File name:

e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe

Full analysis: https://app.any.run/tasks/3f6e694b-58a3-433d-a3ec-7001d2726ef3
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 09:50:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
ultravnc
rmm-tool
netreactor
telegram
exfiltration
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

AE179D068CE492500918FE3DBB89937C

SHA1:

111E6585C6BBCFF761E6189DD7E4C727C4A58FBB

SHA256:

E2FC225386002B57C42556E10074FD77A0E462C1A49FA0E9639DCD22CC7A32FE

SSDEEP:

24576:qw7wCoYa6NIENMKh6UiKqRn5xX/b2ntBs1zm5P2g7:P7/Ha6NIENMKh6Ufq95xX/b2ntBs1zmR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

    • Steals credentials from Web Browsers

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

    • AGENTTESLA has been detected (YARA)

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

  • SUSPICIOUS

    • Application launched itself

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 2960)

    • The process connected to a server suspected of theft

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

  • INFO

    • .NET Reactor protector has been detected

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 2960)

    • Reads the machine GUID from the registry

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 2960)
      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

    • Reads the computer name

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)
      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 2960)

    • ULTRAVNC has been detected

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

    • Checks supported languages

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 2960)
      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

    • Disables trace logs

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

    • Checks proxy server information

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)

    • Reads the software policy settings

      • e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe (PID: 5332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe
Telegram-Tokens (1)6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc
Telegram-Info-Links
6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc
Get info about bothttps://api.telegram.org/bot6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc/getMe
Get incoming updateshttps://api.telegram.org/bot6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc/getUpdates
Get webhookhttps://api.telegram.org/bot6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc/deleteWebhook?drop_pending_updates=true
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2103:06:01 04:33:44+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 746496
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0xb83ce
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Restorant
FileVersion: 1.0.0.0
InternalName: GRQg.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: -
OriginalFileName: GRQg.exe
ProductName: Restorant
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe no specs sppextcomobj.exe no specs slui.exe no specs #AGENTTESLA e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe

Process information

PID
CMD
Path
Indicators
Parent process
660C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
2960"C:\Users\admin\AppData\Local\Temp\e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe" C:\Users\admin\AppData\Local\Temp\e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Restorant
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4000"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5332"C:\Users\admin\AppData\Local\Temp\e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe"C:\Users\admin\AppData\Local\Temp\e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe
e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Restorant
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
ims-api
(PID) Process(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe
Telegram-Tokens (1)6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc
Telegram-Info-Links
6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc
Get info about bothttps://api.telegram.org/bot6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc/getMe
Get incoming updateshttps://api.telegram.org/bot6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc/getUpdates
Get webhookhttps://api.telegram.org/bot6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot6667703245:AAGbrmNQKFZwcHb4a3PN73HiRhI6009WsPc/deleteWebhook?drop_pending_updates=true
Total events
1 096
Read events
1 082
Write events
14
Delete events
0

Modification events

(PID) Process:(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5332) e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
18
DNS requests
13
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1240
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1240
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6544
svchost.exe
20.190.159.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5332
e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.174
whitelisted
login.live.com
  • 20.190.159.71
  • 40.126.31.2
  • 20.190.159.2
  • 20.190.159.23
  • 20.190.159.4
  • 40.126.31.67
  • 40.126.31.131
  • 20.190.159.130
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
5332
e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
5332
e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
5332
e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Telegram
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
e2fc225386002b57c42556e10074fd77a0e462c1a49fa0e9639dcd22cc7a32fe.exe