Analysis Overview
SHA256
283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46
Threat Level: Known bad
The file 283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46 was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Stealc
ZGRat
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 07:56
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 07:56
Reported
2024-05-10 07:58
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
134s
Command Line
Signatures
Detect ZGRat V1
Stealc
ZGRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.0.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u1uw.0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u1uw.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u1uw.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46.exe
"C:\Users\Admin\AppData\Local\Temp\283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46.exe"
C:\Users\Admin\AppData\Local\Temp\u1uw.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1uw.0.exe"
C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1008
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1912 -ip 1912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 2000
Network
Files
C:\Users\Admin\AppData\Local\Temp\u1uw.0.exe
| MD5 | adaa7779ccd1879d9466706724ca2974 |
| SHA1 | af546b538b5362ee19131e8d30b633c817417d15 |
| SHA256 | 7109bdc186a84c29affbe2882b747b8c32587ce4e8d4b39e770faa06d94431d8 |
| SHA512 | 96fa1c074b4f268393f17b400711898178ce8479272d5b6ca1405568dbe63cc618b46bfb5b80a8b97a7a796f6d4b60c3727beb2b2a13d7e749b3746b736bff87 |
C:\Users\Admin\AppData\Local\Temp\u1uw.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 5ac800cbbeac6acdd9890a2998b1d772 |
| SHA1 | 71239b6a22f9ea83d3bff3a9a945a3d9a30cc9ce |
| SHA256 | 4cafc2926b716e62d4e3325b3b5db337d58908ae75b5962c422350e68ae18670 |
| SHA512 | 56935713fa96de54fd5f04592ca3d98aba397df980858dab87fa2af820b73d27730df5433b77fe3fc2aacfd5d40ec8853d1fc97262816ed5e06a1896803b5a9f |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 07:56
Reported
2024-05-10 07:58
Platform
win11-20240426-en
Max time kernel
125s
Max time network
128s
Command Line
Signatures
Detect ZGRat V1
Stealc
ZGRat
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46.exe
"C:\Users\Admin\AppData\Local\Temp\283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46.exe"
C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe"
C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4896 -ip 4896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4556 -ip 4556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 2448
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Network
Files
C:\Users\Admin\AppData\Local\Temp\u3s0.0.exe
| MD5 | adaa7779ccd1879d9466706724ca2974 |
| SHA1 | af546b538b5362ee19131e8d30b633c817417d15 |
| SHA256 | 7109bdc186a84c29affbe2882b747b8c32587ce4e8d4b39e770faa06d94431d8 |
| SHA512 | 96fa1c074b4f268393f17b400711898178ce8479272d5b6ca1405568dbe63cc618b46bfb5b80a8b97a7a796f6d4b60c3727beb2b2a13d7e749b3746b736bff87 |
C:\Users\Admin\AppData\Local\Temp\u3s0.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 90ed6cc6bb3774629359976bca7ee6d9 |
| SHA1 | 89aebf09e3dc74bd35047acd8aeffe2e789ab604 |
| SHA256 | 711e140a458402c28ead086b09ded313b051aeea1ecabcb8160f70a2c785c7dc |
| SHA512 | b6f5f439f76541f8a5e464761ccd7fd196e73e1288ec5c1c1248adddcb0af038eba66210b2fbcdfbacb4401d34422978bf38cb0ed795c6350607a240e71501ba |