File name: 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39

Full analysis: https://app.any.run/tasks/7bbe40ee-a2f9-4e30-8166-319dd9863c8c
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: March 25, 2025, 06:36:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
netreactor
agenttesla
stealer
ultravnc
rmm-tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 4327A1F7583B29310F313214CDF7CDA7
SHA1: F28E00730C637D93359D11307F31F47F6BFFCE82
SHA256: 8905AC344216311BB18F31E3ACCB0D7FBE6B012C0C17D36003E7E7D277390C39
SSDEEP: 12288:BHyehvcfs3r7hYlkGKSdcfQQ34DzCPM0gRH4QSR+dFAuA5Bi1:BX0fs3vhikGKSi4QoDzCEPRY5+dCuCBc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
    • AGENTTESLA has been detected (YARA)

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 672)
    • Actions look like stealing of personal data

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 672)
    • Steals credentials from Web Browsers

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 672)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
    • Reads security settings of Internet Explorer

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
    • Application launched itself

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
    • Connects to SMTP port

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 672)
  • INFO

    • .NET Reactor protector has been detected

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
    • Reads the computer name

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 672)
    • Creates files or folders in the user directory

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
    • Reads the machine GUID from the registry

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 672)
    • Checks supported languages

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 672)
    • Creates files in a temporary directory

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
    • Process checks computer location settings

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 6872)
    • Reads the software policy settings

      • SIHClient.exe (PID: 5800)
      • slui.exe (PID: 7148)
      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 672)
    • Checks proxy server information

      • slui.exe (PID: 7148)
    • ULTRAVNC has been detected

      • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (PID: 672)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:10:11 01:04:27+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 656896
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0xa2476
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: ChiefMarley
FileDescription: Client-Tracker
FileVersion: 1.0.0.0
InternalName: DynamicPartitionerForIEnumerab.exe
LegalCopyright: Copyright ©ChiefMarley 2010
LegalTrademarks: -
OriginalFileName: DynamicPartitionerForIEnumerab.exe
ProductName: Client-Tracker
ProductVersion: 1.0.0.0
AssemblyVersion: 1.1.0.0
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph (per-process details are in the full report):
  • start
  • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe
  • sihclient.exe
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe (#AGENTTESLA)
  • slui.exe

Process information

PID 672
CMD: "C:\Users\admin\Desktop\8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe"
Path: C:\Users\admin\Desktop\8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe
Parent process: 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe
User: admin
Company: ChiefMarley
Integrity Level: MEDIUM
Description: Client-Tracker
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID 5800
CMD: C:\WINDOWS\System32\sihclient.exe /cv bMPR+8NWlkKIQ6Iy4uX3LA.0.2
Path: C:\Windows\System32\SIHClient.exe
Parent process: upfc.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: SIH Client
Exit code: 2149863430
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sihclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sechost.dll
PID 6184
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 6344
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swkJfqXKXdlOE" /XML "C:\Users\admin\AppData\Local\Temp\tmp7E84.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: 8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 6872
CMD: "C:\Users\admin\Desktop\8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe"
Path: C:\Users\admin\Desktop\8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe
Parent process: explorer.exe
User: admin
Company: ChiefMarley
Integrity Level: MEDIUM
Description: Client-Tracker
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\8905ac344216311bb18f31e3accb0d7fbe6b012c0c17d36003e7e7d277390c39.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID 7148
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 8 949
Read events: 8 949
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 20
Text files: 1
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

5800 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\434E65B61F9D3E2BD9941E4DFA4ED4BB | binary
MD5:42B034CF15D1D2196DD5E751F66D87EF
SHA256:569C861C501821488996A9F7CB4CEAEBAD46A02516AD48DE735309A1D5629833
5800 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C7F163ED126D5C3CB9457F68EC64E9E | binary
MD5:0C1C4AC9177078DBF59AA8E18D4436BB
SHA256:35ADD4C4718BB396147B338B0D8040556118A5814C0C734E432D102A3300B8C2
5800 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary
MD5:8D20D94F43775E772E00BDB63E4E4ABA
SHA256:8ADD567B159AA3EA97B21BFDA7CD668900E682896D6FA031AB832021B6CBDFF4
5800 | SIHClient.exe | C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP2D08.tmp | compressed
MD5:1B6460EE0273E97C251F7A67F49ACDB4
SHA256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
5800 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E94643DE99F5621BC288D045BEA85DD | binary
MD5:FC798E4683789DC074426837C276D1AD
SHA256:C1BFDF698099A744A7ACF4628EA25369E0B73F2F7ED51B62079926211DA67DB2
5800 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C7F163ED126D5C3CB9457F68EC64E9E | binary
MD5:86F34FC42246191848AC8EF39460D753
SHA256:465C7291C75E8682B93FF28BDA234E493910FD20B8314F5D57DBA833C19C25A8
5800 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8308086E5659ACD8D33846B02D52E737 | binary
MD5:32B53E819A875ED035D3976B5778ABB9
SHA256:14B8897067DCA7225014C41E7D9A380D90760BF75C133A31E02F937AE2223758
5800 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | binary
MD5:86BEC7A51419CF6F8277608E79B2B807
SHA256:1AE99C253A484A9CB6814FB52AFD40E347DFE2CD6273E50B245695B87C1BC6E5
5800 | SIHClient.exe | C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab | compressed
MD5:ACD24F781C0C8F48A0BD86A0E9F2A154
SHA256:5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
5800 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\434E65B61F9D3E2BD9941E4DFA4ED4BB | binary
MD5:C56B95C040595AEC884DACD9EEBB3252
SHA256:E173A0E3395060338A550B8D5E01E99E1D5B3E83CDB7471CFDC9D2237AD54015
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 36
TCP/UDP connections: 50
DNS requests: 21
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation (cells the report left empty are shown as -)

2104 | svchost.exe | GET | 200 | 23.216.77.36:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
5800 | SIHClient.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
5800 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | GET | 200 | 20.223.36.55:443 | URL on the next line:
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250325T063647Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=1ead5898ca23466c8e9d7d25a847cbee&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3968556&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1359085&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
  | unknown | binary | 1.31 Kb | whitelisted
- | - | GET | 200 | 20.223.36.55:443 | URL on the next line:
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250325T063647Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=328ae0add77f47658646458e324a2ad9&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3968556&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1359085&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
  | unknown | binary | 2.95 Kb | whitelisted
- | - | POST | 200 | 20.190.160.131:443 | https://login.live.com/RST2.srf | unknown | xml | 1.35 Kb | whitelisted
- | - | POST | 400 | 20.190.160.17:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (cells the report left empty are shown as -)

2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 23.216.77.36:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1228 | backgroundTaskHost.exe | 20.199.58.43:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5800 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.18.14
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 20.198.162.76
  • 20.197.71.89
whitelisted
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.20
  • 23.216.77.6
  • 2.16.164.120
  • 2.16.164.72
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.2
  • 20.190.159.129
  • 40.126.31.0
  • 20.190.159.130
  • 20.190.159.75
  • 20.190.159.0
  • 40.126.31.73
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info