Malware Analysis Report

2025-06-16 01:16

Sample ID 231207-jlbrxsbeh6
Target Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
SHA256 ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31
Tags remcos zgrat remotehost rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31

Threat Level: Known bad

The file Payment Advice-BCS_ECS9522023032900460039_16922_952.exe was found to be: Known bad.

Malicious Activity Summary

remcos zgrat remotehost rat

Detect ZGRat V1

Remcos

ZGRat

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-07 07:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-07 07:44
Reported 2023-12-07 07:47
Platform win7-20231023-en
Max time kernel 149s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Remcos

rat remcos

ZGRat

rat zgrat

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1764 wrote to memory of 2744 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2788 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2672 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1764 wrote to memory of 2484 (13 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XOXpOFSvB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XOXpOFSvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8BDB.tmp"

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

Network

Country | Destination | Domain | Proto | Connections
US | 45.128.234.54:56932 | | tcp | 25
N/A | 127.0.0.1:56932 | | tcp | 26

Files

memory/1764-0-0x0000000000D80000-0x0000000000E8A000-memory.dmp

memory/1764-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/1764-2-0x00000000043E0000-0x0000000004420000-memory.dmp

memory/1764-3-0x00000000002D0000-0x00000000002E4000-memory.dmp

memory/1764-4-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/1764-5-0x00000000043E0000-0x0000000004420000-memory.dmp

memory/1764-6-0x00000000002E0000-0x00000000002EC000-memory.dmp

memory/1764-7-0x0000000005D30000-0x0000000005DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8BDB.tmp

MD5 515c05874baad4082d2a53bda7d179fe
SHA1 3b92eb40408a67dc574de6f552979e8eaa7d5b75
SHA256 54251cb2f6fcffbcc0612c1653e12ad0f7467481f3c5f43740e2ed1393a6ff4a
SHA512 1c7ba3689ecf9a861110953aea8cec246b1f31cd6ac215cecada986b5b1cd33d56f109b7df4ca3a5e0ec059c66f7c68d454f776948ae0d1e6c81f169d59d4519

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 474f083a5034e87ba59083011003b2d4
SHA1 29600d1813b7b0576ed56762efcbb0cf7ac4b957
SHA256 c9784a628643639a6166ff207f811ddefb88d77e6badbbb371e14ac93d129acb
SHA512 7f2c755fb2b520ba240ca6acb71b4708ea48888ed32b182600b697164ea811eb0b58fad33221219d3a96d9cd0b7004721b6b713f9f29485d95dd9be0e9c5b239

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RPNHA7S0NBV9HK2BDGXZ.temp

MD5 474f083a5034e87ba59083011003b2d4
SHA1 29600d1813b7b0576ed56762efcbb0cf7ac4b957
SHA256 c9784a628643639a6166ff207f811ddefb88d77e6badbbb371e14ac93d129acb
SHA512 7f2c755fb2b520ba240ca6acb71b4708ea48888ed32b182600b697164ea811eb0b58fad33221219d3a96d9cd0b7004721b6b713f9f29485d95dd9be0e9c5b239

memory/1764-20-0x00000000042A0000-0x00000000042A6000-memory.dmp

memory/1764-21-0x0000000005DF0000-0x0000000005E70000-memory.dmp

memory/2744-22-0x000000006F410000-0x000000006F9BB000-memory.dmp

memory/2788-23-0x000000006F410000-0x000000006F9BB000-memory.dmp

memory/2744-24-0x0000000002530000-0x0000000002570000-memory.dmp

memory/2788-25-0x000000006F410000-0x000000006F9BB000-memory.dmp

memory/2744-26-0x000000006F410000-0x000000006F9BB000-memory.dmp

memory/2788-27-0x00000000026F0000-0x0000000002730000-memory.dmp

memory/2788-28-0x00000000026F0000-0x0000000002730000-memory.dmp

memory/2484-29-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-31-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-33-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-34-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-35-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-36-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-37-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-38-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2484-41-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1764-43-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2484-44-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2788-46-0x00000000026F0000-0x0000000002730000-memory.dmp

memory/2744-45-0x0000000002530000-0x0000000002570000-memory.dmp

memory/2484-47-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-49-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-48-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-50-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-51-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2744-54-0x000000006F410000-0x000000006F9BB000-memory.dmp

memory/2788-53-0x000000006F410000-0x000000006F9BB000-memory.dmp

memory/2484-55-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-56-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-58-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-59-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-60-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-61-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-63-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-64-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-65-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-67-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-68-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-69-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-71-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-72-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-73-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-75-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-76-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-77-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-79-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-80-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-81-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-82-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-84-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-85-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-86-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-88-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-89-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-90-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-92-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-93-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-94-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-96-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-97-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2484-98-0x0000000000400000-0x0000000000480000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-07 07:44
Reported 2023-12-07 07:47
Platform win10v2004-20231130-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Remcos

rat remcos

ZGRat

rat zgrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4432 wrote to memory of 2420 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 2680 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 4460 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4432 wrote to memory of 1012 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XOXpOFSvB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XOXpOFSvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6F3.tmp"

C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"

Network

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp | 2
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp | 1
US | 45.128.234.54:56932 | | tcp | 19
N/A | 127.0.0.1:56932 | | tcp | 19
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp | 1

Files

memory/4432-0-0x0000000000250000-0x000000000035A000-memory.dmp

memory/4432-1-0x0000000075250000-0x0000000075A00000-memory.dmp

memory/4432-2-0x0000000005360000-0x0000000005904000-memory.dmp

memory/4432-3-0x0000000004DB0000-0x0000000004E42000-memory.dmp

memory/4432-4-0x0000000005010000-0x0000000005020000-memory.dmp

memory/4432-5-0x0000000004D40000-0x0000000004D4A000-memory.dmp

memory/4432-6-0x00000000047B0000-0x00000000047C4000-memory.dmp

memory/4432-7-0x0000000075250000-0x0000000075A00000-memory.dmp

memory/4432-8-0x0000000005010000-0x0000000005020000-memory.dmp

memory/4432-9-0x0000000004840000-0x000000000484C000-memory.dmp

memory/4432-10-0x00000000062E0000-0x00000000063A0000-memory.dmp

memory/4432-11-0x000000000A110000-0x000000000A1AC000-memory.dmp

memory/2420-17-0x0000000075250000-0x0000000075A00000-memory.dmp

memory/2420-18-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/2420-16-0x00000000027B0000-0x00000000027E6000-memory.dmp

memory/2420-19-0x0000000005380000-0x00000000059A8000-memory.dmp

memory/2680-20-0x0000000075250000-0x0000000075A00000-memory.dmp

memory/2680-21-0x0000000002A30000-0x0000000002A40000-memory.dmp

memory/2680-22-0x0000000002A30000-0x0000000002A40000-memory.dmp

memory/2420-23-0x0000000004FF0000-0x0000000005012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF6F3.tmp

MD5 7be95a3a75d29579a17360ea5d3415fe
SHA1 3a58c8663d66fde3a28129cada92e147b59cc0dd
SHA256 e52c89eaa1635bc0641699a4ed67132fcb1ee454fa32d0f46ddb0d6b97c3ac2c
SHA512 3380d66d9d0d5beea73527e738b298dd8075f86ffd1eedcb7bc650273c928aa9255587cb615f84e0b85ea2e7418f9a560615315e8ce435c30c397952b6443dd5

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uphijcha.zjj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2420-35-0x0000000005C00000-0x0000000005C66000-memory.dmp

memory/2420-25-0x0000000005A20000-0x0000000005A86000-memory.dmp

memory/4432-45-0x000000000A0B0000-0x000000000A0B6000-memory.dmp

memory/2680-46-0x0000000005A90000-0x0000000005DE4000-memory.dmp

memory/1012-49-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-48-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-51-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-52-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2420-55-0x00000000060A0000-0x00000000060BE000-memory.dmp

memory/1012-54-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4432-53-0x0000000075250000-0x0000000075A00000-memory.dmp

memory/1012-56-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2420-57-0x0000000006620000-0x000000000666C000-memory.dmp

memory/4432-47-0x0000000006010000-0x0000000006090000-memory.dmp

memory/2420-72-0x0000000006600000-0x000000000661E000-memory.dmp

memory/2680-67-0x0000000073D20000-0x0000000073D6C000-memory.dmp

memory/2680-59-0x0000000006FD0000-0x0000000007002000-memory.dmp

memory/2420-73-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/2680-83-0x0000000007210000-0x00000000072B3000-memory.dmp

memory/2680-84-0x0000000002A30000-0x0000000002A40000-memory.dmp

memory/2420-61-0x0000000073D20000-0x0000000073D6C000-memory.dmp

memory/2680-60-0x000000007F020000-0x000000007F030000-memory.dmp

memory/2420-85-0x0000000075250000-0x0000000075A00000-memory.dmp

memory/2420-58-0x000000007F330000-0x000000007F340000-memory.dmp

memory/2680-86-0x0000000002A30000-0x0000000002A40000-memory.dmp

memory/2680-88-0x0000000007970000-0x0000000007FEA000-memory.dmp

memory/2420-89-0x0000000007440000-0x000000000744A000-memory.dmp

memory/2420-87-0x00000000073D0000-0x00000000073EA000-memory.dmp

memory/2420-90-0x0000000007650000-0x00000000076E6000-memory.dmp

memory/2680-91-0x0000000007530000-0x0000000007541000-memory.dmp

memory/2420-94-0x0000000007710000-0x000000000772A000-memory.dmp

memory/2420-95-0x00000000076F0000-0x00000000076F8000-memory.dmp

memory/2420-93-0x0000000007610000-0x0000000007624000-memory.dmp

memory/2680-92-0x0000000007560000-0x000000000756E000-memory.dmp

memory/2680-99-0x0000000075250000-0x0000000075A00000-memory.dmp

memory/2420-98-0x0000000075250000-0x0000000075A00000-memory.dmp

memory/1012-100-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-102-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-103-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-104-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-106-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-107-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-108-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-110-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-111-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-112-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-114-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-115-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-116-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-118-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-119-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-120-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-122-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-123-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-124-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-126-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-127-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-128-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-130-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-131-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-132-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-134-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-135-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-136-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-138-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-139-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-140-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-142-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-143-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-144-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-146-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-147-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-148-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-150-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-151-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-152-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-154-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-155-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1012-156-0x0000000000400000-0x0000000000480000-memory.dmp