File name: 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050

Full analysis: https://app.any.run/tasks/4e8717df-7d61-4b16-b140-a3d5737a91aa
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: September 05, 2025, 22:26:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
ultravnc
rmm-tool
agenttesla
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 1864FBCF19AC3BE6C93D0CCBCAEF15AA
SHA1: 0C8C905A109FCE7E1ACEA310EA2A0C33BD878CD0
SHA256: 7457D2ACC46D71706667C94471B6FBF591EB22CAB87DF4D9744DC584430EC050
SSDEEP: 24576:yV/omROEhlp827z6itSu/vtda7fyEhmnN81Yor29uP50iawAEa:yV/omROEhlpX7z6itSu/v/a7JhmnN81j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • RegSvcs.exe (PID: 3956)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 3956)
    • AGENTTESLA has been detected (YARA)

      • RegSvcs.exe (PID: 3956)
  • SUSPICIOUS

    • Connects to SMTP port

      • RegSvcs.exe (PID: 3956)
  • INFO

    • Checks supported languages

      • 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe (PID: 3788)
      • RegSvcs.exe (PID: 3956)
    • Creates files in a temporary directory

      • 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe (PID: 3788)
    • The sample was compiled with English language support

      • 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe (PID: 3788)
    • Reads mouse settings

      • 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe (PID: 3788)
    • Reads Environment values

      • RegSvcs.exe (PID: 3956)
    • Reads the machine GUID from the registry

      • RegSvcs.exe (PID: 3956)
    • Reads the computer name

      • RegSvcs.exe (PID: 3956)
    • ULTRAVNC has been detected

      • RegSvcs.exe (PID: 3956)
    • Reads the software policy settings

      • RegSvcs.exe (PID: 3956)
      • slui.exe (PID: 2524)
    • Checks proxy server information

      • slui.exe (PID: 2524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AgentTesla

Process: RegSvcs.exe (PID: 3956)
Protocol: smtp
Host: mail.gunsaldi.com
Port: 587
Username: mail@gunsaldi.com
Password: SodFSPhJQJxbA4Tn

TRiD

.exe | UPX compressed Win32 Executable (43.5)
.exe | Win32 EXE Yoda's Crypter (42.7)
.exe | Win32 Executable (generic) (7.2)
.exe | Generic Win/DOS Executable (3.2)
.exe | DOS Executable Generic (3.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:08:26 23:08:34+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 380928
InitializedDataSize: 217088
UninitializedDataSize: 770048
EntryPoint: 0x119650
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
Total processes: 137
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe no specs #AGENTTESLA regsvcs.exe slui.exe

Process information

PID: 2524
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 3788
CMD: "C:\Users\admin\AppData\Local\Temp\7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe"
Path: C:\Users\admin\AppData\Local\Temp\7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 3956
CMD: "C:\Users\admin\AppData\Local\Temp\7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (Images):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Malware configuration: AgentTesla (same SMTP configuration as listed in the AgentTesla section above)
Total events: 4 545
Read events: 4 545
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3788 | 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe | C:\Users\admin\AppData\Local\Temp\Vevine | binary
    MD5: 7AFE52679A8BC41F163A6DB58D46360F
    SHA256: 9CB03F2A0E2DBE69909BCE809A4A20D8B404528117B7A783581B3E06D197E5C8
3788 | 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe | C:\Users\admin\AppData\Local\Temp\autCAFC.tmp | binary
    MD5: 2B49E4D84B55178501A9E5F69E6F7E20
    SHA256: 6E1A610EB3223296141564C76F5C0E61AB0E6091FF0B2C291F0D5FDC530284F5
3788 | 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe | C:\Users\admin\AppData\Local\Temp\autCC54.tmp | binary
    MD5: C7E70433443B50D796C1C7017B7186B7
    SHA256: 82FB0093E880CC4C12C1865B6726A6BC2AE680FBB9717B27297D96C59B36C9E6
3788 | 7457d2acc46d71706667c94471b6fbf591eb22cab87df4d9744dc584430ec050.exe | C:\Users\admin\AppData\Local\Temp\extrorsal | binary
    MD5: D0636C3DC2698FCF88DD24D9B53D2730
    SHA256: 238FF405A87BD3595AC91B125479993F238D5F12B289ECC2B6CE5553475ED3BA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 25
DNS requests: 20
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6216 | svchost.exe | GET | 200 | 23.196.96.159:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.196.102.181:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
6160 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | NL | binary | 419 b | whitelisted
2940 | svchost.exe | GET | 200 | 23.3.109.48:80 | http://x1.c.lencr.org/ | DE | binary | 734 b | whitelisted
6160 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | NL | binary | 407 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.173.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DK | binary | 825 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1300 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3956 | RegSvcs.exe | 31.222.235.198:587 | mail.gunsaldi.com | NETH LLC | UA | unknown
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 2.23.173.51:80 | crl.microsoft.com | Akamai International B.V. | DK | whitelisted
1268 | svchost.exe | 23.196.102.181:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6216 | svchost.exe | 20.190.160.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 216.58.212.174
whitelisted
mail.gunsaldi.com
  • 31.222.235.198
unknown
crl.microsoft.com
  • 2.23.173.51
  • 2.23.173.59
whitelisted
www.microsoft.com
  • 23.196.102.181
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.4
  • 20.190.160.66
  • 20.190.160.22
  • 20.190.160.131
  • 40.126.32.72
  • 20.190.160.2
  • 40.126.32.76
  • 20.190.160.65
whitelisted
ocsp.digicert.com
  • 23.196.96.159
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
self.events.data.microsoft.com
  • 20.189.173.24
whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)