File name:

SecuriteInfo.com.Script.SNH-gen.27752.2674.exe

Full analysis: https://app.any.run/tasks/87546f69-dd1d-4d3c-8457-7483307a4448
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 04, 2025, 11:32:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
github
loader
auto-reg
rat
njrat
bladabindi
auto-startup
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

B377E953CB655C1A33F555BEB0C9CF89

SHA1:

CB84077E3DE0D88D0EFC44DF224E866F8C382FD8

SHA256:

1FA98E07EDEF331F77ABCD331EBE00D4B45E50A027743A990B634BE991FA8C7A

SSDEEP:

24576:xP7nSRL1LzT0fqokR/CgREAVVgEU1NiiAiJA2Z0GaXKqR68gS4SV6aVJNkIU8BZl:RzSRL1LzTOkR/CgREAVVgEU1NiiAiJAj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NjRAT is detected

      • server.exe (PID: 2416)

    • Changes the autorun value in the registry

      • server.exe (PID: 2416)

    • Create files in the Startup directory

      • server.exe (PID: 2416)

    • NJRAT has been detected (YARA)

      • server.exe (PID: 2416)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)
      • Svchost.exe (PID: 7316)

    • There is functionality for taking screenshot (YARA)

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)

    • The process creates files with name similar to system file names

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)

    • Executable content was dropped or overwritten

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)
      • Svchost.exe (PID: 7316)
      • server.exe (PID: 2416)

    • Starts itself from another location

      • Svchost.exe (PID: 7316)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • server.exe (PID: 2416)

    • Connects to unusual port

      • server.exe (PID: 2416)

  • INFO

    • The sample compiled with english language support

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)

    • Reads mouse settings

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)

    • Checks supported languages

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)
      • Svchost.exe (PID: 7316)
      • server.exe (PID: 2416)
      • server.exe (PID: 516)

    • Checks proxy server information

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)
      • slui.exe (PID: 4980)

    • Reads the computer name

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)
      • Svchost.exe (PID: 7316)
      • server.exe (PID: 2416)
      • server.exe (PID: 516)

    • Reads the software policy settings

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)
      • slui.exe (PID: 4980)

    • The process uses AutoIt

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)

    • Reads the machine GUID from the registry

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)
      • server.exe (PID: 2416)

    • Creates files or folders in the user directory

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)
      • server.exe (PID: 2416)

    • Create files in a temporary directory

      • SecuriteInfo.com.Script.SNH-gen.27752.2674.exe (PID: 2600)
      • Svchost.exe (PID: 7316)

    • Process checks computer location settings

      • Svchost.exe (PID: 7316)

    • Launching a file from a Registry key

      • server.exe (PID: 2416)

    • Launching a file from the Startup directory

      • server.exe (PID: 2416)

    • Manual execution by a user

      • server.exe (PID: 516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

NjRat

(PID) Process(2416) server.exe
C289.156.24.108
Ports1738
Botnetdengbengboum
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\2df8aa737da989b11c40fab081247708
Splitter|'|'|
Version0.7d
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:01:08 16:11:45+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 573440
InitializedDataSize: 286720
UninitializedDataSize: -
EntryPoint: 0x26bf7
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start securiteinfo.com.script.snh-gen.27752.2674.exe svchost.exe #NJRAT server.exe netsh.exe no specs conhost.exe no specs server.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
516"C:\Users\admin\AppData\Local\Temp\server.exe" ..C:\Users\admin\AppData\Local\Temp\server.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\server.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
1128\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenetsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2416"C:\Users\admin\AppData\Local\Temp\server.exe" C:\Users\admin\AppData\Local\Temp\server.exe
Svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\server.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
NjRat
(PID) Process(2416) server.exe
C289.156.24.108
Ports1738
Botnetdengbengboum
Options
Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\2df8aa737da989b11c40fab081247708
Splitter|'|'|
Version0.7d
2600"C:\Users\admin\Desktop\SecuriteInfo.com.Script.SNH-gen.27752.2674.exe" C:\Users\admin\Desktop\SecuriteInfo.com.Script.SNH-gen.27752.2674.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\securiteinfo.com.script.snh-gen.27752.2674.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
4980C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7316C:\Users\admin\AppData\Local\Temp\Svchost.exeC:\Users\admin\AppData\Local\Temp\Svchost.exe
SecuriteInfo.com.Script.SNH-gen.27752.2674.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7980netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\server.exe" "server.exe" ENABLEC:\Windows\SysWOW64\netsh.exeserver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
8 420
Read events
8 286
Write events
134
Delete events
0

Modification events

(PID) Process:(2600) SecuriteInfo.com.Script.SNH-gen.27752.2674.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2600) SecuriteInfo.com.Script.SNH-gen.27752.2674.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2600) SecuriteInfo.com.Script.SNH-gen.27752.2674.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2416) server.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:SEE_MASK_NOZONECHECKS
Value:
1
(PID) Process:(2416) server.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:2df8aa737da989b11c40fab081247708
Value:
"C:\Users\admin\AppData\Local\Temp\server.exe" ..
(PID) Process:(2416) server.exeKey:HKEY_CURRENT_USER\SOFTWARE\2df8aa737da989b11c40fab081247708
Operation:writeName:[kl]
Value:
Executable files
4
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2600SecuriteInfo.com.Script.SNH-gen.27752.2674.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\bengbengtmort_Final[1].exeexecutable
MD5:915C9C0811AFE2125AAC5D2C70306576
SHA256:3F80635264950E46B965426C9741A1EAF02169C0B93236FCEA4F426CAF8B29D6
7316Svchost.exeC:\Users\admin\AppData\Local\Temp\server.exeexecutable
MD5:915C9C0811AFE2125AAC5D2C70306576
SHA256:3F80635264950E46B965426C9741A1EAF02169C0B93236FCEA4F426CAF8B29D6
2416server.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2df8aa737da989b11c40fab081247708.exeexecutable
MD5:915C9C0811AFE2125AAC5D2C70306576
SHA256:3F80635264950E46B965426C9741A1EAF02169C0B93236FCEA4F426CAF8B29D6
2600SecuriteInfo.com.Script.SNH-gen.27752.2674.exeC:\Users\admin\AppData\Local\Temp\Svchost.exeexecutable
MD5:915C9C0811AFE2125AAC5D2C70306576
SHA256:3F80635264950E46B965426C9741A1EAF02169C0B93236FCEA4F426CAF8B29D6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
50
DNS requests
19
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5604
svchost.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
40.126.32.138:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5604
svchost.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
302
140.82.121.4:443
https://github.com/supfrezze/jtebez/raw/master/bengbengtmort_Final.exe
unknown
GET
200
140.82.121.4:443
https://raw.githubusercontent.com/supfrezze/jtebez/master/bengbengtmort_Final.exe
unknown
executable
23.5 Kb
whitelisted
POST
200
20.190.160.14:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
POST
200
20.190.160.5:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
POST
200
40.126.32.74:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
POST
200
20.190.160.2:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
8020
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5604
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5604
svchost.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5604
svchost.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
5496
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2600
SecuriteInfo.com.Script.SNH-gen.27752.2674.exe
140.82.121.3:443
github.com
GITHUB
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
  • 23.48.23.181
  • 23.48.23.180
  • 23.48.23.139
  • 23.48.23.177
  • 23.48.23.176
  • 23.48.23.190
  • 23.48.23.140
  • 23.48.23.192
  • 23.48.23.138
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.71
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.75
  • 20.190.159.129
  • 20.190.159.130
  • 20.190.159.71
whitelisted
github.com
  • 140.82.121.3
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.108.133
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO AutoIt User Agent Executable Request
Potential Corporate Privacy Violation
ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Potential Corporate Privacy Violation
ET INFO Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Misc activity
ET HUNTING EXE Downloaded from Github
Misc activity
ET INFO AutoIt User Agent Executable Request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Script.SNH-gen.27752.2674.exe