File name:

agent.exe

Full analysis: https://app.any.run/tasks/a5ae52de-a7e9-47d3-b7d8-a7bc611991bc
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 15, 2026, 07:26:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sainbox
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 10 sections
MD5:

9F71F6051DE2164B377C51DD8185C7AE

SHA1:

339BF5D2385101C3BBC45BBBDE22A1E21DA41CC6

SHA256:

22F8C286DBB6B5467BF5C35372E0EA1151958CC8EC9D37BF1DE6240EA9714F68

SSDEEP:

49152:+SZAnAqV+mHUWRHNIPrY0w5YTnOqRQnCTnOqRQnCTnOqRQnCTnOqRQnCTnOqRQnw:VqV+mHU/r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SAINBOX has been detected

      • agent.exe (PID: 2000)
      • agent.exe (PID: 572)
      • netsyncmon.exe (PID: 3416)
      • netsyncmon.exe (PID: 4624)
    • Changes the login/logoff helper path in the registry

      • agent.exe (PID: 572)
      • netsyncmon.exe (PID: 3416)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • agent.exe (PID: 2000)
      • netsyncmon.exe (PID: 3416)
    • Executable content was dropped or overwritten

      • netsyncmon.exe (PID: 3416)
      • agent.exe (PID: 572)
    • Application launched itself

      • agent.exe (PID: 2000)
    • Starts itself from another location

      • agent.exe (PID: 572)
    • Executes as Windows Service

      • netsyncmon.exe (PID: 3416)
  • INFO

    • Reads the machine GUID from the registry

      • agent.exe (PID: 2000)
      • agent.exe (PID: 572)
      • netsyncmon.exe (PID: 3416)
      • netsyncmon.exe (PID: 4624)
    • Reads security settings of Internet Explorer

      • agent.exe (PID: 2000)
      • netsyncmon.exe (PID: 3416)
    • Reads the computer name

      • agent.exe (PID: 2000)
      • agent.exe (PID: 572)
      • netsyncmon.exe (PID: 3416)
      • netsyncmon.exe (PID: 4624)
    • Checks supported languages

      • agent.exe (PID: 2000)
      • agent.exe (PID: 572)
      • netsyncmon.exe (PID: 3416)
      • netsyncmon.exe (PID: 4624)
    • Process checks computer location settings

      • agent.exe (PID: 2000)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:05:15 07:25:53+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.46
CodeSize: 930816
InitializedDataSize: 10989568
UninitializedDataSize: 8704
EntryPoint: 0x1420
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
Total processes: 142
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start
  • #SAINBOX agent.exe (no specs)
  • #SAINBOX agent.exe
  • #SAINBOX netsyncmon.exe (no specs)
  • #SAINBOX netsyncmon.exe
  • mountvol.exe (no specs)
  • conhost.exe (no specs)
  • mountvol.exe (no specs)
  • conhost.exe (no specs)

Process information

PID: 572
CMD: "C:\Users\admin\AppData\Local\Temp\agent.exe"
Path: C:\Users\admin\AppData\Local\Temp\agent.exe
Parent process: agent.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\agent.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll

PID: 2000
CMD: "C:\Users\admin\AppData\Local\Temp\agent.exe"
Path: C:\Users\admin\AppData\Local\Temp\agent.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\agent.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll

PID: 3416
CMD: C:\WINDOWS\system32\netsyncmon.exe
Path: C:\Windows\System32\netsyncmon.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules (images):
  c:\windows\system32\netsyncmon.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ole32.dll

PID: 4624
CMD: "C:\WINDOWS\system32\netsyncmon.exe"
Path: C:\Windows\System32\netsyncmon.exe
Parent process: agent.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\windows\system32\netsyncmon.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll

PID: 4684
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: mountvol.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 7348
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: mountvol.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 7604
CMD: "C:\Windows\System32\mountvol.exe" Z: /S
Path: C:\Windows\System32\mountvol.exe
Parent process: netsyncmon.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Mount Volume Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\mountvol.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll

PID: 7972
CMD: "C:\Windows\System32\mountvol.exe" Z: /D
Path: C:\Windows\System32\mountvol.exe
Parent process: netsyncmon.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Mount Volume Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\mountvol.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
Total events: 1 111
Read events: 1 102
Write events: 8
Delete events: 1

Modification events

Process: agent.exe (PID 572)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Operation: delete key
Name: (default)
Value:

Process: agent.exe (PID 572)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value: explorer.exe

Process: netsyncmon.exe (PID 3416)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Operation: write
Name: GlobalFlag
Value: 512

Process: netsyncmon.exe (PID 3416)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\explorer.exe
Operation: write
Name: ReportingMode
Value: 1

Process: netsyncmon.exe (PID 3416)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\explorer.exe
Operation: write
Name: MonitorProcess
Value: C:\WINDOWS\system32\netsyncmon.exe

Process: netsyncmon.exe (PID 3416)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value: explorer.exe,"C:\WINDOWS\system32\netsyncmon.exe"

Process: netsyncmon.exe (PID 3416)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A2B3C4D}
Operation: write
Name: s
Value: System Security Host

Process: netsyncmon.exe (PID 3416)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A2B3C4D}
Operation: write
Name: m
Value: Global\netsyncmon.exe

Process: netsyncmon.exe (PID 3416)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A2B3C4D}
Operation: write
Name: i
Value: 1
Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 3416
Process: netsyncmon.exe
Filename: \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Boot\winsec.dat
Type: executable
MD5: 9F71F6051DE2164B377C51DD8185C7AE
SHA256: 22F8C286DBB6B5467BF5C35372E0EA1151958CC8EC9D37BF1DE6240EA9714F68

PID: 572
Process: agent.exe
Filename: C:\Windows\System32\netsyncmon.exe
Type: executable
MD5: 9F71F6051DE2164B377C51DD8185C7AE
SHA256: 22F8C286DBB6B5467BF5C35372E0EA1151958CC8EC9D37BF1DE6240EA9714F68
HTTP(S) requests: 16
TCP/UDP connections: 26
DNS requests: 16
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5316 | svchost.exe | POST | 400 | 40.126.31.1:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
5316 | svchost.exe | POST | 400 | 40.126.31.1:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
5316 | svchost.exe | GET | 200 | 23.11.40.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | NL | binary | 471 b | whitelisted
5316 | svchost.exe | POST | 200 | 40.126.31.1:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted
5316 | svchost.exe | POST | 400 | 40.126.31.1:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 200 | 48.209.138.189:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | text | 7.04 Kb | whitelisted
5316 | svchost.exe | POST | 400 | 40.126.31.1:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
5316 | svchost.exe | POST | 400 | 40.126.31.1:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 202 b | whitelisted
5584 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
5584 | svchost.exe | GET | 200 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | text | 5.84 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | Not routed | - | whitelisted
5276 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 128.24.231.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5584 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
5584 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5584 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5584 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
3428 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 48.209.138.189:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
activation-v2.sls.microsoft.com | 128.24.231.64 | whitelisted
google.com | 142.251.20.100, 142.251.20.138, 142.251.20.113, 142.251.20.139, 142.251.20.102, 142.251.20.101 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146, 48.209.138.189 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
login.live.com | 40.126.31.1, 40.126.31.69, 20.190.159.128, 20.190.159.131, 40.126.31.0, 40.126.31.3, 20.190.159.0, 20.190.159.68 | whitelisted
ocsp.digicert.com | 23.11.40.157 | whitelisted
self.events.data.microsoft.com | 20.189.173.27, 20.189.173.10 | whitelisted
officeclient.microsoft.com | 52.110.17.11, 52.110.17.64, 52.110.17.62, 52.110.17.15 | whitelisted

Threats

PID | Process | Class | Message
5584 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)