File name: AWB9284730932.exe

Full analysis: https://app.any.run/tasks/3598d4f5-37ed-4759-ae90-2499715f8259
Verdict: Malicious activity
Threats: AgentTesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: March 24, 2025, 14:06:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer, agenttesla, ultravnc, rmm-tool, smtp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 820BEA4C415B6F6568CED99DA65D9846
SHA1: 1D3282D36CFD84CCCCE958F314797BF28FC49BCC
SHA256: 0877B04273E885323C7E6485E348E39E92157343A4991FFCF7619128040B0F5A
SSDEEP: 24576:TZI/a8TeqpYvsdVzwasvGllT4mw0oh9JfjVHj:TZI/a8TeqpYvsdVzwasGlJ4mw0oh9Jfl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • AWB9284730932.exe (PID: 5800)
    • Uses Task Scheduler to run other applications
      • AWB9284730932.exe (PID: 5800)
    • Changes the autorun value in the registry
      • RegSvcs.exe (PID: 6592)
    • Actions look like stealing of personal data
      • RegSvcs.exe (PID: 6592)
    • Steals credentials from Web Browsers
      • RegSvcs.exe (PID: 6592)
    • AGENTTESLA has been detected (YARA)
      • RegSvcs.exe (PID: 6592)
  • SUSPICIOUS
    • Starts a Microsoft application from an unusual location
      • AWB9284730932.exe (PID: 5800)
    • Executable content was dropped or overwritten
      • AWB9284730932.exe (PID: 5800)
      • RegSvcs.exe (PID: 6592)
    • Process drops legitimate Windows executable
      • AWB9284730932.exe (PID: 5800)
      • RegSvcs.exe (PID: 6592)
    • Reads security settings of Internet Explorer
      • AWB9284730932.exe (PID: 5800)
    • Connects to SMTP port
      • RegSvcs.exe (PID: 6592)
  • INFO
    • Reads the computer name
      • AWB9284730932.exe (PID: 5800)
    • Checks supported languages
      • AWB9284730932.exe (PID: 5800)
      • RegSvcs.exe (PID: 6592)
    • Reads the machine GUID from the registry
      • AWB9284730932.exe (PID: 5800)
    • Creates files or folders in the user directory
      • AWB9284730932.exe (PID: 5800)
      • RegSvcs.exe (PID: 6592)
    • Creates files in a temporary directory
      • AWB9284730932.exe (PID: 5800)
    • Reads the software policy settings
      • slui.exe (PID: 5352)
      • SIHClient.exe (PID: 5008)
    • The sample was compiled with English language support
      • RegSvcs.exe (PID: 6592)
    • ULTRAVNC has been detected
      • RegSvcs.exe (PID: 6592)

AgentTesla configuration

(PID) Process: (6592) RegSvcs.exe
Protocol: smtp
Host: mail.azmaplast.com
Port: 587
Username: info@azmaplast.com
Password: QAZqaz123@@

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2076:12:17 18:29:12+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 701440
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0xad39a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft Corporation
FileDescription: Compatibility Database
FileVersion: 1.0.0.0
InternalName: TyKt.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved.
LegalTrademarks: -
OriginalFileName: TyKt.exe
ProductName: Compatibility Database
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 132
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph: awb9284730932.exe, sihclient.exe, schtasks.exe (no specs), conhost.exe (no specs), regsvcs.exe (#AGENTTESLA), slui.exe

Process information

PID: 1328
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5008
CMD: C:\WINDOWS\System32\sihclient.exe /cv QbfuvMi1FkOJm9oSOYY39Q.0.2
Path: C:\Windows\System32\SIHClient.exe
Parent process: upfc.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: SIH Client
Exit code: 2149863430
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sihclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 5352
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5800
CMD: "C:\Users\admin\Desktop\AWB9284730932.exe"
Path: C:\Users\admin\Desktop\AWB9284730932.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Compatibility Database
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\awb9284730932.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 6592
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: AWB9284730932.exe
Indicators: AgentTesla
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6676
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FgNhgxffnuU" /XML "C:\Users\admin\AppData\Local\Temp\tmp2018.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: AWB9284730932.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 8 714
Read events: 8 712
Write events: 2
Delete events: 0

Modification events

(PID) Process: (6592) RegSvcs.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: boqXv
Value: C:\Users\admin\AppData\Roaming\boqXv\boqXv.exe

(PID) Process: (6592) RegSvcs.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation: write
Name: boqXv
Value: 020000000000000000000000
Executable files: 2
Suspicious files: 22
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5008 | SIHClient.exe | C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab | compressed
  MD5: ACD24F781C0C8F48A0BD86A0E9F2A154
  SHA256: 5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
6592 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\boqXv\boqXv.exe | executable
  MD5: 6279D136310C22894F605938B4CB93D8
  SHA256: FB7D514B3322810463655473D2D7C704D3405C1C9DD81F0D4D423518EF416987
5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\434E65B61F9D3E2BD9941E4DFA4ED4BB | binary
  MD5: C56B95C040595AEC884DACD9EEBB3252
  SHA256: E173A0E3395060338A550B8D5E01E99E1D5B3E83CDB7471CFDC9D2237AD54015
5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary
  MD5: E3264B123392F4C79BB7F5BD11D0F1E0
  SHA256: 360ED731B955738B8D5CDDAB0BB8B9FCF6761779CBB0DBE2DA4BBAC2EC3A6278
5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | binary
  MD5: 3B5E0BD6640456A749D9155E6C135727
  SHA256: C362A3D2B661C6066A02FC169FAAA1976C2F6160DA5837C7E68B7E0F67B794ED
5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C7F163ED126D5C3CB9457F68EC64E9E | binary
  MD5: 0C1C4AC9177078DBF59AA8E18D4436BB
  SHA256: 35ADD4C4718BB396147B338B0D8040556118A5814C0C734E432D102A3300B8C2
5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | binary
  MD5: 86BEC7A51419CF6F8277608E79B2B807
  SHA256: 1AE99C253A484A9CB6814FB52AFD40E347DFE2CD6273E50B245695B87C1BC6E5
5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C7F163ED126D5C3CB9457F68EC64E9E | binary
  MD5: E1C95F06FCF88DB8C03C98D22BD82B13
  SHA256: 17FCF2C55A2CA9C8C15567ADBBBF5614A682504863E0EA006FBAB73BDE070607
5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | binary
  MD5: 5EF4747AFEF479A33A66AF897739EB84
  SHA256: 55581FACE93504D3F8B453A4749266A420A0F1355F9EA463EB3CB14584BCCB91
5800 | AWB9284730932.exe | C:\Users\admin\AppData\Roaming\FgNhgxffnuU.exe | executable
  MD5: 820BEA4C415B6F6568CED99DA65D9846
  SHA256: 0877B04273E885323C7E6485E348E39E92157343A4991FFCF7619128040B0F5A
HTTP(S) requests: 32
TCP/UDP connections: 52
DNS requests: 17
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5008 | SIHClient.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5008 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | unknown
5008 | SIHClient.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
5008 | SIHClient.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
- | - | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/sls/ping | unknown | unknown
- | - | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | unknown
5008 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5008 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
5008 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.160.66:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6272 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5008 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5008 | SIHClient.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5008 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5008 | SIHClient.exe | 13.85.23.206:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.186.174 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted
login.live.com | 20.190.160.66, 40.126.32.76, 40.126.32.74, 40.126.32.134, 40.126.32.136, 40.126.32.68, 20.190.160.20, 20.190.160.3 | whitelisted
arc.msn.com | 20.223.35.26, 20.223.36.55 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
crl.microsoft.com | 23.48.23.164, 23.48.23.166, 23.48.23.194, 23.48.23.177 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
mail.azmaplast.com | 193.141.65.39 | malicious

Threats

PID | Process | Class | Message
6592 | RegSvcs.exe | Misc activity | INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)