File name:

SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe

Full analysis: https://app.any.run/tasks/5ca0f4a1-8721-4473-926b-984d71cf5d1e
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 23, 2025, 19:30:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
aurotun
stealer
evasion
amsi-bypass
api-base64
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

DAAC389E4F6F4306095E83638DF0E01C

SHA1:

82B5390AFF9153677C1ABEC055C2F873C0012F2B

SHA256:

2A1525FC0681878ED37AF44324F5BBCBEF0D32B5790CC755C0645621BA681D5A

SSDEEP:

98304:hgc9iCfQPyciRLvF5FSQwYzJqwlUWAXBN9WP9lhX/3NH4FELQ8jg0Pt/wDNA/FGo:osdScAeDgfLXk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Changes Windows Defender settings

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • AUROTUN mutex has been found

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Connects to the CnC server

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • AUROTUN has been detected (YARA)

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

  • SUSPICIOUS

    • Script adds exclusion path to Windows Defender

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Starts POWERSHELL.EXE for commands execution

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Executable content was dropped or overwritten

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Potential Corporate Privacy Violation

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Checks for external IP

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Possibly patching Antimalware Scan Interface function (YARA)

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

  • INFO

    • Reads the machine GUID from the registry

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7540)
      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Reads the computer name

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7540)
      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Checks transactions between databases Windows and Oracle

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7540)

    • Checks supported languages

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)
      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7540)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 7788)

    • Process checks computer location settings

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7880)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7880)

    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Potential library load (Base64 Encoded 'LoadLibrary')

      • SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe (PID: 7860)

    • Checks proxy server information

      • slui.exe (PID: 1532)

    • Reads the software policy settings

      • slui.exe (PID: 1532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:23 15:32:57+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.44
CodeSize: 698880
InitializedDataSize: 5620736
UninitializedDataSize: -
EntryPoint: 0x7d664
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start securiteinfo.com.win64.malwarex-gen.15377.29374.exe no specs CMSTPLUA no specs Color Management no specs #AUROTUN securiteinfo.com.win64.malwarex-gen.15377.29374.exe powershell.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1532C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7540"C:\Users\admin\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe" C:\Users\admin\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\securiteinfo.com.win64.malwarex-gen.15377.29374.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7684C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
7788C:\WINDOWS\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
7860"C:\Users\admin\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe" C:\Users\admin\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe
dllhost.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\securiteinfo.com.win64.malwarex-gen.15377.29374.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
7880powershell.exe Add-MpPreference -ExclusionPath "C:\WINDOWS\system32\Hueta.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7888\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
9 597
Read events
9 595
Write events
1
Delete events
1

Modification events

(PID) Process:(7684) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
Operation:writeName:DisplayCalibrator
Value:
C:\Users\admin\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe
(PID) Process:(7684) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
Operation:delete valueName:DisplayCalibrator
Value:
C:\Users\admin\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe
Executable files
1
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7880powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ojkra2wm.hqc.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7880powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_45awo1qz.3zk.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7860SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exeC:\Windows\System32\Hueta.exeexecutable
MD5:345902E5B15C595096B67D7CC9AFA0E1
SHA256:D09C89ED44176A65696AA1FB02285E79C4DE57A8F359EC5C40E6219908651ECF
7880powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:247427E95626F1433C76C1F1D95194C2
SHA256:DE38516238CB345314289B0294BFE88DEC85670C2737D09F56F175133BC7E119
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
54
DNS requests
17
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6392
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.160.22:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
6392
RUXIMICS.exe
GET
200
23.48.23.141:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
400
20.190.160.14:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.160.22:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.160.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.160.66:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.32.133:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.32.76:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.32.74:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6392
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6392
RUXIMICS.exe
23.48.23.141:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6392
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
20.190.160.5:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7860
SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe
196.251.83.202:443
SC
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.48.23.141
  • 23.48.23.161
  • 23.48.23.154
  • 23.48.23.145
  • 23.48.23.144
  • 23.48.23.160
  • 23.48.23.153
  • 23.48.23.158
  • 23.48.23.162
  • 23.48.23.186
  • 23.48.23.183
  • 23.48.23.181
  • 23.48.23.179
  • 23.48.23.185
  • 23.48.23.177
  • 23.48.23.175
  • 23.48.23.184
  • 23.48.23.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.160.5
  • 40.126.32.134
  • 40.126.32.76
  • 20.190.160.132
  • 20.190.160.22
  • 20.190.160.17
  • 20.190.160.67
  • 20.190.160.128
whitelisted
api.ipify.org
  • 172.67.74.152
  • 104.26.12.205
  • 104.26.13.205
shared
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
7860
SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 43
7860
SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe
Potential Corporate Privacy Violation
ET INFO Possible IP Check api.ipify.org
7860
SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
7860
SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe
A Network Trojan was detected
ET MALWARE Aurotun Stealer CnC Checkin
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Win64.MalwareX-gen.15377.29374.exe