File name: SecuriteInfo.com.Win32.Malware-gen.23594321.exe

Full analysis: https://app.any.run/tasks/a7628b8d-6250-4790-b68a-d839f0ea3fea
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Analysis date: January 30, 2026, 14:14:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealc
stealer
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: C61120E11AA588B1D618AB1259FF691A
SHA1: A7682BCE4ADFD67AF2B3962BE9A0DB1E9DE8E3D9
SHA256: 5DFD68940C695A01548C0F75B755629B32B9809304312AEDA3A9742A451012B4
SSDEEP: 98304:F6GavilIvoI2u7cVvyYqvKr6ePDfxmoHVHWGq2Fltfit/28AafGWIeYoVQGrOG0g:IpTn32kJjWND0z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • STEALC has been detected
      • HelpPane.exe (PID: 7496)
    • Connects to the CnC server
      • HelpPane.exe (PID: 7496)
    • STEALC has been detected (SURICATA)
      • HelpPane.exe (PID: 7496)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • SecuriteInfo.com.Win32.Malware-gen.23594321.exe (PID: 1068)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 8396)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.exe (PID: 7392)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 7376)
      • FnHotkeyUtility.exe (PID: 9056)
    • Reads the Windows owner or organization settings
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 8396)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 7376)
    • The process creates files with names similar to system file names
      • FnHotkeyUtility.exe (PID: 9056)
    • The process drops C-runtime libraries
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 7376)
    • Process drops a legitimate Windows executable
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 7376)
    • Starts CMD.EXE for command execution
      • FnHotkeyUtility.exe (PID: 9056)
    • The executable file from the user directory is run by the CMD process
      • taskhost.exe (PID: 8052)
    • Contacting a server suspected of hosting a CnC
      • HelpPane.exe (PID: 7496)
    • The process executes via Task Scheduler
      • FnHotkeyUtility.exe (PID: 7552)
      • FnHotkeyUtility.exe (PID: 5200)
  • INFO
    • Reads the computer name
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 8396)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 7376)
      • FnHotkeyUtility.exe (PID: 9056)
      • FnHotkeyUtility.exe (PID: 5200)
      • FnHotkeyUtility.exe (PID: 7552)
    • Creates files in a temporary directory
      • SecuriteInfo.com.Win32.Malware-gen.23594321.exe (PID: 1068)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 8396)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.exe (PID: 7392)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 7376)
    • Password parameter in command line
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 8396)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.exe (PID: 7392)
    • Checks supported languages
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 8396)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.exe (PID: 1068)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.exe (PID: 7392)
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 7376)
      • FnHotkeyUtility.exe (PID: 9056)
      • taskhost.exe (PID: 8052)
      • FnHotkeyUtility.exe (PID: 7552)
      • FnHotkeyUtility.exe (PID: 5200)
    • Reads security settings of Internet Explorer
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 8396)
      • HelpPane.exe (PID: 7496)
    • Process checks computer location settings
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 8396)
    • Creates files in the program directory
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 7376)
    • UPX packer has been detected
      • FnHotkeyUtility.exe (PID: 9056)
    • Checks proxy server information
      • HelpPane.exe (PID: 7496)
      • slui.exe (PID: 9184)
    • The sample was compiled with Chinese language support
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 7376)
    • The sample was compiled with English language support
      • SecuriteInfo.com.Win32.Malware-gen.23594321.tmp (PID: 7376)
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:08 15:36:35+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 684032
InitializedDataSize: 143360
UninitializedDataSize: -
EntryPoint: 0xa7f98
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 5.60.5.0
ProductVersionNumber: 5.60.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Eon Pro Group Ltd
FileDescription: Nvidia cuda video decode api, version 566.24. nvidia video e
FileVersion: 5.60.5
LegalCopyright: Copyright © 2028 Eon Pro Group Ltd
OriginalFileName: martread+pat-br
ProductName: martread+pat-br
ProductVersion: 5.60.5
No data.
Total processes: 156
Monitored processes: 14
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Process nodes, in the order the graph lists them ("no specs" is the graph's own label for nodes without recorded specifics; #STEALC marks the node tagged with the Stealc detection):
start
securiteinfo.com.win32.malware-gen.23594321.exe
securiteinfo.com.win32.malware-gen.23594321.tmp
securiteinfo.com.win32.malware-gen.23594321.exe
securiteinfo.com.win32.malware-gen.23594321.tmp
fnhotkeyutility.exe
unsecapp.exe (no specs)
unsecapp.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
taskhost.exe (no specs)
helppane.exe (#STEALC)
slui.exe
fnhotkeyutility.exe (no specs)
fnhotkeyutility.exe (no specs)

Process information

PID: 1068
CMD: "C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Malware-gen.23594321.exe"
Path: C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Malware-gen.23594321.exe
Parent process: explorer.exe
User: admin
Company: Eon Pro Group Ltd
Integrity Level: MEDIUM
Description: Nvidia cuda video decode api, version 566.24. nvidia video e
Exit code: 1
Version: 5.60.5
Modules (images):
c:\users\admin\desktop\securiteinfo.com.win32.malware-gen.23594321.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

PID: 4724
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5200
CMD: "C:\ProgramData\9cde36b5-8801-40b4-8ab2-378a2730bd18\FnHotkeyUtility.exe" -Embedding
Path: C:\ProgramData\9cde36b5-8801-40b4-8ab2-378a2730bd18\FnHotkeyUtility.exe
Parent process: svchost.exe
User: admin
Company: Lenovo
Integrity Level: MEDIUM
Description: This utility controls special keyboard functions like hotkeys and function keys, on your Lenovo notebook.
Exit code: 0
Version: 2.0.16.17
Modules (images):
c:\programdata\9cde36b5-8801-40b4-8ab2-378a2730bd18\fnhotkeyutility.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\programdata\9cde36b5-8801-40b4-8ab2-378a2730bd18\spkvol.dll
c:\windows\system32\msvcp_win.dll

PID: 6756
CMD: "cmd.exe" /c start "" C:\Users\admin\taskhost.exe
Path: C:\Windows\System32\cmd.exe
Parent process: FnHotkeyUtility.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 7376
CMD: "C:\Users\admin\AppData\Local\Temp\is-3CS2R.tmp\SecuriteInfo.com.Win32.Malware-gen.23594321.tmp" /SL5="$130324,4880337,828416,C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Malware-gen.23594321.exe" /VERYSILENT /PASSWORD=PLACEHOLDER_PASSWORD
Path: C:\Users\admin\AppData\Local\Temp\is-3CS2R.tmp\SecuriteInfo.com.Win32.Malware-gen.23594321.tmp
Parent process: SecuriteInfo.com.Win32.Malware-gen.23594321.exe
User: admin
Company: Eon Pro Group Ltd
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-3cs2r.tmp\securiteinfo.com.win32.malware-gen.23594321.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

PID: 7392
CMD: "C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Malware-gen.23594321.exe" /VERYSILENT /PASSWORD=PLACEHOLDER_PASSWORD
Path: C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Malware-gen.23594321.exe
Parent process: SecuriteInfo.com.Win32.Malware-gen.23594321.tmp
User: admin
Company: Eon Pro Group Ltd
Integrity Level: MEDIUM
Description: Nvidia cuda video decode api, version 566.24. nvidia video e
Exit code: 0
Version: 5.60.5
Modules (images):
c:\users\admin\desktop\securiteinfo.com.win32.malware-gen.23594321.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll

PID: 7496
CMD: "C:\Windows\helpPane.exe"
Path: C:\Windows\HelpPane.exe
Parent process: taskhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Help and Support
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\helppane.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 7552
CMD: "C:\ProgramData\9cde36b5-8801-40b4-8ab2-378a2730bd18\FnHotkeyUtility.exe" -Embedding
Path: C:\ProgramData\9cde36b5-8801-40b4-8ab2-378a2730bd18\FnHotkeyUtility.exe
Parent process: svchost.exe
User: admin
Company: Lenovo
Integrity Level: MEDIUM
Description: This utility controls special keyboard functions like hotkeys and function keys, on your Lenovo notebook.
Exit code: 0
Version: 2.0.16.17
Modules (images):
c:\programdata\9cde36b5-8801-40b4-8ab2-378a2730bd18\fnhotkeyutility.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\programdata\9cde36b5-8801-40b4-8ab2-378a2730bd18\spkvol.dll

PID: 8052
CMD: C:\Users\admin\taskhost.exe
Path: C:\Users\admin\taskhost.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\taskhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 8396
CMD: "C:\Users\admin\AppData\Local\Temp\is-76R0A.tmp\SecuriteInfo.com.Win32.Malware-gen.23594321.tmp" /SL5="$120324,4880337,828416,C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Malware-gen.23594321.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-76R0A.tmp\SecuriteInfo.com.Win32.Malware-gen.23594321.tmp
Parent process: SecuriteInfo.com.Win32.Malware-gen.23594321.exe
User: admin
Company: Eon Pro Group Ltd
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 1
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-76r0a.tmp\securiteinfo.com.win32.malware-gen.23594321.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

Total events: 5 505
Read events: 4 725
Write events: 780
Delete events: 0

Modification events

All ten entries below share: (PID) Process: (9056) FnHotkeyUtility.exe; Key: HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0; Operation: write
Name: Ex_31 | Value: 0C0103000100
Name: Ex_1A | Value: 0C0103000200
Name: Ex_91 | Value: 0C0103080000
Name: 05 | Value: 0C0103004000
Name: Ex_20 | Value: 0C0103100001
Name: Ex_25 | Value: 0C0103100010
Name: Ex_27 | Value: 0C0103100012
Name: Ex_1B | Value: 0C0103100018
Name: Ex_99 | Value: 0C010310002D
Name: Ex_9A | Value: 0C010310002E
Executable files: 17
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type (each row is followed by its MD5 and SHA256)
PID 7392 | SecuriteInfo.com.Win32.Malware-gen.23594321.exe | C:\Users\admin\AppData\Local\Temp\is-3CS2R.tmp\SecuriteInfo.com.Win32.Malware-gen.23594321.tmp | executable
MD5: A1FAFB4891F774ED6B28FBB252248C52 | SHA256: 59453C9B443C47091A8002B6FE216D27DACCBD7F9D0D62882A97BC104EDBA508
PID 1068 | SecuriteInfo.com.Win32.Malware-gen.23594321.exe | C:\Users\admin\AppData\Local\Temp\is-76R0A.tmp\SecuriteInfo.com.Win32.Malware-gen.23594321.tmp | executable
MD5: A1FAFB4891F774ED6B28FBB252248C52 | SHA256: 59453C9B443C47091A8002B6FE216D27DACCBD7F9D0D62882A97BC104EDBA508
PID 7376 | SecuriteInfo.com.Win32.Malware-gen.23594321.tmp | C:\ProgramData\9cde36b5-8801-40b4-8ab2-378a2730bd18\is-DNBF6.tmp | executable
MD5: AC01B1EFE9BDD6C127BCB489765E935D | SHA256: 2728E26AF764A64DD31F6DF20BAD9CE68F27A1C54628ABF7353A62F5E67A9DFF
PID 7376 | SecuriteInfo.com.Win32.Malware-gen.23594321.tmp | C:\ProgramData\9cde36b5-8801-40b4-8ab2-378a2730bd18\FnHotkeyUtility.exe | executable
MD5: AC01B1EFE9BDD6C127BCB489765E935D | SHA256: 2728E26AF764A64DD31F6DF20BAD9CE68F27A1C54628ABF7353A62F5E67A9DFF
PID 7376 | SecuriteInfo.com.Win32.Malware-gen.23594321.tmp | C:\ProgramData\9cde36b5-8801-40b4-8ab2-378a2730bd18\is-S2PEC.tmp | executable
MD5: 084F247502E6054ADA4A65A8935A4396 | SHA256: A62F73B7CEF738EBD9963744665AA85772B428AEF214F07F8112FF3816B09241
PID 7376 | SecuriteInfo.com.Win32.Malware-gen.23594321.tmp | C:\ProgramData\9cde36b5-8801-40b4-8ab2-378a2730bd18\ludp.dll | executable
MD5: 084F247502E6054ADA4A65A8935A4396 | SHA256: A62F73B7CEF738EBD9963744665AA85772B428AEF214F07F8112FF3816B09241
PID 8396 | SecuriteInfo.com.Win32.Malware-gen.23594321.tmp | C:\Users\admin\AppData\Local\Temp\is-A02GA.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4 | SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
PID 7376 | SecuriteInfo.com.Win32.Malware-gen.23594321.tmp | C:\Users\admin\AppData\Local\Temp\is-A5TL6.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4 | SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
PID 7376 | SecuriteInfo.com.Win32.Malware-gen.23594321.tmp | C:\ProgramData\9cde36b5-8801-40b4-8ab2-378a2730bd18\is-D6JSK.tmp | executable
MD5: 990A590EB079F420946FDE91975798B9 | SHA256: A68A9AC35AA1E183FE3BD9E7144259631530DB07502112A339E5E1C8DCCC9A31
PID 7376 | SecuriteInfo.com.Win32.Malware-gen.23594321.tmp | C:\ProgramData\9cde36b5-8801-40b4-8ab2-378a2730bd18\vcruntime140_1.dll | executable
MD5: F17586DB47571622455A6F57FECDDA53 | SHA256: E30874CEAF6B8DFE72BA67E5C1F21027D79CB3A873A32EB12C5ED89BFA660D1F
HTTP(S) requests: 16
TCP/UDP connections: 20
DNS requests: 9
Threats: 4

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | CN | Type | Size | Reputation (the URL follows on the next line; rows with a 304 response record no type or size)
PID 7588 | RUXIMICS.exe | GET | 304 | 20.73.194.208:443 | US | whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop
PID 6768 | MoUsoCoreWorker.exe | GET | 304 | 20.73.194.208:443 | US | whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
PID 7588 | RUXIMICS.exe | GET | 200 | 184.24.77.37:80 | NL | binary | 825 b | whitelisted
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
PID 6768 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.37:80 | NL | binary | 825 b | whitelisted
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
PID 7428 | svchost.exe | GET | 200 | 184.24.77.37:80 | NL | binary | 825 b | whitelisted
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
PID 7428 | svchost.exe | GET | 200 | 20.73.194.208:443 | US | text | 5.66 Kb | whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
PID 5208 | slui.exe | POST | 500 | 128.24.231.64:443 | US | xml | 512 b | whitelisted
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
PID 7496 | HelpPane.exe | POST | 200 | 196.251.107.23:80 | GB | text | 72 b | unknown
URL: http://196.251.107.23/04ca1421433e0038.php
PID 3292 | svchost.exe | GET | 200 | 88.221.169.152:80 | US | binary | 814 b | whitelisted
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
(PID and process not listed) | POST | 500 | 48.192.1.65:443 | US | xml | 512 b | unknown
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
PID 7588 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 4 | System | 192.168.100.255:137 | Not routed | whitelisted
PID 6768 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 7428 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(PID and process not listed) | 2.16.241.219:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
PID 4 | System | 192.168.100.255:138 | Not routed | whitelisted
PID 7588 | RUXIMICS.exe | 184.24.77.37:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
PID 6768 | MoUsoCoreWorker.exe | 184.24.77.37:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
PID 7428 | svchost.exe | 184.24.77.37:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
PID 6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Columns: Domain, then the resolved IPs as bullets, then Reputation
www.bing.com
  • 2.16.241.219
  • 2.16.241.216
  • 2.16.241.206
  • 2.16.241.205
  • 2.16.241.218
  • 2.16.241.221
  • 2.16.241.207
  • 2.16.241.212
  • 2.16.241.208
whitelisted
self.events.data.microsoft.com
  • 51.132.193.105
  • 52.182.143.215
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.35
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
activation-v2.sls.microsoft.com
  • 128.24.231.64
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted

Threats

Columns: PID | Process | Class | Message
PID 7496 | HelpPane.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 42
PID 7496 | HelpPane.exe | Malware Command and Control Activity Detected | ET MALWARE StealC_V2 CnC Activity (POST)
PID 7496 | HelpPane.exe | Malware Command and Control Activity Detected | ET MALWARE StealC CnC Activity (POST)
PID 7496 | HelpPane.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Stealc stealer activity observed
No debug info