Malware Analysis Report

Report date: 2024-11-30 20:06

Sample ID: 240509-ae5xrafd61
Target: f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d
SHA256: f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d
Tags: stealc, zgrat, discovery, rat, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d
Threat Level: Known bad

The file f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d was found to be: Known bad.

Malicious Activity Summary

Tags: stealc, zgrat, discovery, rat, stealer

Detect ZGRat V1
ZGRat
Stealc
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Program crash
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-09 00:08

Signatures

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 00:08
Reported: 2024-05-09 00:13
Platform: win7-20240419-en
Max time kernel: 287s
Max time network: 290s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe"

Signatures

Detect ZGRat V1
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stealc (tags: stealer, stealc)

ZGRat (tags: rat, zgrat)

Downloads MZ/PE file

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1co.0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | N/A

Checks installed software on the system (tags: discovery)

Enumerates physical storage devices

Checks SCSI registry key(s)
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | N/A

Checks processor information in registry
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u1co.0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u1co.0.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 1752 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u1co.0.exe
PID 1752 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u1co.0.exe
PID 1752 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u1co.0.exe
PID 1752 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u1co.0.exe
PID 1752 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe
PID 1752 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe
PID 1752 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe
PID 1752 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe
PID 2640 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2640 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2640 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2640 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\u1co.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe

"C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe"

C:\Users\Admin\AppData\Local\Temp\u1co.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1co.0.exe"

C:\Users\Admin\AppData\Local\Temp\u1co.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1co.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

Network

Country | Destination | Domain | Proto
DE | 185.172.128.90:80 | 185.172.128.90 | tcp
DE | 185.172.128.228:80 | 185.172.128.228 | tcp
DE | 185.172.128.59:80 | 185.172.128.59 | tcp
DE | 185.172.128.228:80 | 185.172.128.228 | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | svc.iolo.com | udp
US | 20.157.87.45:80 | svc.iolo.com | tcp
US | 8.8.8.8:53 | download.iolo.net | udp
FR | 185.93.2.251:80 | download.iolo.net | tcp
US | 20.157.87.45:80 | svc.iolo.com | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp

Files

memory/1752-1-0x0000000000400000-0x0000000002B23000-memory.dmp

\Users\Admin\AppData\Local\Temp\u1co.0.exe

MD5 816cbc57fc20eb01645497ed35bdeb19
SHA1 3222b725c5031a12b310ef8c1b8bb120b345c80e
SHA256 c15c3a1a771770d1f3a838cdb6d0fcffea562e42d118b37087dd6022fff13c53
SHA512 2bf23ac407844682107c68705e0ac072d7a8767f0c9a8c2bb913cc394e6c85bd22a7024c5253130f4a5b26a083e9518f2d4f21b775da6d2812ab808587aa399e

\Users\Admin\AppData\Local\Temp\u1co.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/1752-33-0x0000000000400000-0x0000000002B23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 28c7db1dbeddb75836051eede132b078
SHA1 de05706069f790932238d3da647f7a9f515c0df1
SHA256 16176168324a2a8d177f35845d3b44422f170dde47c0adce3279ce9e7b6ef095
SHA512 9e5f576e76527bdc54bed8cb8e150978850874af1919c1dc4f70fc2053b50a670342d9b127c4dbe2c931bd9269dfd5840885962deb4d346c6ace374db03c69f7

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 c97009ae578183ddaaeb2e08b0ad389f
SHA1 eb3ff1c848451332fa1cac617cf969a783cbc8e1
SHA256 6816905dc255011fd4666673ec89590ea8c9754b8f2709e4e52f459a5be2be13
SHA512 94e849c91b2759a2f1d6af0a51480adf87a86d48274a11e8a228f23490499e1b499fadf10f6399b230202986bb61322c9924626c156c9a5325c3c2ff867ebe43

memory/2444-59-0x0000000000400000-0x0000000002574000-memory.dmp

memory/2640-69-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2904-70-0x0000000000DE0000-0x0000000004614000-memory.dmp

memory/2904-71-0x000000001EEB0000-0x000000001EFBA000-memory.dmp

memory/2904-72-0x00000000005B0000-0x00000000005C0000-memory.dmp

memory/2904-73-0x000000001E010000-0x000000001E01C000-memory.dmp

memory/2904-74-0x0000000000AD0000-0x0000000000AE4000-memory.dmp

memory/2904-75-0x000000001E130000-0x000000001E154000-memory.dmp

memory/2904-77-0x000000001E160000-0x000000001E16A000-memory.dmp

memory/2904-78-0x000000001E210000-0x000000001E23A000-memory.dmp

memory/2904-79-0x000000001EDE0000-0x000000001EE92000-memory.dmp

memory/2904-80-0x0000000000260000-0x000000000026A000-memory.dmp

memory/2904-84-0x000000001FD50000-0x0000000020050000-memory.dmp

memory/2904-86-0x0000000000280000-0x000000000028A000-memory.dmp

memory/2904-87-0x00000000007F0000-0x00000000007FA000-memory.dmp

memory/2904-88-0x000000001E240000-0x000000001E2A2000-memory.dmp

memory/2904-89-0x0000000000AA0000-0x0000000000AC2000-memory.dmp

memory/2904-92-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

memory/2904-98-0x0000000000280000-0x000000000028A000-memory.dmp

memory/2904-97-0x0000000000280000-0x000000000028A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\cb82900d7c0d19605a9c1adc1be5fc0aee77ab3bfdbb4ee40526b56ef2d7a2ce\233e66b09bd94fe0886ed005362d2a26.tmp

MD5 8b2ab52db65998bb7a328ee92c2bafbd
SHA1 e5836f9c94dbf702fd60fb9c84bcae2bdb4b1ebe
SHA256 852bf8fa90883762af60659a52bef265d31ca760235de84900bc53fe267146fc
SHA512 4ccc8849271d63ff177a7682d39f4c8c454742cacb546c205331a1924303e91d4da378f3968e3157674aabb486e7b34f9e3d8585836ca55530f4918694f44fe9

memory/2444-111-0x0000000000400000-0x0000000002574000-memory.dmp

memory/2444-120-0x0000000000400000-0x0000000002574000-memory.dmp

memory/2444-129-0x0000000000400000-0x0000000002574000-memory.dmp

memory/2444-133-0x0000000000400000-0x0000000002574000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-09 00:08
Reported: 2024-05-09 00:13
Platform: win10-20240404-en
Max time kernel: 296s
Max time network: 299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe"

Signatures

Detect ZGRat V1
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stealc (tags: stealer, stealc)

ZGRat (tags: rat, zgrat)

Downloads MZ/PE file

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | N/A

Checks installed software on the system (tags: discovery)

Enumerates physical storage devices

Program crash
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe

Checks SCSI registry key(s)
Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | N/A

Checks processor information in registry
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe | N/A
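Both runs record the same two registry reads: the first dropped payload (u1co.0.exe on Windows 7, u3po.0.exe on Windows 10) queries ProcessorNameString under HARDWARE\DESCRIPTION\System\CentralProcessor\0, and the second payload (u1co.1.exe / u3po.1.exe) opens, queries and enumerates SYSTEM\ControlSet001\Enum\SCSI. The report shows the accesses but not what the samples do with the values. The Python below is an added example, not sandbox output and not the samples' code: it parses the subkey names found under Enum\SCSI (device IDs of the form Disk&Ven_<vendor>&Prod_<product>) together with the CPU string into the small hardware profile that a host fingerprint or a virtual-machine check would draw from these two keys. The SAMPLE_IDS values and the HYPERVISOR_MARKERS list are constructed for illustration and are not taken from the report; on a Windows host, read_live_profile() reads the real keys through winreg, elsewhere it returns None and the constructed values are used.

```python
r"""Added example (not part of the sandbox report): what the two registry
locations recorded in the signatures above yield when read, and how to
parse them. Subkey names under Enum\SCSI are device IDs of the form
Disk&Ven_<vendor>&Prod_<product>; CentralProcessor\0\ProcessorNameString
is the marketing name of the CPU. HYPERVISOR_MARKERS is an assumed list
of vendor/product substrings, not something from the report.
"""
import re
import sys
from dataclasses import dataclass, field

SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"

# Assumed substrings commonly seen in virtual-disk vendor/product strings.
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

# Device-ID layout: <class>&Ven_<vendor>&Prod_<product>[&Rev_...]
_DEVICE_ID = re.compile(
    r"^(?P<class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)", re.I)


@dataclass
class HardwareProfile:
    cpu_name: str
    disks: list = field(default_factory=list)       # (class, vendor, product)
    vm_markers: list = field(default_factory=list)  # markers found in disk IDs


def parse_scsi_ids(device_ids):
    """Turn Enum/SCSI subkey names into (class, vendor, product) tuples;
    names that do not follow the device-ID layout are skipped."""
    parsed = []
    for dev in device_ids:
        m = _DEVICE_ID.match(dev)
        if m:
            parsed.append((m["class"],
                           m["vendor"].replace("_", " ").strip(),
                           m["product"].replace("_", " ").strip()))
    return parsed


def build_profile(cpu_name, device_ids):
    """Combine the two registry reads into one profile and note any
    hypervisor markers present in the disk vendor/product strings."""
    disks = parse_scsi_ids(device_ids)
    markers = sorted({mk for _cls, ven, prod in disks
                      for mk in HYPERVISOR_MARKERS
                      if mk in (ven + prod).upper()})
    return HardwareProfile(cpu_name=cpu_name, disks=disks, vm_markers=markers)


def read_live_profile():
    """Read the same two keys on a Windows host; returns None elsewhere."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as key:
        cpu_name, _ = winreg.QueryValueEx(key, "ProcessorNameString")
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for i in range(subkey_count):
            ids.append(winreg.EnumKey(key, i))
    return build_profile(cpu_name, ids)


# Constructed sample subkey names (not captured from the detonation).
SAMPLE_IDS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
    "Disk&Ven_Samsung&Prod_SSD_860_EVO",
]

if __name__ == "__main__":
    profile = read_live_profile() or build_profile(
        "Intel(R) Core(TM) i7 (constructed)", SAMPLE_IDS)
    print(profile)
```

Run on a Windows analysis host it prints what the sample could have learned from these two keys; on the constructed input it reports two VMware-branded devices and the markers VIRTUAL and VMWARE, which is the kind of signal that distinguishes a sandbox from a victim machine.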

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe | N/A

Suspicious use of AdjustPrivilegeToken
Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 4812 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe
PID 4812 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe
PID 4812 wrote to memory of 4412 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u3po.0.exe
PID 4812 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe
PID 4812 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe
PID 4812 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe
PID 1608 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1608 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\u3po.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe

"C:\Users\Admin\AppData\Local\Temp\f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d.exe"

C:\Users\Admin\AppData\Local\Temp\u3po.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3po.0.exe"

C:\Users\Admin\AppData\Local\Temp\u3po.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3po.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1072

Network

Country | Destination | Domain | Proto
DE | 185.172.128.90:80 | 185.172.128.90 | tcp
DE | 185.172.128.228:80 | 185.172.128.228 | tcp
DE | 185.172.128.59:80 | 185.172.128.59 | tcp
US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp
DE | 185.172.128.228:80 | 185.172.128.228 | tcp
US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.172.185.in-addr.arpa | udp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | svc.iolo.com | udp
US | 20.157.87.45:80 | svc.iolo.com | tcp
US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp
US | 8.8.8.8:53 | download.iolo.net | udp
FR | 185.93.2.251:443 | download.iolo.net | tcp
US | 8.8.8.8:53 | 251.2.93.185.in-addr.arpa | udp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
US | 20.157.87.45:80 | | tcp
US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

memory/4812-1-0x0000000002E30000-0x0000000002F30000-memory.dmp

memory/4812-2-0x0000000002C80000-0x0000000002CEC000-memory.dmp

memory/4812-3-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3po.0.exe

MD5 816cbc57fc20eb01645497ed35bdeb19
SHA1 3222b725c5031a12b310ef8c1b8bb120b345c80e
SHA256 c15c3a1a771770d1f3a838cdb6d0fcffea562e42d118b37087dd6022fff13c53
SHA512 2bf23ac407844682107c68705e0ac072d7a8767f0c9a8c2bb913cc394e6c85bd22a7024c5253130f4a5b26a083e9518f2d4f21b775da6d2812ab808587aa399e

memory/4812-17-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4812-16-0x0000000002C80000-0x0000000002CEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3po.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/4812-12-0x0000000000400000-0x0000000002B23000-memory.dmp

memory/4812-15-0x0000000000400000-0x0000000002B23000-memory.dmp

memory/4412-26-0x0000000000400000-0x0000000002574000-memory.dmp

memory/1608-42-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4412-52-0x0000000000400000-0x0000000002574000-memory.dmp

memory/1608-55-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4468-56-0x0000020B10400000-0x0000020B13C34000-memory.dmp

memory/4468-59-0x0000020B15A70000-0x0000020B15A7C000-memory.dmp

memory/4468-58-0x0000020B15A20000-0x0000020B15A30000-memory.dmp

memory/4468-57-0x0000020B2E4B0000-0x0000020B2E5BA000-memory.dmp

memory/4468-60-0x0000020B15A60000-0x0000020B15A74000-memory.dmp

memory/4468-61-0x0000020B2E2D0000-0x0000020B2E2F4000-memory.dmp

memory/4468-63-0x0000020B2E300000-0x0000020B2E32A000-memory.dmp

memory/4468-64-0x0000020B2E7F0000-0x0000020B2E8A2000-memory.dmp

memory/4468-65-0x0000020B2E8A0000-0x0000020B2E8F0000-memory.dmp

memory/4468-66-0x0000020B2E360000-0x0000020B2E382000-memory.dmp

memory/4468-62-0x0000020B2E2B0000-0x0000020B2E2BA000-memory.dmp

memory/4468-67-0x0000020B15A40000-0x0000020B15A4A000-memory.dmp

memory/4468-71-0x0000020B2E8F0000-0x0000020B2EBF0000-memory.dmp

memory/4468-73-0x0000020B32A40000-0x0000020B32A48000-memory.dmp

memory/4468-75-0x0000020B32AA0000-0x0000020B32AA8000-memory.dmp

memory/4468-74-0x0000020B32AC0000-0x0000020B32AF8000-memory.dmp

memory/4468-76-0x0000020B333D0000-0x0000020B333DA000-memory.dmp

memory/4468-78-0x0000020B33450000-0x0000020B33472000-memory.dmp

memory/4468-77-0x0000020B333F0000-0x0000020B33452000-memory.dmp

memory/4468-79-0x0000020B339A0000-0x0000020B33EC6000-memory.dmp

memory/4468-82-0x0000020B333E0000-0x0000020B333EC000-memory.dmp

memory/4468-83-0x0000020B33530000-0x0000020B335A6000-memory.dmp

memory/4468-85-0x0000020B33490000-0x0000020B334AE000-memory.dmp

memory/4412-88-0x0000000000400000-0x0000000002574000-memory.dmp

memory/4412-90-0x0000000000400000-0x0000000002574000-memory.dmp

memory/4412-92-0x0000000000400000-0x0000000002574000-memory.dmp
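Across the two detonations the dropper wrote its payloads under different random names (u1co.0.exe / u1co.1.exe on Windows 7, u3po.0.exe / u3po.1.exe on Windows 10) but with identical SHA256 values, and in both runs the only HTTP traffic sent straight to an IP address, with no hostname or with the IP itself as the hostname, went to four addresses inside 185.172.128.0/24. The named hosts (svc.iolo.com, download.iolo.net, westus2-2.in.applicationinsights.azure.com) match the iolo System Mechanic installer that u1co.1.exe / u3po.1.exe spawns, as the WriteProcessMemory rows show. The Python below is an added example, not part of the sandbox report: it collapses the dropped files by hash, sorts the network rows into direct-to-IP, DNS, reverse-lookup and named-host buckets, and groups the direct-IP destinations by /24. The DROPPED and NETWORK lists are transcribed by hand from the tables above (NETWORK is a representative subset, not every row); the bucketing is an analyst heuristic, not a verdict from the sandbox.

```python
"""Added example (not part of the sandbox report): consolidate the artefacts
from the two detonations above into one deduplicated IoC set. Input data is
transcribed from the report's Files and Network tables; the endpoint
classification is an analyst heuristic, not sandbox output.
"""
from collections import defaultdict
import ipaddress

# Dropped files as (run, path, sha256), copied from the Files sections.
DROPPED = [
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\u1co.0.exe",
     "c15c3a1a771770d1f3a838cdb6d0fcffea562e42d118b37087dd6022fff13c53"),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\u1co.1.exe",
     "4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\u3po.0.exe",
     "c15c3a1a771770d1f3a838cdb6d0fcffea562e42d118b37087dd6022fff13c53"),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\u3po.1.exe",
     "4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7"),
]

# Network rows as (country, destination, domain, proto); a subset of the tables.
# An empty domain means the report showed no hostname for that connection.
NETWORK = [
    ("DE", "185.172.128.90:80", "185.172.128.90", "tcp"),
    ("DE", "185.172.128.228:80", "185.172.128.228", "tcp"),
    ("DE", "185.172.128.59:80", "185.172.128.59", "tcp"),
    ("DE", "185.172.128.150:80", "", "tcp"),
    ("US", "8.8.8.8:53", "svc.iolo.com", "udp"),
    ("US", "20.157.87.45:80", "svc.iolo.com", "tcp"),
    ("US", "8.8.8.8:53", "download.iolo.net", "udp"),
    ("FR", "185.93.2.251:80", "download.iolo.net", "tcp"),
    ("US", "20.9.155.148:443", "westus2-2.in.applicationinsights.azure.com", "tcp"),
    ("US", "8.8.8.8:53", "90.128.172.185.in-addr.arpa", "udp"),
]


def dedupe_payloads(dropped):
    """Group dropped files by SHA256 so that one payload written under
    several random names across runs becomes a single entry."""
    by_hash = defaultdict(set)
    for _run, path, sha in dropped:
        by_hash[sha].add(path.rsplit("\\", 1)[-1])
    return {sha: sorted(names) for sha, names in by_hash.items()}


def classify_endpoints(rows):
    """Split destinations into: HTTP sent straight to an IP (no hostname, or
    the hostname is the IP itself), resolver queries, reverse lookups
    (sandbox noise), and named hosts."""
    buckets = {"direct_ip": set(), "dns": set(),
               "reverse_lookup": set(), "named": set()}
    for _cc, dest, domain, proto in rows:
        _host, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53":
            target = "reverse_lookup" if domain.endswith(".in-addr.arpa") else "dns"
            buckets[target].add(domain)
            continue
        try:
            ipaddress.ip_address(domain)
            hostname_is_ip = True
        except ValueError:
            hostname_is_ip = False
        if domain == "" or hostname_is_ip:
            buckets["direct_ip"].add(dest)
        else:
            buckets["named"].add(f"{domain} ({dest})")
    return {k: sorted(v) for k, v in buckets.items()}


def shared_prefixes(direct_ips, prefix_len=24):
    """Collapse direct-IP destinations into networks to show whether they
    cluster; for this report all of them fall into 185.172.128.0/24."""
    nets = {ipaddress.ip_network(f"{d.rsplit(':', 1)[0]}/{prefix_len}", strict=False)
            for d in direct_ips}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    for sha, names in dedupe_payloads(DROPPED).items():
        print(sha, "->", ", ".join(names))
    endpoints = classify_endpoints(NETWORK)
    for bucket, items in endpoints.items():
        print(bucket, items)
    print("direct-IP /24s:", shared_prefixes(endpoints["direct_ip"]))
```

The direct-IP bucket is the one worth blocking and hunting on first: those connections carry no hostname to pivot through DNS logs, so proxy or firewall records keyed on destination IP are the place to look, and the /24 grouping gives a single range to watch rather than four addresses.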