDC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\JDGCGHCGHC.exe
| MD5 | fe380780b5c35bd6d54541791151c2be |
| SHA1 | 7fe3a583cf91474c733f85cebf3c857682e269e1 |
| SHA256 | b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53 |
| SHA512 | ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c |
memory/5000-198-0x0000000000400000-0x0000000000866000-memory.dmp
memory/4164-199-0x0000000000230000-0x0000000000250000-memory.dmp
memory/4164-200-0x0000000072580000-0x0000000072D30000-memory.dmp
memory/4164-202-0x00000000023C0000-0x00000000023D0000-memory.dmp
memory/4164-205-0x0000000072580000-0x0000000072D30000-memory.dmp
memory/4704-206-0x0000029222D90000-0x0000029222DB2000-memory.dmp
memory/4704-207-0x0000029222D20000-0x0000029222D3E000-memory.dmp
memory/4704-209-0x00007FFCBC9A0000-0x00007FFCBD461000-memory.dmp
memory/4704-210-0x00000292222B0000-0x00000292222C0000-memory.dmp
memory/4704-211-0x00000292222B0000-0x00000292222C0000-memory.dmp
memory/4704-212-0x00000292222B0000-0x00000292222C0000-memory.dmp
memory/4704-213-0x00000292222B0000-0x00000292222C0000-memory.dmp
memory/4704-214-0x00000292222B0000-0x00000292222C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 12:34
Reported
2024-04-03 12:37
Platform
win11-20240221-en
Max time kernel
132s
Max time network
133s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
ZGRat
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe
"C:\Users\Admin\AppData\Local\Temp\2de6b8b10f8e9eeae7e1918b8ce2e6a04ef3b5ca0956cae9acfad2d883a1a333.exe"
C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe"
C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4948 -ip 4948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1040
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 2452
C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe
"C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Network
| Country | Destination | Domain | Proto |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| FR | 185.93.2.251:443 | download.iolo.net | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
Files
memory/4948-1-0x00000000009A0000-0x0000000000AA0000-memory.dmp
memory/4948-2-0x00000000026E0000-0x000000000274C000-memory.dmp
memory/4948-3-0x0000000000400000-0x0000000000889000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe
| MD5 | 9105a03d2ead89d612c53f1dc322eb9e |
| SHA1 | af3d72c0f399ba16b678910e21eb04e8e6122bee |
| SHA256 | c975efca05f5c6f2abc2491a6f8d3d498438622d045c7370bf6d68a53e0241a7 |
| SHA512 | 4dd290c0ce5fd4414600f3c869a6ee6fba2c7b8ec856d6aed0dffb17253eb0c37b4945d2c5881d1fc40547c8f1b1ef22e63fce229ebfc19022e44b8ee87b2fcf |
memory/4404-13-0x0000000000A90000-0x0000000000B90000-memory.dmp
memory/4404-14-0x00000000009D0000-0x00000000009F7000-memory.dmp
memory/4404-15-0x0000000000400000-0x0000000000866000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/4212-26-0x0000000002870000-0x0000000002871000-memory.dmp
memory/4948-27-0x0000000000400000-0x0000000000889000-memory.dmp
memory/4948-37-0x00000000026E0000-0x000000000274C000-memory.dmp
memory/4404-38-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/4404-128-0x0000000000400000-0x0000000000866000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/4212-134-0x0000000000400000-0x00000000008AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KEBKJDBAAK.exe
| MD5 | fe380780b5c35bd6d54541791151c2be |
| SHA1 | 7fe3a583cf91474c733f85cebf3c857682e269e1 |
| SHA256 | b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53 |
| SHA512 | ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c |
memory/3780-143-0x0000000000DD0000-0x0000000000DF0000-memory.dmp
memory/3780-144-0x0000000071C80000-0x0000000072431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | d823a7ed09a4edc565871aa3211fa946 |
| SHA1 | 719bbdec2c5800a3802c8e91a211ae104022454e |
| SHA256 | cba0455c183b857060ace176c34c422bafb1c583718e84b89929347b3629eb1c |
| SHA512 | 0f7caa12f18938a45ee9be627be954b05ebf7c28213ccb8058676a752ac7f79049548e00763b31347c89c55d9ff34dd4e864e95026b5b96014b2397ce69cabc4 |
memory/4404-152-0x0000000000400000-0x0000000000866000-memory.dmp
memory/4404-153-0x0000000000A90000-0x0000000000B90000-memory.dmp
memory/3780-155-0x0000000005710000-0x0000000005720000-memory.dmp
memory/3780-157-0x0000000071C80000-0x0000000072431000-memory.dmp
memory/4212-160-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/1012-161-0x00007FFC9A640000-0x00007FFC9B102000-memory.dmp
memory/1012-162-0x000002A3C0F40000-0x000002A3C4838000-memory.dmp
memory/1012-163-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp
memory/1012-164-0x000002A3DEFE0000-0x000002A3DF0F0000-memory.dmp
memory/1012-165-0x000002A3C6450000-0x000002A3C6460000-memory.dmp
memory/1012-166-0x000002A3DECF0000-0x000002A3DECFC000-memory.dmp
memory/1012-167-0x000002A3DECE0000-0x000002A3DECF4000-memory.dmp
memory/1012-168-0x000002A3DED50000-0x000002A3DED74000-memory.dmp
memory/1012-169-0x000002A3DED80000-0x000002A3DED8A000-memory.dmp
memory/1012-170-0x000002A3DF2E0000-0x000002A3DF392000-memory.dmp
memory/1012-171-0x000002A3DF0F0000-0x000002A3DF11A000-memory.dmp
memory/1012-172-0x000002A3DF390000-0x000002A3DF40A000-memory.dmp
memory/1012-173-0x000002A3DF120000-0x000002A3DF182000-memory.dmp
memory/1012-174-0x000002A3DF490000-0x000002A3DF506000-memory.dmp
memory/1012-175-0x000002A3C65F0000-0x000002A3C65FA000-memory.dmp
memory/1012-179-0x000002A3DF510000-0x000002A3DF810000-memory.dmp
memory/1012-181-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp
memory/1012-182-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp
memory/1012-184-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp
memory/1012-183-0x000002A3E38F0000-0x000002A3E38F8000-memory.dmp
memory/1012-185-0x000002A3E3870000-0x000002A3E38A8000-memory.dmp
memory/1012-186-0x000002A3E3840000-0x000002A3E384E000-memory.dmp
memory/1012-187-0x000002A3E41D0000-0x000002A3E41DA000-memory.dmp
memory/1012-188-0x000002A3E41E0000-0x000002A3E4202000-memory.dmp
memory/1012-189-0x000002A3E4730000-0x000002A3E4C58000-memory.dmp
memory/1012-192-0x000002A3E3FA0000-0x000002A3E3FF0000-memory.dmp
memory/1012-194-0x000002A3E3F50000-0x000002A3E3F5C000-memory.dmp
memory/1012-193-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp
memory/1012-195-0x000002A3E3FF0000-0x000002A3E4012000-memory.dmp
memory/1012-196-0x000002A3E4020000-0x000002A3E403E000-memory.dmp
memory/1012-198-0x00007FFC9A640000-0x00007FFC9B102000-memory.dmp
memory/1012-199-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp
memory/1012-200-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp
memory/1012-201-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp
memory/1012-202-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp
memory/1012-203-0x000002A3DEEB0000-0x000002A3DEEC0000-memory.dmp