File name:

2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat

Full analysis: https://app.any.run/tasks/74967352-7e6c-404b-91f9-7ccd8610cbe6
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 21, 2025, 07:52:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
adware
tacticalrmm
rmm-tool
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 7 sections
MD5:

86CDA2825DE5004944B19EF808150134

SHA1:

1F98FA2ABBCEAE4A125C829E6D44E74BE73AC7C6

SHA256:

297CCC323ED63CF6EA7BFC5F1F8797CD85185656A7CFF012262A3DA18777F599

SSDEEP:

98304:kUFz9DJpNS3w+aOhAlh1dh4ZSCTa1NYQau6qO:9Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADWARE has been found (auto)

      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 2272)
      • cmd.exe (PID: 7056)
      • cmd.exe (PID: 5424)
      • net.exe (PID: 424)
      • net.exe (PID: 4476)
      • net.exe (PID: 6220)
      • cmd.exe (PID: 3584)
      • net.exe (PID: 5504)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
      • tacticalagent-v2.9.0-windows-amd64.exe (PID: 536)
      • tacticalagent-v2.9.0-windows-amd64.tmp (PID: 2964)
    • Reads the Windows owner or organization settings

      • tacticalagent-v2.9.0-windows-amd64.tmp (PID: 2964)
    • Starts CMD.EXE for commands execution

      • tacticalagent-v2.9.0-windows-amd64.tmp (PID: 2964)
    • Windows service management via SC.EXE

      • sc.exe (PID: 3964)
      • sc.exe (PID: 6828)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5424)
      • cmd.exe (PID: 2272)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5764)
    • Creates or modifies Windows services

      • tacticalrmm.exe (PID: 1472)
      • tacticalrmm.exe (PID: 3948)
  • INFO

    • Creates files in the program directory

      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
      • tacticalagent-v2.9.0-windows-amd64.tmp (PID: 2964)
      • tacticalrmm.exe (PID: 3948)
    • Checks supported languages

      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
      • tacticalagent-v2.9.0-windows-amd64.exe (PID: 536)
      • tacticalagent-v2.9.0-windows-amd64.tmp (PID: 2964)
      • tacticalrmm.exe (PID: 1472)
      • tacticalrmm.exe (PID: 3948)
    • The sample compiled with english language support

      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
      • tacticalagent-v2.9.0-windows-amd64.tmp (PID: 2964)
    • Reads the computer name

      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
      • tacticalagent-v2.9.0-windows-amd64.tmp (PID: 2964)
      • tacticalrmm.exe (PID: 1472)
      • tacticalrmm.exe (PID: 3948)
    • Reads the machine GUID from the registry

      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
      • tacticalrmm.exe (PID: 3948)
      • tacticalrmm.exe (PID: 1472)
    • Reads the software policy settings

      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
      • tacticalrmm.exe (PID: 1472)
      • slui.exe (PID: 2620)
    • Create files in a temporary directory

      • tacticalagent-v2.9.0-windows-amd64.exe (PID: 536)
      • tacticalagent-v2.9.0-windows-amd64.tmp (PID: 2964)
    • TACTICALRMM has been detected

      • cmd.exe (PID: 3636)
      • tacticalagent-v2.9.0-windows-amd64.tmp (PID: 2964)
      • conhost.exe (PID: 1028)
      • tacticalrmm.exe (PID: 3948)
      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
      • tacticalrmm.exe (PID: 1472)
    • Creates a software uninstall entry

      • tacticalagent-v2.9.0-windows-amd64.tmp (PID: 2964)
    • Reads product name

      • tacticalrmm.exe (PID: 3948)
      • tacticalrmm.exe (PID: 1472)
    • Reads Environment values

      • tacticalrmm.exe (PID: 3948)
      • tacticalrmm.exe (PID: 1472)
    • Application based on Golang

      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
    • Detects GO elliptic curve encryption (YARA)

      • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (PID: 6672)
    • Checks proxy server information

      • slui.exe (PID: 2620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 3
CodeSize: 2520576
InitializedDataSize: 246784
UninitializedDataSize: -
EntryPoint: 0x66fe0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
FileVersionNumber: 2.0.4.0
ProductVersionNumber: 2.0.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: AmidaWare LLC
FileDescription: Tactical RMM Installer
FileVersion: v2.0.4.0
InternalName: rmm.exe
LegalCopyright: Copyright (c) 2022 AmidaWare LLC
OriginalFileName: installer.go
ProductName: Tactical RMM Installer
ProductVersion: v2.0.4.0
No data.
All screenshots are available in the full report
Total processes
172
Monitored processes
37
Malicious processes
3
Suspicious processes
3

Behavior graph

  • start
  • #ADWARE 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe
  • conhost.exe (no specs)
  • tacticalagent-v2.9.0-windows-amd64.exe
  • tacticalagent-v2.9.0-windows-amd64.tmp
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • ping.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • ping.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tacticalrmm.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • tacticalrmm.exe
  • slui.exe
  • 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 424
CMD: net stop tacticalagent
Path: C:\Windows\SysWOW64\net.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 536
CMD: C:\ProgramData\TacticalRMM\tacticalagent-v2.9.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
Path: C:\ProgramData\TacticalRMM\tacticalagent-v2.9.0-windows-amd64.exe
Parent process: 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe
User:
admin
Company:
AmidaWare Inc
Integrity Level:
HIGH
Description:
Tactical RMM Agent Setup
Exit code:
0
Version:
2.9.0.0
Modules
Images
c:\programdata\tacticalrmm\tacticalagent-v2.9.0-windows-amd64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1028
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1180
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1352
CMD: ping 127.0.0.1 -n 2
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1472
CMD: "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.mfisherconsultsllc.com --client-id 1 --site-id 1 --agent-type server --auth 7f171d34a5f35f261bf3f40ee1a6238401c80d1da4759f27474b6f001f476143
Path: C:\Program Files\TacticalAgent\tacticalrmm.exe
Parent process: 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe
User:
admin
Company:
AmidaWare Inc
Integrity Level:
HIGH
Description:
Tactical RMM Agent
Exit code:
1
Version:
v2.9.0.0
Modules
Images
c:\program files\tacticalagent\tacticalrmm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1712
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2272
CMD: "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: tacticalagent-v2.9.0-windows-amd64.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2324
CMD: ping 127.0.0.1 -n 2
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2532
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
12 992
Read events
12 967
Write events
25
Delete events
0

Modification events

(PID) Process: (2964) tacticalagent-v2.9.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.2.2

(PID) Process: (2964) tacticalagent-v2.9.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\TacticalAgent

(PID) Process: (2964) tacticalagent-v2.9.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\TacticalAgent\

(PID) Process: (2964) tacticalagent-v2.9.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: (Default)

(PID) Process: (2964) tacticalagent-v2.9.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (2964) tacticalagent-v2.9.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: Language
Value: english

(PID) Process: (2964) tacticalagent-v2.9.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: DisplayName
Value: Tactical RMM Agent

(PID) Process: (2964) tacticalagent-v2.9.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: DisplayIcon
Value: C:\Program Files\TacticalAgent\tacticalrmm.exe

(PID) Process: (2964) tacticalagent-v2.9.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: UninstallString
Value: "C:\Program Files\TacticalAgent\unins000.exe"

(PID) Process: (2964) tacticalagent-v2.9.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: QuietUninstallString
Value: "C:\Program Files\TacticalAgent\unins000.exe" /SILENT
Executable files
7
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2964
Process: tacticalagent-v2.9.0-windows-amd64.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-QNNMD.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 6672
Process: 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe
Filename: C:\ProgramData\TacticalRMM\tacticalagent-v2.9.0-windows-amd64.exe
Type: executable
MD5: E1001983E08A5FAE85959869C5F87C15
SHA256: ADD9564D2A983A8E257ED1EC3593118B5C0775668A73241FFE64C9F2CE590771

PID: 2964
Process: tacticalagent-v2.9.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\unins000.dat
Type: binary
MD5: D94144B644C8691216B62087C4F3A833
SHA256: EEF8F11088EB93B1E13A7025A610E968676F5DF2F44188D4DE8130202A62717B

PID: 2964
Process: tacticalagent-v2.9.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\is-L8QTQ.tmp
Type: executable
MD5: C266DDF11B15AEDED0BB27115B969ED7
SHA256: 09B8E21734C0CAB5440CD62EC847A97DFEFC3D96DD9E656C40BB3CB55C1589DD

PID: 2964
Process: tacticalagent-v2.9.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\tacticalrmm.exe
Type: executable
MD5: C266DDF11B15AEDED0BB27115B969ED7
SHA256: 09B8E21734C0CAB5440CD62EC847A97DFEFC3D96DD9E656C40BB3CB55C1589DD

PID: 2964
Process: tacticalagent-v2.9.0-windows-amd64.tmp
Filename: C:\Users\admin\AppData\Local\Temp\Setup Log 2025-06-21 #001.txt
Type: text
MD5: 1CCB688A82C7D8853465545547459BC0
SHA256: 63A5AA97D45792305D0EE38DCE813B66BDA0D680527499F138D5482893DD6848

PID: 536
Process: tacticalagent-v2.9.0-windows-amd64.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-JKERG.tmp\tacticalagent-v2.9.0-windows-amd64.tmp
Type: executable
MD5: F7B0A85F1A18F9689015113AA1FA44EE
SHA256: CDF9A208A33E94C5BEC44A613A444AD9D7EDEA4735C0F42E894356EE5C079134

PID: 2964
Process: tacticalagent-v2.9.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\unins000.exe
Type: executable
MD5: 231C790F354DE2EDAA9EE0A38CA3B9B1
SHA256: 156765088D513FE8FC37F2865A25178FB8B79C0C868415E3C2354F96C0B66235

PID: 2964
Process: tacticalagent-v2.9.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\is-97R3P.tmp
Type: executable
MD5: 231C790F354DE2EDAA9EE0A38CA3B9B1
SHA256: 156765088D513FE8FC37F2865A25178FB8B79C0C868415E3C2354F96C0B66235
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
26
DNS requests
10
Threats
9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/amidaware/rmmagent/releases/download/v2.9.0/tacticalagent-v2.9.0-windows-amd64.exe | unknown | - | - | -
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2028 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2028 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 101.99.90.116:443 | https://api.mfisherconsultsllc.com/api/v3/installer/ | unknown | text | 4 b | -
- | - | POST | 400 | 101.99.90.116:443 | https://api.mfisherconsultsllc.com/api/v3/installer/ | unknown | text | 111 b | -
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2028 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2028 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6672 | 2025-06-21_86cda2825de5004944b19ef808150134_cobalt-strike_dosia_frostygoop_hijackloader_luca-stealer_poet-rat_quasar-rat.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
github.com
  • 140.82.121.4
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
objects.githubusercontent.com
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.109.133
whitelisted
api.mfisherconsultsllc.com
  • 101.99.90.116
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 51.116.253.169
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
- | - | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
- | - | Misc activity | ET INFO Request for EXE via GO HTTP Client
- | - | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
- | - | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
No debug info