Malware Analysis Report

2025-06-15 20:06

Sample ID 240515-mnqweadf24
Target 03750c25185f729355e52cf86c433756997d72042bf3a705abf6a3e45e671012
SHA256 03750c25185f729355e52cf86c433756997d72042bf3a705abf6a3e45e671012
Tags
agenttesla execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03750c25185f729355e52cf86c433756997d72042bf3a705abf6a3e45e671012

Threat Level: Known bad

The file 03750c25185f729355e52cf86c433756997d72042bf3a705abf6a3e45e671012 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 10:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 10:36

Reported

2024-05-15 10:39

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2040 set thread context of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Enumerates physical storage devices

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2040 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2040 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2040 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2040 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2040 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2040 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe

"C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClBZCJCLlsf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ClBZCJCLlsf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

memory/2040-0-0x000000007492E000-0x000000007492F000-memory.dmp

memory/2040-1-0x0000000000FA0000-0x0000000001058000-memory.dmp

memory/2040-2-0x0000000074920000-0x000000007500E000-memory.dmp

memory/2040-3-0x0000000000410000-0x0000000000430000-memory.dmp

memory/2040-4-0x0000000000450000-0x0000000000460000-memory.dmp

memory/2040-5-0x00000000004A0000-0x00000000004B6000-memory.dmp

memory/2040-6-0x0000000005230000-0x00000000052B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp

MD5 8dc1a1bd72d86709333f810f4f37e95c
SHA1 d53d43a0535beb5cba8ba9b70c072e7029b2fb55
SHA256 67f99432463b533067b71fde430f30aedff1649592621a7024f3cadfe7346f57
SHA512 d3a359565d42a0821cffba882a80206a79c939fa9dca3d01619fece64ae39eb2ee75a5304477e189dddd09b9b345e286ab85ef8e4434c92b21f3974569d7f45a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\68FAN50BDL2CXVD7FVIM.temp

MD5 54dbf2b7bfa0d8445c0ed04dcbd2e1cf
SHA1 4c74ae88ba7640cac8a7583496f18cbbf4978369
SHA256 4e1cf062cd828af4367aa130e1235cdef7cf657be2e29ff1fdf63f08989e4045
SHA512 983451675644561af3191bde7789189b36dcd7b09f052a64439f15670ecb33df085d30aeefa27bba625588ecb92556cdd1adbd7c615e0d0d7409c1d1f9e04c87

memory/2392-25-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2392-19-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2392-21-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2392-30-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2392-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2392-28-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2392-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2392-23-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2040-31-0x0000000074920000-0x000000007500E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 10:36

Reported

2024-05-15 10:39

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5096 set thread context of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Enumerates physical storage devices

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5096 wrote to memory of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 5096 wrote to memory of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 5096 wrote to memory of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 5096 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 5096 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 5096 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 5096 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 5096 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 5096 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 5096 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 5096 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 5096 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 5096 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 5096 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 5096 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 5096 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 5096 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe

"C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClBZCJCLlsf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ClBZCJCLlsf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |

Files

memory/5096-0-0x000000007465E000-0x000000007465F000-memory.dmp

memory/5096-1-0x0000000000B10000-0x0000000000BC8000-memory.dmp

memory/5096-2-0x0000000005BD0000-0x0000000006174000-memory.dmp

memory/5096-3-0x0000000005620000-0x00000000056B2000-memory.dmp

memory/5096-4-0x00000000055E0000-0x00000000055EA000-memory.dmp

memory/5096-6-0x0000000005850000-0x00000000058EC000-memory.dmp

memory/5096-5-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/5096-7-0x00000000069F0000-0x0000000006A10000-memory.dmp

memory/5096-8-0x0000000006A30000-0x0000000006A40000-memory.dmp

memory/5096-9-0x0000000006A40000-0x0000000006A56000-memory.dmp

memory/5096-10-0x0000000007100000-0x0000000007184000-memory.dmp

memory/4052-15-0x0000000002C40000-0x0000000002C76000-memory.dmp

memory/4052-17-0x0000000005740000-0x0000000005D68000-memory.dmp

memory/4052-16-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4052-18-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4052-19-0x0000000074650000-0x0000000074E00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp

MD5 6dae49276286b3bf1a4eb0f559ce317a
SHA1 ff1fee9349b4eefb1ecb6ae4239dc567818abe7c
SHA256 d230ffeb0f9401a285a7b61f14553337063aca1a22a23bacac9b2cd534068e2a
SHA512 647b6405e368e5e6f17810cc4fd1a3bc2a1795402f8eb3fe923ed8b6b8a79edbbfb0393280a0cd34d86a2b558cc8fd10d666358958848dece714cddf3f02a950

memory/4796-21-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4796-22-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/5096-23-0x000000007465E000-0x000000007465F000-memory.dmp

memory/4796-27-0x0000000005420000-0x0000000005486000-memory.dmp

memory/4796-26-0x0000000004C80000-0x0000000004CE6000-memory.dmp

memory/4004-28-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gso24qbg.5jp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4052-30-0x0000000005F60000-0x00000000062B4000-memory.dmp

memory/5096-41-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/5096-29-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4796-25-0x0000000004BE0000-0x0000000004C02000-memory.dmp

memory/4796-24-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4052-51-0x0000000006510000-0x000000000652E000-memory.dmp

memory/4052-52-0x0000000006540000-0x000000000658C000-memory.dmp

memory/4796-54-0x0000000070D20000-0x0000000070D6C000-memory.dmp

memory/4796-66-0x0000000006C60000-0x0000000006D03000-memory.dmp

memory/4052-65-0x0000000070D20000-0x0000000070D6C000-memory.dmp

memory/4796-64-0x0000000006BF0000-0x0000000006C0E000-memory.dmp

memory/4796-53-0x0000000006C10000-0x0000000006C42000-memory.dmp

memory/4052-76-0x0000000007E80000-0x00000000084FA000-memory.dmp

memory/4796-77-0x0000000006FC0000-0x0000000006FDA000-memory.dmp

memory/4052-78-0x00000000078B0000-0x00000000078BA000-memory.dmp

memory/4052-79-0x0000000007AC0000-0x0000000007B56000-memory.dmp

memory/4052-80-0x0000000007A40000-0x0000000007A51000-memory.dmp

memory/4052-82-0x0000000007A70000-0x0000000007A7E000-memory.dmp

memory/4052-83-0x0000000007A80000-0x0000000007A94000-memory.dmp

memory/4052-84-0x0000000007B80000-0x0000000007B9A000-memory.dmp

memory/4796-85-0x00000000072E0000-0x00000000072E8000-memory.dmp

memory/4052-89-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4796-88-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4004-90-0x0000000006110000-0x0000000006160000-memory.dmp