File name: AWB9284730932.exe

Full analysis: https://app.any.run/tasks/3598d4f5-37ed-4759-ae90-2499715f8259
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: March 24, 2025, 14:06:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
agenttesla
ultravnc
rmm-tool
smtp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 820BEA4C415B6F6568CED99DA65D9846
SHA1: 1D3282D36CFD84CCCCE958F314797BF28FC49BCC
SHA256: 0877B04273E885323C7E6485E348E39E92157343A4991FFCF7619128040B0F5A
SSDEEP: 24576:TZI/a8TeqpYvsdVzwasvGllT4mw0oh9JfjVHj:TZI/a8TeqpYvsdVzwasGlJ4mw0oh9Jfl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • AWB9284730932.exe (PID: 5800)
    • Uses Task Scheduler to run other applications

      • AWB9284730932.exe (PID: 5800)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 6592)
    • Changes the autorun value in the registry

      • RegSvcs.exe (PID: 6592)
    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 6592)
    • AGENTTESLA has been detected (YARA)

      • RegSvcs.exe (PID: 6592)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • AWB9284730932.exe (PID: 5800)
    • Executable content was dropped or overwritten

      • AWB9284730932.exe (PID: 5800)
      • RegSvcs.exe (PID: 6592)
    • Process drops legitimate windows executable

      • AWB9284730932.exe (PID: 5800)
      • RegSvcs.exe (PID: 6592)
    • Connects to SMTP port

      • RegSvcs.exe (PID: 6592)
    • Reads security settings of Internet Explorer

      • AWB9284730932.exe (PID: 5800)
  • INFO

    • Create files in a temporary directory

      • AWB9284730932.exe (PID: 5800)
    • Reads the machine GUID from the registry

      • AWB9284730932.exe (PID: 5800)
    • Reads the computer name

      • AWB9284730932.exe (PID: 5800)
    • Checks supported languages

      • AWB9284730932.exe (PID: 5800)
      • RegSvcs.exe (PID: 6592)
    • Creates files or folders in the user directory

      • AWB9284730932.exe (PID: 5800)
      • RegSvcs.exe (PID: 6592)
    • ULTRAVNC has been detected

      • RegSvcs.exe (PID: 6592)
    • Reads the software policy settings

      • slui.exe (PID: 5352)
      • SIHClient.exe (PID: 5008)
    • The sample compiled with english language support

      • RegSvcs.exe (PID: 6592)

AgentTesla

(PID) Process: (6592) RegSvcs.exe
Protocol: smtp
Host: mail.azmaplast.com
Port: 587
Username: info@azmaplast.com
Password: QAZqaz123@@

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2076:12:17 18:29:12+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 701440
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0xad39a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft Corporation
FileDescription: Compatibility Database
FileVersion: 1.0.0.0
InternalName: TyKt.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved.
LegalTrademarks: -
OriginalFileName: TyKt.exe
ProductName: Compatibility Database
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 132
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph (from the start node): awb9284730932.exe, sihclient.exe, schtasks.exe (no specs), conhost.exe (no specs), regsvcs.exe (#AGENTTESLA), slui.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 1328
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5008
CMD: C:\WINDOWS\System32\sihclient.exe /cv QbfuvMi1FkOJm9oSOYY39Q.0.2
Path: C:\Windows\System32\SIHClient.exe
Parent process: upfc.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: SIH Client
Exit code: 2149863430
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sihclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 5352
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5800
CMD: "C:\Users\admin\Desktop\AWB9284730932.exe"
Path: C:\Users\admin\Desktop\AWB9284730932.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Compatibility Database
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\awb9284730932.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6592
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: AWB9284730932.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6676
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FgNhgxffnuU" /XML "C:\Users\admin\AppData\Local\Temp\tmp2018.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: AWB9284730932.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 8 714
Read events: 8 712
Write events: 2
Delete events: 0

Modification events

(PID) Process: (6592) RegSvcs.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: boqXv
Value: C:\Users\admin\AppData\Roaming\boqXv\boqXv.exe

(PID) Process: (6592) RegSvcs.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation: write
Name: boqXv
Value: 020000000000000000000000
Executable files: 2
Suspicious files: 22
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary
MD5: E3264B123392F4C79BB7F5BD11D0F1E0
SHA256: 360ED731B955738B8D5CDDAB0BB8B9FCF6761779CBB0DBE2DA4BBAC2EC3A6278

5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\434E65B61F9D3E2BD9941E4DFA4ED4BB | binary
MD5: F26450B497B8AB060849E7B769A33449
SHA256: 17A96F568100161AEFA80213E17C7FA344DAD8D396BADD5845F05A12571B86A8

5008 | SIHClient.exe | C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab | compressed
MD5: ACD24F781C0C8F48A0BD86A0E9F2A154
SHA256: 5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49

5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | binary
MD5: 5EF4747AFEF479A33A66AF897739EB84
SHA256: 55581FACE93504D3F8B453A4749266A420A0F1355F9EA463EB3CB14584BCCB91

5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\434E65B61F9D3E2BD9941E4DFA4ED4BB | binary
MD5: C56B95C040595AEC884DACD9EEBB3252
SHA256: E173A0E3395060338A550B8D5E01E99E1D5B3E83CDB7471CFDC9D2237AD54015

5800 | AWB9284730932.exe | C:\Users\admin\AppData\Roaming\FgNhgxffnuU.exe | executable
MD5: 820BEA4C415B6F6568CED99DA65D9846
SHA256: 0877B04273E885323C7E6485E348E39E92157343A4991FFCF7619128040B0F5A

5008 | SIHClient.exe | C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP317D.tmp | compressed
MD5: 1B6460EE0273E97C251F7A67F49ACDB4
SHA256: 3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A

6592 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\boqXv\boqXv.exe | executable
MD5: 6279D136310C22894F605938B4CB93D8
SHA256: FB7D514B3322810463655473D2D7C704D3405C1C9DD81F0D4D423518EF416987

5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | binary
MD5: 3B5E0BD6640456A749D9155E6C135727
SHA256: C362A3D2B661C6066A02FC169FAAA1976C2F6160DA5837C7E68B7E0F67B794ED

5008 | SIHClient.exe | C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E94643DE99F5621BC288D045BEA85DD | binary
MD5: 84077EEB5DFD4DDCC1B3C0097C95E859
SHA256: CD1C8F4B92B60072003584FE1446D22B65D24F7161FA8E2E7FBDD82C75C8A70F
HTTP(S) requests: 32
TCP/UDP connections: 52
DNS requests: 17
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
5008 | SIHClient.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5008 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
5008 | SIHClient.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
5008 | SIHClient.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
5008 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
5008 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
5008 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.160.131:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | - | - | whitelisted
- | - | GET | 200 | 20.223.35.26:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T140714Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=0d1b1e74f88d4afa8273e7ae55001d95&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967566&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358096&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 2.95 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.160.66:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6272 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5008 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5008 | SIHClient.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5008 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5008 | SIHClient.exe | 13.85.23.206:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.174
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 20.190.160.66
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.68
  • 20.190.160.20
  • 20.190.160.3
whitelisted
arc.msn.com
  • 20.223.35.26
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 23.48.23.164
  • 23.48.23.166
  • 23.48.23.194
  • 23.48.23.177
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
mail.azmaplast.com
  • 193.141.65.39
malicious

Threats

PID | Process | Class | Message
6592 | RegSvcs.exe | Misc activity | INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)