File name:

SecuriteInfo.com.Win32.Malware-gen.27220.24133

Full analysis: https://app.any.run/tasks/32a8fc92-b990-4d8d-94a4-f2210e646814
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 16, 2024, 17:20:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

FF83471CE09EBBE0DA07D3001644B23C

SHA1:

672AA37F23B421E4AFBA46218735425F7ACC29C2

SHA256:

9E7BF4B2BD7F30EA9D9DCA6BC80D28C5B43202DF1477A4D46F695E096DCE17BA

SSDEEP:

49152:Z1y2RQpXlIrayMoYSbjhbMB/48C73hXWD05LyP/JAyRY3CfPqniuLwzJxxDeIImN:Zg2CVO1Mmue5azP/SFeynimyJvOm7PgA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Antivirus name has been found in the command line (generic signature)

      • findstr.exe (PID: 6584)
      • findstr.exe (PID: 6692)

    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 7020)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe (PID: 6416)
      • Optimum.pif (PID: 6800)
      • cmd.exe (PID: 6460)

    • Starts CMD.EXE for commands execution

      • SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe (PID: 6416)
      • cmd.exe (PID: 6460)

    • Reads the date of Windows installation

      • SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe (PID: 6416)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6460)

    • Get information on the list of running processes

      • cmd.exe (PID: 6460)

    • Reads security settings of Internet Explorer

      • SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe (PID: 6416)

    • Executing commands from ".cmd" file

      • SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe (PID: 6416)

    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 6460)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6460)

    • Application launched itself

      • cmd.exe (PID: 6460)

    • Starts a Microsoft application from unusual location

      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 7032)

    • The process creates files with name similar to system file names

      • Optimum.pif (PID: 6800)

    • Process drops legitimate windows executable

      • Optimum.pif (PID: 6800)

    • Executable content was dropped or overwritten

      • Optimum.pif (PID: 6800)
      • cmd.exe (PID: 6460)

    • The executable file from the user directory is run by the CMD process

      • Optimum.pif (PID: 6800)

    • Connects to unusual port

      • RegAsm.exe (PID: 7020)

  • INFO

    • Checks supported languages

      • SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe (PID: 6416)
      • Optimum.pif (PID: 6800)
      • RegAsm.exe (PID: 7020)

    • Process checks computer location settings

      • SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe (PID: 6416)

    • Create files in a temporary directory

      • SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe (PID: 6416)
      • Optimum.pif (PID: 6800)

    • Reads the computer name

      • SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe (PID: 6416)
      • Optimum.pif (PID: 6800)
      • RegAsm.exe (PID: 7020)

    • Reads mouse settings

      • Optimum.pif (PID: 6800)

    • Manual execution by a user

      • RegAsm.exe (PID: 7020)
      • RegAsm.exe (PID: 7032)

    • Creates files or folders in the user directory

      • RegAsm.exe (PID: 7020)

    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 7020)

    • Reads Environment values

      • RegAsm.exe (PID: 7020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:20:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 29696
InitializedDataSize: 489984
UninitializedDataSize: 16896
EntryPoint: 0x38af
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.196.9.15514
ProductVersionNumber: 2.196.9.15514
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Data encryption and security
CompanyName: SecureLogic Systems
FileDescription: Data encryption and security
FileVersion: 2.0196.9.605338
LegalCopyright: Copyright © SecureLogic Systems 2022 All rights reserved.
LegalTrademarks: CipherSync is a trademark of SecureLogic Systems
ProductName: CipherSync
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
14
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start securiteinfo.com.win32.malware-gen.27220.24133.exe cmd.exe conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs optimum.pif choice.exe no specs regasm.exe no specs regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
6416"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe" C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe
explorer.exe
User:
admin
Company:
SecureLogic Systems
Integrity Level:
MEDIUM
Description:
Data encryption and security
Exit code:
0
Version:
2.0196.9.605338
Modules
Images
c:\users\admin\appdata\local\temp\securiteinfo.com.win32.malware-gen.27220.24133.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6460"C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exitC:\Windows\SysWOW64\cmd.exe
SecuriteInfo.com.Win32.Malware-gen.27220.24133.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6476\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6568tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6584findstr /I "wrsa.exe opssvc.exe" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6684tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6692findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6740cmd /c md 719580C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6760findstr /V "copehebrewinquireinnocent" Corpus C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6780cmd /c copy /b ..\Utilize + ..\Verzeichnis + ..\Built + ..\Vessels + ..\Cradle + ..\Jaguar + ..\Comics + ..\Flux + ..\Liberal f C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
5 024
Read events
5 016
Write events
8
Delete events
0

Modification events

(PID) Process:(6416) SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6416) SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6416) SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6416) SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
2
Suspicious files
12
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
6780cmd.exeC:\Users\admin\AppData\Local\Temp\719580\fbinary
MD5:43CA848D3A9EE13623E355D9EE71B515
SHA256:3D4000A64C1B7BE8FCEFE59E8F39F1AE12EF1FCD9D30A39158F83B26EE189831
6416SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeC:\Users\admin\AppData\Local\Temp\Comicsbinary
MD5:4A3AAB84DBFDAF25AE909AC736489F4B
SHA256:2CAA4849A4353CA50DFDBC860412E95B783FDCC7E60D8756C9B4BDF2915E1923
6416SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeC:\Users\admin\AppData\Local\Temp\Fluxbinary
MD5:523FEA93BBF3F0B9DDD4D1A432B624C9
SHA256:F4E881EA8495C993E2F008E9B5FC082BC2CEA97812FE944DDA293F3B02FB60B0
6416SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeC:\Users\admin\AppData\Local\Temp\Utilizebinary
MD5:4BB39F0BCE8A4F7B640BA76ECCCAF87B
SHA256:96AF995B201E5392293F2D7272B1C9A3F0EB671D62AEAFFFB4B0BBBFED0E3560
6460cmd.exeC:\Users\admin\AppData\Local\Temp\Surrey.cmdtext
MD5:721CDE52D197DA4629A6792103404E23
SHA256:66627EEF98FB038F1D22F620BC8D85430A442D08313602EB02F0B158B5471812
6416SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeC:\Users\admin\AppData\Local\Temp\Vesselsbinary
MD5:D64EF3BBCCA2C221C0BCC85A7B6D5209
SHA256:C8C35545936FAA3B0E00AA1B907952E97FFFD9C1958045253863B4C2FAD7F295
6800Optimum.pifC:\Users\admin\AppData\Local\Temp\719580\RegAsm.exeexecutable
MD5:0AEA1B49AEDB6C7BF4805DD5054DC0F7
SHA256:BD02B877C14DDC1E2DB118F32730B73B2E5AE792A84AC48F28957BEAFF2B83F9
6416SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeC:\Users\admin\AppData\Local\Temp\Corpusbinary
MD5:148FEBC94E0F8036A074350EF338B007
SHA256:849892BC358956EE263DB6CBDDD4A9CCA0E1564D6CAEFE44E2E998D559E610A0
6416SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeC:\Users\admin\AppData\Local\Temp\Foldingbinary
MD5:67FF730B62D42030058393AB3F0DAFD1
SHA256:95D53427EF46FB44354A0253A611E342A30428101ACAF83215F5B21432AFBFF1
6416SecuriteInfo.com.Win32.Malware-gen.27220.24133.exeC:\Users\admin\AppData\Local\Temp\Jaguarbinary
MD5:FDADAC1C5944E618315F608AD2F02714
SHA256:49687025DCE701973B47FB6CABA71F1443471E64551F41967A6A3275CE1E93D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
45
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3276
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7116
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7088
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
752
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4788
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:138
whitelisted
4788
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5336
SearchApp.exe
104.126.37.128:443
www.bing.com
Akamai International B.V.
DE
unknown
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3276
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.78
whitelisted
PdvZAJjtltegTAllAQLr.PdvZAJjtltegTAllAQLr
unknown
www.bing.com
  • 104.126.37.128
  • 104.126.37.131
  • 104.126.37.155
  • 104.126.37.137
  • 104.126.37.153
  • 104.126.37.160
  • 104.126.37.145
  • 104.126.37.144
  • 104.126.37.130
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.115.3.253
whitelisted
login.live.com
  • 20.190.159.23
  • 40.126.31.73
  • 20.190.159.2
  • 40.126.31.71
  • 40.126.31.69
  • 20.190.159.73
  • 20.190.159.75
  • 20.190.159.0
whitelisted
th.bing.com
  • 2.23.209.160
  • 2.23.209.187
  • 2.23.209.181
  • 2.23.209.182
  • 2.23.209.177
  • 2.23.209.185
  • 2.23.209.179
  • 2.23.209.189
  • 2.23.209.176
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Win32.Malware-gen.27220.24133