General Info

File name: order no UOIMM20190830.pdf.z
Full analysis: https://app.any.run/tasks/474e87e1-fb21-478f-a53c-f4e951150dc2
Verdict: Malicious activity
Analysis date: 10/9/2019, 20:15:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: keylogger, agenttesla, evasion, trojan, rat

Indicators:

MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 489ed3838e316e3483bcf2e4152c7fa4
SHA1: 551abdf62d4fe310fe098f7e6a8a78921e3dfa21
SHA256: 09745f677fdebf9f23f710249449178bd7722b8d9b2d6344fec4d120c27aea40
SSDEEP: 12288:fpbHoe1v1tvRaqOHeqPoaE/OUd/rPDNFXOhVn3TwCQRFH:fBoeNjRV/OGTPDNFe/3kR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 180 seconds
Additional time used: 120 seconds
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Activities are grouped by severity (malicious, suspicious, info).

AGENTTESLA was detected
  • order no UOIMM20190830.bat (PID: 3864)
Actions look like stealing of personal data
  • order no UOIMM20190830.bat (PID: 3864)
Application was dropped or rewritten from another process
  • order no UOIMM20190830.bat (PID: 3864)
  • order no UOIMM20190830.bat (PID: 2920)
Suspicious files were dropped or overwritten
  • WinRAR.exe (PID: 2276)
Starts application with an unusual extension
  • WinRAR.exe (PID: 2276)
  • order no UOIMM20190830.bat (PID: 2920)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 2276)
Creates files in the user directory
  • order no UOIMM20190830.bat (PID: 3864)
Reads the cookies of Mozilla Firefox
  • order no UOIMM20190830.bat (PID: 3864)
Connects to SMTP port
  • order no UOIMM20190830.bat (PID: 3864)
Reads the cookies of Google Chrome
  • order no UOIMM20190830.bat (PID: 3864)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
  • .rar | RAR compressed archive (v-4.x) (58.3%)
  • .rar | RAR compressed archive (gen) (41.6%)

EXIF (ZIP)
CompressedSize: 524039
UncompressedSize: 868352
OperatingSystem: Win32
ModifyDate: 2019:10:09 08:42:12
PackingMethod: Normal
ArchivedFileName: order no UOIMM20190830.bat

Processes

Total processes: 35
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

winrar.exe --(drop and start)--> order no uoimm20190830.bat (no specs) --(start)--> order no uoimm20190830.bat (#AGENTTESLA)

Process information

PID: 2276
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\order no UOIMM20190830.pdf.z.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: see Behavior activities above
Parent process: ––
User: admin
Integrity Level: MEDIUM
Version info:
  Company: Alexander Roshal
  Description: WinRAR archiver
  Version: 5.60.0
Modules (Image)
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\acppage.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$dia2276.44281\order no uoimm20190830.bat

PID: 2920
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa2276.44281\order no UOIMM20190830.bat"
Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa2276.44281\order no UOIMM20190830.bat
Indicators: No indicators
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version info:
  Company: apPLE
  Description: COL
  Version: 1.00
Modules (Image)
c:\users\admin\appdata\local\temp\rar$dia2276.44281\order no uoimm20190830.bat
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll

PID: 3864
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa2276.44281\order no UOIMM20190830.bat"
Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa2276.44281\order no UOIMM20190830.bat
Indicators: see Behavior activities above
Parent process: order no UOIMM20190830.bat
User: admin
Integrity Level: MEDIUM
Version info:
  Company: apPLE
  Description: COL
  Version: 1.00
Modules (Image)
c:\systemroot\system32\ntdll.dll
c:\users\admin\appdata\local\temp\rar$dia2276.44281\order no uoimm20190830.bat
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.security\d9a485330ec2708456134e4a9712a4ab\system.security.ni.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll

Registry activity

Total events: 582
Read events: 546
Write events: 36
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
2276 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | ––
2276 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | ––
2276 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
2276 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\order no UOIMM20190830.pdf.z.rar
2276 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2276 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2276 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2276 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2276 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | @C:\Windows\System32\acppage.dll,-6002 | Windows Batch File
2276 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2276 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASAPI32 | EnableFileTracing | 0
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASAPI32 | EnableConsoleTracing | 0
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASAPI32 | FileTracingMask | 4294901760
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASAPI32 | ConsoleTracingMask | 4294901760
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASAPI32 | MaxFileSize | 1048576
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASAPI32 | FileDirectory | %windir%\tracing
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASMANCS | EnableFileTracing | 0
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASMANCS | EnableConsoleTracing | 0
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASMANCS | FileTracingMask | 4294901760
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASMANCS | ConsoleTracingMask | 4294901760
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASMANCS | MaxFileSize | 1048576
3864 | order no UOIMM20190830.bat | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\order no UOIMM20190830_RASMANCS | FileDirectory | %windir%\tracing
3864 | order no UOIMM20190830.bat | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US

Files activity

Executable files: 1
Suspicious files: 2
Text files: 3
Unknown types: 1

Dropped files

PID 2276 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DIa2276.44281\order no UOIMM20190830.bat
  Type: executable
  MD5: afcd9f451fae64120bfff241590b838f
  SHA256: 84eaa33081729b86640ada7cd6c8d01a5640fe2b67c7fa626504b2a1bdf13ceb

PID 3864 (order no UOIMM20190830.bat): C:\Users\admin\AppData\Roaming\g3rhhin3.r4b.zip
  Type: compressed
  MD5: e617504378902af64c6c667c3e1bd48f
  SHA256: b28ca3c3ace7d3f5d2de65649dca886a95de07d408bf411c261e4daa2b4f8d1c

PID 3864 (order no UOIMM20190830.bat): C:\Users\admin\AppData\Roaming\g3rhhin3.r4b\Firefox\Profiles\qldyz51w.default\cookies.sqlite
  Type: ––
  MD5: ––
  SHA256: ––

PID 3864 (order no UOIMM20190830.bat): C:\Users\admin\AppData\Roaming\g3rhhin3.r4b\Chrome\Default\Cookies
  Type: ––
  MD5: ––
  SHA256: ––

PID 3864 (order no UOIMM20190830.bat): C:\Users\admin\AppData\Local\Temp\637062453593347500_cf07c1e4-9d8f-42b0-a711-a361983ed977.db
  Type: sqlite
  MD5: 0b3c43342ce2a99318aa0fe9e531c57b
  SHA256: 0ccb4915e00390685621da3d75ebfd5edadc94155a79c66415a7f4e9763d71b8

PID 2920 (order no UOIMM20190830.bat): C:\Users\admin\AppData\Local\Temp\~DFC1B9FFA080161F7D.TMP
  Type: binary
  MD5: 04c81cf9dccd1492aa33cb7d3dc63b7c
  SHA256: 06408c99c1dd0de7b03297291ecedff1666caa889cf1425d06b125dd613197a5

PID 3864 (order no UOIMM20190830.bat): C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
  Type: text
  MD5: d2a2412bddba16d60ec63bd9550d933f
  SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

PID 2920 (order no UOIMM20190830.bat): C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
  Type: text
  MD5: d2a2412bddba16d60ec63bd9550d933f
  SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 2
Threats: 3

HTTP requests

No HTTP requests.

Connections

PID | Process | IP | ASN | CN | Reputation
3864 | order no UOIMM20190830.bat | 18.214.132.216:80 | –– | US | shared
3864 | order no UOIMM20190830.bat | 198.54.122.60:587 | Namecheap, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
checkip.amazonaws.com | 18.214.132.216, 34.196.181.158, 3.224.145.145, 52.44.169.135, 18.205.71.63, 52.55.255.113 | shared
mail.privateemail.com | 198.54.122.60 | shared

Threats

PID | Process | Class | Message
3864 | order no UOIMM20190830.bat | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check

2 ETPRO signatures available in the full report

Debug output strings

No debug info.