Malware Analysis Report

2024-10-19 09:04

Sample ID: 240318-slkjhacc5s
Target: er5thygfd.zip
SHA256: 41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612
Tags: purelogstealer zgrat rat stealer evasion
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612
Threat Level: Known bad

The file er5thygfd.zip was found to be: Known bad.

Malicious Activity Summary

purelogstealer zgrat rat stealer evasion

PureLog Stealer

PureLog Stealer payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect ZGRat V1

ZGRat

Stops running service(s)

Drops file in Drivers directory

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-03-18 15:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-18 15:12
Reported: 2024-03-18 15:18
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (34 identical rows)

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2256 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2256 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

Processes

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

Network

N/A

Files

memory/2256-0-0x0000000000BF0000-0x0000000001338000-memory.dmp

memory/2256-1-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

memory/2256-2-0x000000001B400000-0x000000001B480000-memory.dmp

memory/2256-3-0x000000001B940000-0x000000001C080000-memory.dmp

memory/2256-4-0x000000001C080000-0x000000001C7C0000-memory.dmp

memory/2256-5-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-6-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-8-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-10-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-12-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-14-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-16-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-18-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-20-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-22-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-24-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-26-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-28-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-30-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-32-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-34-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-36-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-38-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-40-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-42-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-44-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-46-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-48-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-50-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-52-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-54-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-56-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-58-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-60-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-62-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-64-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-66-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-68-0x000000001C080000-0x000000001C7BB000-memory.dmp

memory/2256-909-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

memory/2256-938-0x000000001B400000-0x000000001B480000-memory.dmp

memory/2256-939-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2256-940-0x000000001CDC0000-0x000000001D498000-memory.dmp

memory/2256-941-0x0000000000540000-0x000000000058C000-memory.dmp

memory/2256-1002-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-18 15:12
Reported: 2024-03-18 15:18
Platform: win10-20240221-en
Max time kernel: 300s
Max time network: 303s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (34 identical rows)

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2104 created 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE
PID 2104 created 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE
PID 2104 created 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE

ZGRat

rat zgrat

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A

Stops running service(s)

evasion

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3452 set thread context of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2104 set thread context of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\System32\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\sc.exe | N/A
N/A | N/A | C:\Windows\System32\sc.exe | N/A
N/A | N/A | C:\Windows\System32\sc.exe | N/A
N/A | N/A | C:\Windows\System32\sc.exe | N/A
N/A | N/A | C:\Windows\System32\sc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A
N/A | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3452 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 1844 wrote to memory of 2408 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe
PID 1844 wrote to memory of 2408 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe
PID 1844 wrote to memory of 2484 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe
PID 1844 wrote to memory of 2484 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe
PID 1844 wrote to memory of 3720 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe
PID 1844 wrote to memory of 3720 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe
PID 1844 wrote to memory of 864 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe
PID 1844 wrote to memory of 864 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe
PID 1844 wrote to memory of 1864 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe
PID 1844 wrote to memory of 1864 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe
PID 1724 wrote to memory of 4648 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1724 wrote to memory of 4648 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 2104 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\System32\svchost.exe
PID 1724 wrote to memory of 4044 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1724 wrote to memory of 4044 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1724 wrote to memory of 2908 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1724 wrote to memory of 2908 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1724 wrote to memory of 1316 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe
PID 1724 wrote to memory of 1316 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\powercfg.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xmr.2miners.com | udp
DE | 162.19.139.184:12222 | xmr.2miners.com | tcp
US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp

Files

memory/3452-0-0x0000027805E80000-0x00000278065C8000-memory.dmp

memory/3452-1-0x00007FFB50710000-0x00007FFB510FC000-memory.dmp

memory/3452-2-0x0000027806940000-0x0000027806950000-memory.dmp

memory/3452-3-0x0000027820B80000-0x00000278212C0000-memory.dmp

memory/3452-4-0x00000278212C0000-0x0000027821A00000-memory.dmp

memory/3452-5-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-6-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-8-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-10-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-12-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-14-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-16-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-18-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-20-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-22-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-24-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-26-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-28-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-30-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-32-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-34-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-36-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-38-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-40-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-42-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-44-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-46-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-48-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-50-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-52-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-54-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-56-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-58-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-60-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-62-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-64-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-66-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-68-0x00000278212C0000-0x00000278219FB000-memory.dmp

memory/3452-937-0x0000027806960000-0x0000027806961000-memory.dmp

memory/3452-938-0x0000027821A00000-0x00000278220D8000-memory.dmp

memory/3452-939-0x0000027806A20000-0x0000027806A6C000-memory.dmp

memory/3452-944-0x00007FFB50710000-0x00007FFB510FC000-memory.dmp

memory/2104-945-0x0000000140000000-0x0000000140985000-memory.dmp

memory/2104-950-0x0000000140000000-0x0000000140985000-memory.dmp

memory/2332-953-0x0000028D2C610000-0x0000028D2C630000-memory.dmp

memory/2332-958-0x0000028D2C630000-0x0000028D2C650000-memory.dmp

memory/2332-961-0x0000028D2C630000-0x0000028D2C650000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-18 15:12
Reported: 2024-03-18 15:18
Platform: win10v2004-20240226-en
Max time kernel: 315s
Max time network: 319s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (34 identical rows)

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1636 created 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE
PID 1636 created 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE
PID 1636 created 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE

ZGRat

rat zgrat

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A

Stops running service(s)

evasion

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5032 set thread context of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 1636 set thread context of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\System32\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 2304 wrote to memory of 3252 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2304 wrote to memory of 2068 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2304 wrote to memory of 3664 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2304 wrote to memory of 3476 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 2304 wrote to memory of 3228 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4964 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 1636 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Windows\System32\svchost.exe
PID 4964 wrote to memory of 4320 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4964 wrote to memory of 1000 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4964 wrote to memory of 4820 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files


Analysis: behavioral4

Detonation Overview

Submitted

2024-03-18 15:12

Reported

2024-03-18 15:18

Platform

win11-20240221-en

Max time kernel

300s

Max time network

292s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

PureLog Stealer

stealer purelogstealer

PureLog Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5100 created 3356 N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Windows\Explorer.EXE

ZGRat

rat zgrat

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe N/A

Stops running service(s)

evasion

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1448 set thread context of 5100 N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 5100 set thread context of 2212 N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Windows\System32\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
PID 3632 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3632 wrote to memory of 3196 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3632 wrote to memory of 3396 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3632 wrote to memory of 4608 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3632 wrote to memory of 3060 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 5100 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe C:\Windows\System32\svchost.exe
PID 2360 wrote to memory of 480 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2360 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2360 wrote to memory of 2112 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 2360 wrote to memory of 3628 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp

Files
