Malware Analysis Report

2024-11-30 20:11

Sample ID: 240509-jltyhagb41
Target: bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449
SHA256: bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449
Tags: stealc zgrat discovery rat stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449

Threat Level: Known bad

The file bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449 was found to be: Known bad.

Malicious Activity Summary

stealc zgrat discovery rat stealer

ZGRat

Detect ZGRat V1

Stealc

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-09 07:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 07:45

Reported: 2024-05-09 07:48

Platform: win10v2004-20240426-en

Max time kernel: 138s

Max time network: 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u2ng.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2ng.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2ng.1.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2ng.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2ng.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2ng.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u2ng.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u2ng.0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A (26 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2ng.0.exe N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe C:\Users\Admin\AppData\Local\Temp\u2ng.0.exe (3 identical rows)
PID 3436 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe C:\Users\Admin\AppData\Local\Temp\u2ng.1.exe (3 identical rows)
PID 1436 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\u2ng.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (2 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe

"C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe"

C:\Users\Admin\AppData\Local\Temp\u2ng.0.exe

"C:\Users\Admin\AppData\Local\Temp\u2ng.0.exe"

C:\Users\Admin\AppData\Local\Temp\u2ng.1.exe

"C:\Users\Admin\AppData\Local\Temp\u2ng.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3436 -ip 3436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 1148

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1276

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 228.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 59.128.172.185.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.49:443 download.iolo.net tcp
US 8.8.8.8:53 49.56.244.143.in-addr.arpa udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 148.155.9.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 185.172.128.150:80 tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 185.172.128.150:80 tcp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3436-2-0x0000000004780000-0x00000000047EC000-memory.dmp

memory/3436-1-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

memory/3436-3-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u2ng.0.exe

MD5 9e88e3d67df59d91ac93c667e3123f6d
SHA1 7cf56935426ce91f3d2615c1631f69fdd4bbd6b2
SHA256 902d6d157cdc6f26839d51e169eb02ced9502be81181bfd9d4eabeea9044fe65
SHA512 df9335682f1fccb90df0130bfa6d02b6b4280da2c3e8f877203db0ec9e56f8477528b50de76a2104849c65bfaf2fec62543e4a093d03967effd95aba0e463224

C:\Users\Admin\AppData\Local\Temp\u2ng.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/3436-32-0x0000000000400000-0x0000000002B19000-memory.dmp

memory/3436-35-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3436-34-0x0000000004780000-0x00000000047EC000-memory.dmp

memory/4032-40-0x0000000000400000-0x0000000002AFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 4355306006eb987ff58d61ff7f965c66
SHA1 228f0da4510ce0944fff86bdd7ba00ae73bdf6b6
SHA256 909200b5b1a0b36cb0732f9ee76d92ae4a367ae80bcd1dc8f823bdb99e5945c1
SHA512 736af66ad24bbe20115a67a9827ca5cfc68774f56cfa6f2145fba3015a0dd962820c26983d246db4ec2232958f9a88c7ff5c368d048a7147471479eafc645f05

memory/4032-56-0x0000000000400000-0x0000000002AFE000-memory.dmp

memory/1436-58-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 94b1fee83a5a2626acb3379e808962ca
SHA1 5035cbd3b2444deb138ec1edcf5f2f80b34f24c5
SHA256 3d29ffc65b8d19a6ac0703f2a7b24ac6102b8435b3de126bf597ca59017dd318
SHA512 ea8a169b6fa4e489f1d739b685307d62a25c878303c3855daf2dc38c81965b0bedd303293338d670f8a602e7a54b4354a2cbb35966e1346d51fdbb850ea1beb0

memory/1436-69-0x0000000000400000-0x00000000008AD000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-09 07:45

Reported: 2024-05-09 07:48

Platform: win11-20240426-en

Max time kernel: 149s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u18c.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u18c.1.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u18c.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u18c.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u18c.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u18c.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u18c.0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A (21 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\u18c.0.exe N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe C:\Users\Admin\AppData\Local\Temp\u18c.0.exe (3 identical rows)
PID 1596 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe C:\Users\Admin\AppData\Local\Temp\u18c.1.exe (3 identical rows)
PID 3104 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\u18c.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (2 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe

"C:\Users\Admin\AppData\Local\Temp\bf8483792084de63b9f5e74934aeed7e8aa9de61a1fa89ab518d54367eb70449.exe"

C:\Users\Admin\AppData\Local\Temp\u18c.0.exe

"C:\Users\Admin\AppData\Local\Temp\u18c.0.exe"

C:\Users\Admin\AppData\Local\Temp\u18c.1.exe

"C:\Users\Admin\AppData\Local\Temp\u18c.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1160

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1556 -ip 1556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1208

Network

Country Destination Domain Proto
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 228.128.172.185.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
US 20.157.87.45:80 svc.iolo.com tcp
FR 185.93.2.246:443 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.150:80 tcp
DE 185.172.128.150:80 tcp
DE 185.172.128.150:80 tcp
US 52.111.227.11:443 tcp
DE 185.172.128.150:80 tcp
DE 185.172.128.150:80 tcp

Files

memory/1596-1-0x0000000002D60000-0x0000000002E60000-memory.dmp

memory/1596-2-0x0000000004890000-0x00000000048FC000-memory.dmp

memory/1596-3-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u18c.0.exe

MD5 9e88e3d67df59d91ac93c667e3123f6d
SHA1 7cf56935426ce91f3d2615c1631f69fdd4bbd6b2
SHA256 902d6d157cdc6f26839d51e169eb02ced9502be81181bfd9d4eabeea9044fe65
SHA512 df9335682f1fccb90df0130bfa6d02b6b4280da2c3e8f877203db0ec9e56f8477528b50de76a2104849c65bfaf2fec62543e4a093d03967effd95aba0e463224

memory/1596-7-0x0000000000400000-0x0000000002B19000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u18c.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/1596-35-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1596-34-0x0000000004890000-0x00000000048FC000-memory.dmp

memory/1596-33-0x0000000000400000-0x0000000002B19000-memory.dmp

memory/3104-56-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 dd8dce544d40de13fb6c21d8a2128764
SHA1 aecac66166c65392f410547d6c95d0a46a9b5cc4
SHA256 20837ec38928388d8438d4b995cb731fa45b803cf1147ab517095559e51edaa6
SHA512 4b732a631efd026adf2c9abd5837bd6dbed603a5d4edd177af03e4e563d148de316a88bc070b113ebf26bf11a1050c561685a577550123c76264a242845b02f6

memory/3104-67-0x0000000000400000-0x00000000008AD000-memory.dmp
