File name:

SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe

Full analysis: https://app.any.run/tasks/25cf6b1b-368e-480a-939f-6c34970a188d
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 19:46:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
httpdebugger
tool
evasion
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

7E439C44D58BDE9C7875928494CE7D06

SHA1:

7D90D12D88550D41428163946B7AE90243E32B2E

SHA256:

26B066A997ECA3B7B08D08519474F5306E70139EC15852843D0F11DA4D39658F

SSDEEP:

12288:y1khp4RZ4yyNlBfNKaNqLsLFBYfbKdjUk4/EVjjFzucjYuszH422222E0:THBfNKaNqLsLPYfbKdjq/EVZ0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • InstallUtil.exe (PID: 6032)

    • Actions looks like stealing of personal data

      • InstallUtil.exe (PID: 6032)

  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • InstallUtil.exe (PID: 6032)

    • Connects to FTP

      • InstallUtil.exe (PID: 6032)

  • INFO

    • Checks supported languages

      • SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe (PID: 1280)
      • InstallUtil.exe (PID: 6032)

    • Reads the computer name

      • SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe (PID: 1280)
      • InstallUtil.exe (PID: 6032)

    • Reads the machine GUID from the registry

      • SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe (PID: 1280)
      • InstallUtil.exe (PID: 6032)

    • Disables trace logs

      • SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe (PID: 1280)
      • InstallUtil.exe (PID: 6032)

    • Checks proxy server information

      • SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe (PID: 1280)
      • InstallUtil.exe (PID: 6032)
      • slui.exe (PID: 1188)

    • Reads the software policy settings

      • SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe (PID: 1280)
      • slui.exe (PID: 1188)

    • HTTPDEBUGGER has been detected

      • SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe (PID: 1280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:02:12 10:08:16+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 80
CodeSize: 698880
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0xac95e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.3.3.4
ProductVersionNumber: 2.3.3.4
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: FGC:AI33G@BF>D7E3
CompanyName: 9H5EB6CG4JG58F?8
FileDescription: A?=:<6J;2H878:>CA>I=6JC
FileVersion: 2.3.3.4
InternalName: emmmmmmslay.exe
LegalCopyright: Copyright © 1986 9H5EB6CG4JG58F?8
OriginalFileName: emmmmmmslay.exe
ProductName: A?=:<6J;2H878:>CA>I=6JC
ProductVersion: 2.3.3.4
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start securiteinfo.com.win32.malwarex-gen.19911.19708.exe installutil.exe slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1188C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1280"C:\Users\admin\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe" C:\Users\admin\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe
explorer.exe
User:
admin
Company:
9H5EB6CG4JG58F?8
Integrity Level:
MEDIUM
Description:
A?=:<6J;2H878:>CA>I=6JC
Exit code:
0
Version:
2.3.3.4
Modules
Images
c:\users\admin\desktop\securiteinfo.com.win32.malwarex-gen.19911.19708.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6032"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
8 280
Read events
8 252
Write events
28
Delete events
0

Modification events

(PID) Process:(1280) SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1280) SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(1280) SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1280) SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(1280) SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(1280) SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(1280) SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(1280) SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1280) SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(1280) SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SecuriteInfo_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
40
DNS requests
16
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4208
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4208
SIHClient.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4208
SIHClient.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
4208
SIHClient.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4208
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4208
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4208
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
4208
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
6032
InstallUtil.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1280
SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe
91.134.10.127:443
i.ibb.co
OVH SAS
FR
shared
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4208
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4208
SIHClient.exe
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4208
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4208
SIHClient.exe
52.165.164.15:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.142
whitelisted
i.ibb.co
  • 91.134.10.127
  • 91.134.9.159
  • 91.134.82.79
  • 91.134.9.160
  • 91.134.10.168
  • 91.134.10.182
shared
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 23.48.23.176
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.173
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted

Threats

PID
Process
Class
Message
1280
SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe
Not Suspicious Traffic
INFO [ANY.RUN] Image hosting service ImgBB
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
6032
InstallUtil.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
6032
InstallUtil.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.exe