Malware Analysis Report

2024-11-30 20:07

Sample ID 240509-aj85zafg3v
Target fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b
SHA256 fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b
Tags
stealc zgrat discovery rat stealer
score
10/10

Analysis Overview

score
10/10

SHA256

fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b

Threat Level: Known bad

The file fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b was found to be: Known bad.

Malicious Activity Summary

stealc zgrat discovery rat stealer

Detect ZGRat V1

ZGRat

Stealc

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Program crash

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 00:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 00:15

Reported

2024-05-09 00:20

Platform

win7-20240508-en

Max time kernel

222s

Max time network

229s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ps.0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u1ps.0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u1ps.0.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2224 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u1ps.0.exe
PID 2224 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u1ps.0.exe
PID 2224 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u1ps.0.exe
PID 2224 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u1ps.0.exe
PID 2224 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe
PID 2224 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe
PID 2224 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe
PID 2224 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe
PID 2724 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2724 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2724 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2724 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe

"C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe"

C:\Users\Admin\AppData\Local\Temp\u1ps.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1ps.0.exe"

C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1ps.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

Network

Country | Destination | Domain | Proto
DE | 185.172.128.90:80 | 185.172.128.90 | tcp
DE | 185.172.128.228:80 | 185.172.128.228 | tcp
DE | 185.172.128.59:80 | 185.172.128.59 | tcp
DE | 185.172.128.228:80 | 185.172.128.228 | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | svc.iolo.com | udp
US | 20.157.87.45:80 | svc.iolo.com | tcp
US | 8.8.8.8:53 | download.iolo.net | udp
FR | 143.244.56.49:80 | download.iolo.net | tcp
US | 20.157.87.45:80 | svc.iolo.com | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
DE | 185.172.128.150:80 | | tcp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp

Files

memory/2224-1-0x0000000002C00000-0x0000000002D00000-memory.dmp

memory/2224-2-0x0000000000310000-0x000000000037C000-memory.dmp

memory/2224-3-0x0000000000400000-0x000000000046F000-memory.dmp

\Users\Admin\AppData\Local\Temp\u1ps.0.exe

MD5 816cbc57fc20eb01645497ed35bdeb19
SHA1 3222b725c5031a12b310ef8c1b8bb120b345c80e
SHA256 c15c3a1a771770d1f3a838cdb6d0fcffea562e42d118b37087dd6022fff13c53
SHA512 2bf23ac407844682107c68705e0ac072d7a8767f0c9a8c2bb913cc394e6c85bd22a7024c5253130f4a5b26a083e9518f2d4f21b775da6d2812ab808587aa399e

\Users\Admin\AppData\Local\Temp\u1ps.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/2224-20-0x0000000000400000-0x0000000002B22000-memory.dmp

memory/2224-36-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2224-35-0x0000000000400000-0x0000000002B22000-memory.dmp

memory/1740-37-0x0000000000400000-0x0000000002574000-memory.dmp

memory/2724-61-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 b06095ce1ee6e9cb3190504d65571b54
SHA1 758cdf3ab46f5fbafb7a46bdcad82dc428650ad9
SHA256 c0fe9d4954fe439a6b08360fc4ba6e198113af62580d043528ea5346c8c37f31
SHA512 e95c296293b4e89a45e25e3361ac7d0cace4d3ac33d11a6f6c44167d822af52a53c711919e785b52e32f5ea4c152b9df23d12e9134adc8819b6f28fafeecf3e5

memory/2724-73-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1048-75-0x0000000000880000-0x00000000040B4000-memory.dmp

memory/1048-76-0x000000001EDB0000-0x000000001EEBA000-memory.dmp

memory/1048-77-0x0000000005750000-0x0000000005760000-memory.dmp

memory/1048-78-0x00000000057F0000-0x00000000057FC000-memory.dmp

memory/1048-79-0x0000000005760000-0x0000000005774000-memory.dmp

memory/1048-80-0x000000001E4E0000-0x000000001E504000-memory.dmp

memory/1048-82-0x000000001E6C0000-0x000000001E6CA000-memory.dmp

memory/1048-83-0x000000001E6E0000-0x000000001E70A000-memory.dmp

memory/1048-84-0x000000001EBC0000-0x000000001EC72000-memory.dmp

memory/1048-85-0x0000000000280000-0x000000000028A000-memory.dmp

memory/1048-89-0x000000001FB50000-0x000000001FE50000-memory.dmp

memory/1048-91-0x0000000005990000-0x000000000599A000-memory.dmp

memory/1048-92-0x000000001E4B0000-0x000000001E4BA000-memory.dmp

memory/1048-93-0x000000001F750000-0x000000001F7B2000-memory.dmp

memory/1048-94-0x000000001E4C0000-0x000000001E4E2000-memory.dmp

memory/1048-97-0x000000001EA90000-0x000000001EA9C000-memory.dmp

memory/1048-102-0x0000000005990000-0x000000000599A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\63f93027eed6195cee9d6793abbff365863d6c04fe54f71a30d295ffeacda31a\91bd912025b340bc853f07fbdefcb87b.tmp

MD5 cd727ed386e9b1940b13d18af6f45d1c
SHA1 98d38a0af0e8719e01a1d15c345bad952c96ed7f
SHA256 8149c22314923356b0f4d12f0dc2bebe8cc348724b38285c20fdc58e7cb8c72e
SHA512 89f975aeb61c98fad6eec70381eb47b5b3e819fd12ac8eccb69172f8fdadc1cae79caa484892258cd761244378daec5c8864b0302a5b5aa03f579898f39ff978

memory/1740-114-0x0000000000400000-0x0000000002574000-memory.dmp

memory/1740-123-0x0000000000400000-0x0000000002574000-memory.dmp

memory/1740-127-0x0000000000400000-0x0000000002574000-memory.dmp

memory/1740-136-0x0000000000400000-0x0000000002574000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 00:15

Reported

2024-05-09 00:20

Platform

win10-20240404-en

Max time kernel

294s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4400 wrote to memory of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe
PID 4400 wrote to memory of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe
PID 4400 wrote to memory of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe
PID 4400 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe
PID 4400 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe
PID 4400 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe | C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe
PID 3060 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 3060 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe

"C:\Users\Admin\AppData\Local\Temp\fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b.exe"

C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe"

C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1156

Network

Country | Destination | Domain | Proto
DE | 185.172.128.90:80 | 185.172.128.90 | tcp
US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp
DE | 185.172.128.228:80 | 185.172.128.228 | tcp
DE | 185.172.128.59:80 | 185.172.128.59 | tcp
US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp
DE | 185.172.128.228:80 | 185.172.128.228 | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | 59.128.172.185.in-addr.arpa | udp
US | 8.8.8.8:53 | svc.iolo.com | udp
US | 20.157.87.45:80 | svc.iolo.com | tcp
US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp
US | 8.8.8.8:53 | download.iolo.net | udp
FR | 143.244.56.51:443 | download.iolo.net | tcp
US | 8.8.8.8:53 | 51.56.244.143.in-addr.arpa | udp
US | 20.157.87.45:80 | svc.iolo.com | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp
US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp
US | 8.8.8.8:53 | 150.155.9.20.in-addr.arpa | udp
DE | 185.172.128.150:80 | | tcp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
DE | 185.172.128.150:80 | | tcp
US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp

Files

memory/4400-1-0x0000000002C60000-0x0000000002D60000-memory.dmp

memory/4400-2-0x0000000002BF0000-0x0000000002C5C000-memory.dmp

memory/4400-3-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4400-4-0x0000000000400000-0x0000000002B22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3e8.0.exe

MD5 816cbc57fc20eb01645497ed35bdeb19
SHA1 3222b725c5031a12b310ef8c1b8bb120b345c80e
SHA256 c15c3a1a771770d1f3a838cdb6d0fcffea562e42d118b37087dd6022fff13c53
SHA512 2bf23ac407844682107c68705e0ac072d7a8767f0c9a8c2bb913cc394e6c85bd22a7024c5253130f4a5b26a083e9518f2d4f21b775da6d2812ab808587aa399e

C:\Users\Admin\AppData\Local\Temp\u3e8.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/4400-16-0x0000000002BF0000-0x0000000002C5C000-memory.dmp

memory/4400-17-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4400-15-0x0000000000400000-0x0000000002B22000-memory.dmp

memory/4320-41-0x0000000000400000-0x0000000002574000-memory.dmp

memory/3060-42-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/3060-54-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4320-55-0x0000000000400000-0x0000000002574000-memory.dmp

memory/1732-56-0x0000026236430000-0x0000026239C64000-memory.dmp

memory/1732-57-0x0000026254460000-0x000002625456A000-memory.dmp

memory/1732-59-0x000002623BA60000-0x000002623BA6C000-memory.dmp

memory/1732-58-0x000002623B8A0000-0x000002623B8B0000-memory.dmp

memory/1732-60-0x000002623B8C0000-0x000002623B8D4000-memory.dmp

memory/1732-61-0x00000262542D0000-0x00000262542F4000-memory.dmp

memory/1732-64-0x00000262547A0000-0x0000026254852000-memory.dmp

memory/1732-65-0x00000262548B0000-0x0000026254900000-memory.dmp

memory/1732-63-0x0000026254320000-0x000002625434A000-memory.dmp

memory/1732-66-0x0000026254880000-0x00000262548A2000-memory.dmp

memory/1732-62-0x0000026254300000-0x000002625430A000-memory.dmp

memory/1732-67-0x0000026254310000-0x000002625431A000-memory.dmp

memory/1732-71-0x0000026254C70000-0x0000026254F70000-memory.dmp

memory/1732-73-0x0000026258DE0000-0x0000026258DE8000-memory.dmp

memory/1732-74-0x0000026259C70000-0x0000026259CA8000-memory.dmp

memory/1732-75-0x0000026258E40000-0x0000026258E48000-memory.dmp

memory/1732-78-0x0000026259FF0000-0x000002625A012000-memory.dmp

memory/1732-77-0x0000026259F90000-0x0000026259FF2000-memory.dmp

memory/1732-76-0x0000026259F70000-0x0000026259F7A000-memory.dmp

memory/1732-79-0x000002625A540000-0x000002625AA66000-memory.dmp

memory/1732-82-0x0000026259F80000-0x0000026259F8C000-memory.dmp

memory/1732-83-0x000002625A0D0000-0x000002625A146000-memory.dmp

memory/1732-84-0x000002625A030000-0x000002625A04E000-memory.dmp

memory/4320-88-0x0000000000400000-0x0000000002574000-memory.dmp

memory/4320-90-0x0000000000400000-0x0000000002574000-memory.dmp

memory/4320-92-0x0000000000400000-0x0000000002574000-memory.dmp