Malware Analysis Report

2025-06-16 01:18

Sample ID 231207-jh4zashhgk
Target Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
SHA256 ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31
Tags
remcos zgrat remotehost rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31

Threat Level: Known bad

The file Payment Advice-BCS_ECS9522023032900460039_16922_952.exe was found to be: Known bad.

Malicious Activity Summary

remcos zgrat remotehost rat

Remcos

ZGRat

Detect ZGRat V1

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-07 07:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 07:41

Reported

2023-12-07 07:43

Platform

win7-20231025-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Remcos

rat remcos

ZGRat

rat zgrat

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XOXpOFSvB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XOXpOFSvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEC9.tmp"

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

Network

Country Destination Domain Proto
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp

Files

memory/1980-0-0x0000000001200000-0x000000000130A000-memory.dmp

memory/1980-1-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/1980-2-0x00000000005E0000-0x0000000000620000-memory.dmp

memory/1980-3-0x00000000003F0000-0x0000000000404000-memory.dmp

memory/1980-4-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/1980-5-0x00000000005E0000-0x0000000000620000-memory.dmp

memory/1980-6-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1980-7-0x0000000008240000-0x0000000008300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFEC9.tmp

MD5 b0e136f8ea6281d13f08d10f06799ae3
SHA1 70274df5e272effcd14a02fed97e127c8915c463
SHA256 e6de63613a8436294f5c0563756639df9a4312a64b835b7eada3a5ae4058a3d1
SHA512 28ce0d27d755ff0c702d6488e55bdb0e1d807f8a9c338c1a2ce7da53d89761c26dd296901ef7ecee706f692f04b2de64c20b6ce167c9de07b1b0867bfa5f5972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\948YRQV0ENS48FJIVYSM.temp

MD5 fe3a08652c6658b3fba58266e195fcf7
SHA1 e3fe28af62f28231f10ea68764365992d615fb0c
SHA256 7a203df2da067fa2b93101830c52a121017ac0e010fa4af6374920240f743f29
SHA512 41e2532af1c9f2ff17f7598a8e6cddddc3ca9d5abcb22df435d0ffc843dbadd3c7443cfe60ed04b0bd7d90fca25596581a3fafa4e646c80869a6ff13a77952d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 fe3a08652c6658b3fba58266e195fcf7
SHA1 e3fe28af62f28231f10ea68764365992d615fb0c
SHA256 7a203df2da067fa2b93101830c52a121017ac0e010fa4af6374920240f743f29
SHA512 41e2532af1c9f2ff17f7598a8e6cddddc3ca9d5abcb22df435d0ffc843dbadd3c7443cfe60ed04b0bd7d90fca25596581a3fafa4e646c80869a6ff13a77952d7

memory/1980-20-0x0000000000D00000-0x0000000000D06000-memory.dmp

memory/2608-22-0x000000006F890000-0x000000006FE3B000-memory.dmp

memory/1980-21-0x0000000005ED0000-0x0000000005F50000-memory.dmp

memory/2864-23-0x000000006F890000-0x000000006FE3B000-memory.dmp

memory/2608-24-0x00000000023E0000-0x0000000002420000-memory.dmp

memory/2608-25-0x000000006F890000-0x000000006FE3B000-memory.dmp

memory/2864-27-0x0000000001BE0000-0x0000000001C20000-memory.dmp

memory/2964-26-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-29-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-31-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-32-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-34-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-36-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-38-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-40-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2964-44-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1980-46-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/2964-47-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-49-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-50-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-48-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-51-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-52-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2608-54-0x000000006F890000-0x000000006FE3B000-memory.dmp

memory/2864-55-0x000000006F890000-0x000000006FE3B000-memory.dmp

memory/2964-56-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-57-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-58-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-60-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-61-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-62-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-64-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-65-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-66-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-68-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-69-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-70-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-72-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-73-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-74-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-76-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-77-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-78-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-80-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-81-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-82-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-84-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-85-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-86-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-87-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-89-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-90-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-91-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-93-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-94-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2964-95-0x0000000000400000-0x0000000000480000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 07:41

Reported

2023-12-07 07:43

Platform

win10v2004-20231127-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Remcos

rat remcos

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5028 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\schtasks.exe
PID 5028 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\schtasks.exe
PID 5028 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Windows\SysWOW64\schtasks.exe
PID 5028 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
PID 5028 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XOXpOFSvB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XOXpOFSvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp29DA.tmp"

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.252.72.23.in-addr.arpa udp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
US 8.8.8.8:53 122.175.53.84.in-addr.arpa udp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:56932 tcp
US 45.128.234.54:56932 tcp
N/A 127.0.0.1:56932 tcp

Files

memory/5028-0-0x0000000000400000-0x000000000050A000-memory.dmp

memory/5028-1-0x0000000075040000-0x00000000757F0000-memory.dmp

memory/5028-2-0x0000000005420000-0x00000000059C4000-memory.dmp

memory/5028-3-0x0000000004F10000-0x0000000004FA2000-memory.dmp

memory/5028-4-0x0000000005140000-0x0000000005150000-memory.dmp

memory/5028-5-0x00000000050B0000-0x00000000050BA000-memory.dmp

memory/5028-6-0x0000000004910000-0x0000000004924000-memory.dmp

memory/5028-7-0x0000000075040000-0x00000000757F0000-memory.dmp

memory/5028-8-0x0000000005140000-0x0000000005150000-memory.dmp

memory/5028-9-0x00000000049A0000-0x00000000049AC000-memory.dmp

memory/5028-10-0x0000000007EA0000-0x0000000007F60000-memory.dmp

memory/5028-11-0x000000000A2E0000-0x000000000A37C000-memory.dmp

memory/4864-16-0x0000000005240000-0x0000000005276000-memory.dmp

memory/4864-17-0x0000000075040000-0x00000000757F0000-memory.dmp

memory/4864-19-0x00000000058E0000-0x0000000005F08000-memory.dmp

memory/4864-20-0x00000000052A0000-0x00000000052B0000-memory.dmp

memory/4864-18-0x00000000052A0000-0x00000000052B0000-memory.dmp

memory/1428-21-0x0000000075040000-0x00000000757F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp29DA.tmp

MD5 d12bc4d4b295b2f4d420356bfd0da2c0
SHA1 17d589c2831d3cdc77c0819ff1610613a12322ee
SHA256 b02acc7ba3c8a38078a71fa6329cbc410eed8fcdff96a4b7203bd9ea0a7932d9
SHA512 346ca1c47b9d336abf12f1d5483ac51afd339220095a571e1625d8fbb7f5dd2f109d9b61cf27b301bdb9bf9a1fe6272932564758ca8bd1009b290e78620c2bdc

memory/4864-24-0x0000000006080000-0x00000000060E6000-memory.dmp

memory/1428-25-0x0000000005660000-0x00000000056C6000-memory.dmp

memory/1428-23-0x0000000004D10000-0x0000000004D32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohhss5pw.enh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5028-31-0x0000000007D10000-0x0000000007D16000-memory.dmp

memory/5028-36-0x000000000A580000-0x000000000A600000-memory.dmp

memory/4732-47-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-46-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4864-48-0x0000000006210000-0x0000000006564000-memory.dmp

memory/4732-50-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-53-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-55-0x0000000000400000-0x0000000000480000-memory.dmp

memory/5028-54-0x0000000075040000-0x00000000757F0000-memory.dmp

memory/4732-52-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-51-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4864-56-0x0000000006800000-0x000000000681E000-memory.dmp

memory/4864-57-0x0000000006840000-0x000000000688C000-memory.dmp

memory/4864-58-0x00000000052A0000-0x00000000052B0000-memory.dmp

memory/1428-59-0x0000000002530000-0x0000000002540000-memory.dmp

memory/1428-61-0x0000000006C80000-0x0000000006CB2000-memory.dmp

memory/1428-62-0x00000000758F0000-0x000000007593C000-memory.dmp

memory/1428-60-0x000000007F420000-0x000000007F430000-memory.dmp

memory/4864-63-0x00000000758F0000-0x000000007593C000-memory.dmp

memory/1428-74-0x0000000006C60000-0x0000000006C7E000-memory.dmp

memory/4864-84-0x0000000007A20000-0x0000000007AC3000-memory.dmp

memory/4864-64-0x000000007F640000-0x000000007F650000-memory.dmp

memory/4864-85-0x0000000008160000-0x00000000087DA000-memory.dmp

memory/4864-86-0x0000000007B10000-0x0000000007B2A000-memory.dmp

memory/4864-87-0x0000000007B80000-0x0000000007B8A000-memory.dmp

memory/4732-88-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1428-90-0x0000000007280000-0x0000000007316000-memory.dmp

memory/4864-91-0x0000000007D10000-0x0000000007D21000-memory.dmp

memory/1428-92-0x0000000007230000-0x000000000723E000-memory.dmp

memory/4864-93-0x0000000007D50000-0x0000000007D64000-memory.dmp

memory/1428-94-0x0000000007340000-0x000000000735A000-memory.dmp

memory/4864-95-0x0000000007E30000-0x0000000007E38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1428-102-0x0000000075040000-0x00000000757F0000-memory.dmp

memory/4864-101-0x0000000075040000-0x00000000757F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8831e0aeffd24d465e9a8218a963f08
SHA1 89136e81cab114c12ba0a47f634b27f2e29529b7
SHA256 3ca2ceb5b77d5f6c465b2138e9eaff861042f22e8f6b93b1099251b0fa44eef1
SHA512 9baa9a9b9d0543386c9c1bcc3f8d2778f9339976647b89466a29b7045a8c6e48869f0f4df8cadcdc78fe25c233fb19e5ea462b0784f84170c356f070be0c0f81

memory/4732-103-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-104-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-105-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-107-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-108-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-109-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-111-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-112-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-113-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-114-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-116-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-117-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-118-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-120-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-121-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-122-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-124-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-125-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-126-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-128-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-129-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-130-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-132-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-133-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-134-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-136-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-137-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-138-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-140-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-141-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-142-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-144-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-145-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-146-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-148-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-149-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-150-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-152-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-153-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-154-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-156-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-157-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4732-158-0x0000000000400000-0x0000000000480000-memory.dmp