Malware Analysis Report

2024-10-19 09:04

Sample ID 240318-ta3flscd76
Target er5thygfd.zip
SHA256 41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612
Tags
purelogstealer zgrat rat stealer evasion
score
10/10

Analysis Overview

score
10/10

SHA256

41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612

Threat Level: Known bad

The file er5thygfd.zip was found to be: Known bad.

Analyst note: the family tags (PureLog Stealer, ZGRat) come from YARA matches on the dropped loader EdUpdMachine.exe; what the Windows 10 run (behavioral2) actually records is a cryptominer deployment. The loader hollows a copy of itself (WriteProcessMemory plus SetThreadContext from PID 1456 into PID 4456), and that copy creates svchost.exe (PID 448) with Explorer.EXE declared as its parent and injects into it. The injected svchost.exe requests SeLockMemoryPrivilege, the privilege needed for large-page allocations, and connects to xmr.2miners.com on TCP port 12222, a public Monero mining pool. Alongside it, cmd.exe runs sc stop against the Windows Update services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc) and zeroes the standby and hibernate timeouts with powercfg so the host never sleeps, and the sample writes C:\Windows\System32\drivers\etc\hosts. The Windows 7 run (behavioral1) shows only repeated self-injection and makes no network connections.

Malicious Activity Summary

purelogstealer zgrat rat stealer evasion

PureLog Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

Detect ZGRat V1

PureLog Stealer payload

Drops file in Drivers directory

Stops running service(s)

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

No technique mapping was captured in this copy of the report.

Analysis: static1

Detonation Overview

Reported

2024-03-18 15:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 15:52

Reported

2024-03-18 15:54

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
(34 matches recorded; no description, indicator, process or target fields populated)

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 1312 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2168 wrote to memory of 1276 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2168 wrote to memory of 2636 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2168 wrote to memory of 2056 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2168 wrote to memory of 804 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2168 wrote to memory of 2680 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2168 wrote to memory of 1260 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2168 wrote to memory of 2604 (1 write) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

Processes

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe (20 further instances, no command line recorded)

Network

N/A

Files

memory/2168-1-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

memory/2168-0-0x00000000011A0000-0x00000000018E8000-memory.dmp

memory/2168-2-0x000000001AD10000-0x000000001AD90000-memory.dmp

memory/2168-3-0x000000001B660000-0x000000001BDA0000-memory.dmp

memory/2168-4-0x000000001BE10000-0x000000001C550000-memory.dmp

memory/2168-5-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-6-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-8-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-10-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-12-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-14-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-16-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-18-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-20-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-22-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-24-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-26-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-28-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-30-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-32-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-34-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-36-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-38-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-40-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-42-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-44-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-46-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-48-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-50-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-52-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-54-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-56-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-58-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-60-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-62-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-64-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-66-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-68-0x000000001BE10000-0x000000001C54B000-memory.dmp

memory/2168-937-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2168-938-0x000000001C800000-0x000000001CED8000-memory.dmp

memory/2168-939-0x0000000001150000-0x000000000119C000-memory.dmp

memory/2168-1000-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 15:52

Reported

2024-03-18 15:54

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description Indicator Process Target
(34 matches recorded; no description, indicator, process or target fields populated)

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4456 created 3384 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Windows\Explorer.EXE

The sandbox wording means that PID 4456 created a new process while declaring PID 3384 (Explorer.EXE) as its parent, so the child does not appear under EdUpdMachine.exe in a parent-PID based process tree. The svchost.exe (PID 448) that PID 4456 later writes to and sets a thread context in, listed below, is consistent with being that child.

ZGRat

rat zgrat

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe N/A

Stops running service(s)

evasion

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1456 set thread context of 4456 N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 4456 set thread context of 448 N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Windows\System32\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe N/A (6 events)
N/A N/A C:\Windows\System32\svchost.exe N/A (58 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 4456 (15 writes) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 4412 wrote to memory of 1756 (2 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4412 wrote to memory of 1604 (2 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4412 wrote to memory of 3368 (2 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4412 wrote to memory of 1368 (2 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4412 wrote to memory of 1992 (2 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4456 wrote to memory of 448 (1 write) N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Windows\System32\svchost.exe
PID 5000 wrote to memory of 4112 (2 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5000 wrote to memory of 4756 (2 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5000 wrote to memory of 968 (2 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5000 wrote to memory of 4452 (2 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
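The following Python is an added example, not code from the sandbox, the report, or the sample. It correlates the behavioral2 signals above (WriteProcessMemory plus SetThreadContext into a process the writer created, parent-PID spoofing, sc stop of update services, powercfg timeouts zeroed, a hosts-file write, and a pool connection from the injected process) into the chain an analyst reconstructs by hand from the separate signature tables. The EVENTS list is constructed from the rows on this page; the parent of the two cmd.exe instances and the PID that wrote the hosts file are assumptions, since the report does not record them, and the mining-pool hostname pattern is a heuristic rather than a curated pool list.

```python
"""Correlate sandbox-style events into the injection and miner-setup chain.

Added example; not code from the sandbox, the report, or the sample. EVENTS
is constructed by hand to mirror the behavioral2 run: PIDs, images, command
lines and the pool connection come from the report, while the parent of the
two cmd.exe instances and the PID that wrote the hosts file are assumptions.
"""
import re

EDUPD = r"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = 3384  # Explorer.EXE in behavioral2

EVENTS = [
    {"type": "process", "pid": 1456, "ppid": EXPLORER, "creator": EXPLORER, "image": EDUPD},
    {"type": "process", "pid": 4456, "ppid": 1456, "creator": 1456, "image": EDUPD},
    {"type": "write", "src": 1456, "dst": 4456},
    {"type": "setctx", "src": 1456, "dst": 4456},
    # svchost.exe created by 4456 but with Explorer.EXE declared as parent.
    {"type": "process", "pid": 448, "ppid": EXPLORER, "creator": 4456, "image": SVCHOST},
    {"type": "write", "src": 4456, "dst": 448},
    {"type": "setctx", "src": 4456, "dst": 448},
    # Parent of both cmd.exe instances is assumed; the report only lists them.
    {"type": "process", "pid": 4412, "ppid": 4456, "creator": 4456, "image": CMD,
     "cmd": CMD + " /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv"
                  " & sc stop bits & sc stop dosvc"},
    {"type": "process", "pid": 5000, "ppid": 4456, "creator": 4456, "image": CMD,
     "cmd": CMD + " /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0"
                  " & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"},
    {"type": "file", "pid": 4456, "path": r"C:\Windows\System32\drivers\etc\hosts"},  # writer PID assumed
    {"type": "net", "pid": 448, "dst": "162.19.139.184", "port": 12222, "domain": "xmr.2miners.com"},
]

UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
SC_STOP = re.compile(r"\bsc\s+stop\s+(\S+)", re.I)
POWERCFG_ZERO = re.compile(r"\bpowercfg\s+/x\s+-((?:hibernate|standby)-timeout-(?:ac|dc))\s+0\b", re.I)
# Hostname heuristic for mining pools; a production rule would use a curated pool list instead.
POOL_HOST = re.compile(r"(^|\.)(xmr|monero|pool)[.-]|2miners\.com$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_hollowing(events):
    """(src, dst, dst_image) where src created dst, wrote to it, and reset one of its threads."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    wrote = {(e["src"], e["dst"]) for e in events if e["type"] == "write"}
    ctx = {(e["src"], e["dst"]) for e in events if e["type"] == "setctx"}
    return [(src, dst, procs[dst]["image"]) for src, dst in sorted(wrote & ctx)
            if dst in procs and procs[dst]["creator"] == src]


def find_ppid_spoofing(events):
    """(pid, real creator, declared parent) for processes whose parent was spoofed."""
    return [(e["pid"], e["creator"], e["ppid"]) for e in events
            if e["type"] == "process" and e["creator"] != e["ppid"]]


def find_update_services_stopped(events):
    """Windows Update related services stopped via 'sc stop'."""
    found = {svc for e in events for svc in SC_STOP.findall(e.get("cmd", ""))
             if svc.lower() in UPDATE_SERVICES}
    return sorted(found, key=str.lower)


def find_sleep_disabled(events):
    """powercfg timeouts zeroed, which keeps the host awake around the clock."""
    return [t for e in events for t in POWERCFG_ZERO.findall(e.get("cmd", ""))]


def find_pool_connections(events):
    return [(e["pid"], e["domain"], e["port"]) for e in events
            if e["type"] == "net" and POOL_HOST.search(e["domain"])]


def assess(events):
    """Combine the signals; a pool connection from a hollowed process is the deciding one."""
    hollow = find_hollowing(events)
    injected = {dst for _, dst, _ in hollow}
    pool_from_injected = [c for c in find_pool_connections(events) if c[0] in injected]
    stopped = find_update_services_stopped(events)
    awake = find_sleep_disabled(events)
    hosts = [e for e in events if e["type"] == "file" and e["path"].lower().endswith(r"\drivers\etc\hosts")]
    reasons = [f"PID {s} hollowed PID {d} ({basename(img)})" for s, d, img in hollow]
    reasons += [f"PID {p} created by {c} but parented to {pp}" for p, c, pp in find_ppid_spoofing(events)]
    if stopped:
        reasons.append("update services stopped: " + ", ".join(stopped))
    if awake:
        reasons.append("sleep/hibernate disabled: " + ", ".join(awake))
    if hosts:
        reasons.append("hosts file written by PID %d" % hosts[0]["pid"])
    reasons += [f"injected PID {p} connected to mining pool {d}:{port}" for p, d, port in pool_from_injected]
    if pool_from_injected:
        verdict = "cryptominer"
    elif hollow or stopped or awake:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    result = assess(EVENTS)
    print(result["verdict"])
    for line in result["reasons"]:
        print(" -", line)
```

The deciding rule is the join between the hollowing chain and the network table: a svchost.exe talking to a pool is suspicious on its own, but a svchost.exe that was written to and had its thread context replaced by a process in %TEMP% and then talks to a pool on a non-standard port is a miner. The update-service and powercfg signals are supporting evidence; on their own they also fire on some administrative scripts, which is why they only raise the verdict to "suspicious".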

Files

memory/1456-0-0x00000210D3EC0000-0x00000210D4608000-memory.dmp

memory/1456-1-0x00007FFDB2610000-0x00007FFDB30D1000-memory.dmp

memory/1456-2-0x00000210D4A00000-0x00000210D4A10000-memory.dmp

memory/1456-3-0x00000210EEB80000-0x00000210EF2C0000-memory.dmp

memory/1456-4-0x00000210EF2C0000-0x00000210EFA00000-memory.dmp

memory/1456-5-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-6-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-8-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-10-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-12-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-14-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-16-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-18-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-20-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-22-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-24-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-26-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-28-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-30-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-32-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-34-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-36-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-38-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-40-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-42-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-44-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-48-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-50-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-46-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-52-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-54-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-56-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-58-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-60-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-62-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-64-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-66-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-68-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp

memory/1456-937-0x00000210D49C0000-0x00000210D49C1000-memory.dmp

memory/1456-938-0x00000210EFA00000-0x00000210F00D8000-memory.dmp

memory/1456-939-0x00000210D4A10000-0x00000210D4A5C000-memory.dmp

memory/1456-943-0x00007FFDB2610000-0x00007FFDB30D1000-memory.dmp

memory/4456-945-0x0000000140000000-0x0000000140985000-memory.dmp

memory/4456-950-0x0000000140000000-0x0000000140985000-memory.dmp

memory/448-951-0x0000023FD5BD0000-0x0000023FD5BF0000-memory.dmp

memory/448-955-0x0000023F80050000-0x0000023F80070000-memory.dmp

memory/448-958-0x0000023F80050000-0x0000023F80070000-memory.dmp