| File name: | RDPAccessorV4.exe |
| Full analysis: | https://app.any.run/tasks/191ae40b-7fb2-4123-b3de-38d5218d2904 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 20, 2024, 14:58:59 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 56A579CB88EB4BB93A45B163AB9825D8 |
| SHA1: | 5C47A2FBA8F9CA7AA9490C76E291A9B2E54C011E |
| SHA256: | C477B037E8FE3AB68B4C1DA6F9BFE01E9EA818A5B4F94ED9E2757E25035BE06D |
| SSDEEP: | 98304:sQI0Qwo+UmrVkoMFhtRJ90BaZi/f11Osg1I9NL0wpGgSoE1F01IcHm28RbAHkQ8r:+Jf8qEsy03ml4TxiDC1SqOCjTsZ |
MALICIOUS
Drops the executable file immediately after the start
- RDPAccessorV4.exe (PID: 3332)
- RDPAccessorV4.exe (PID: 3824)
Steals credentials from Web Browsers
- Stepasha.exe (PID: 3264)
Actions looks like stealing of personal data
- Stepasha.exe (PID: 3264)
Steals credentials
- Stepasha.exe (PID: 3264)
- WinRAR.exe (PID: 2128)
SUSPICIOUS
Reads security settings of Internet Explorer
- RDPAccessorV4.exe (PID: 3332)
Reads the Internet Settings
- RDPAccessorV4.exe (PID: 3332)
- Stepasha.exe (PID: 3264)
Executable content was dropped or overwritten
- RDPAccessorV4.exe (PID: 3332)
- RDPAccessorV4.exe (PID: 3824)
Reads browser cookies
- Stepasha.exe (PID: 3264)
Loads DLL from Mozilla Firefox
- Stepasha.exe (PID: 3264)
Start notepad (likely ransomware note)
- WinRAR.exe (PID: 2128)
Checks for external IP
- Stepasha.exe (PID: 3264)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- Stepasha.exe (PID: 3264)
Reads settings of System Certificates
- Stepasha.exe (PID: 3264)
INFO
Checks supported languages
- RDPAccessorV4.exe (PID: 3332)
- Stepasha.exe (PID: 3264)
- MotherRussia.exe (PID: 3412)
- RDPAccessorV4.exe (PID: 3824)
- MotherRussia.exe (PID: 840)
Reads the computer name
- RDPAccessorV4.exe (PID: 3332)
- Stepasha.exe (PID: 3264)
- MotherRussia.exe (PID: 3412)
- MotherRussia.exe (PID: 840)
- RDPAccessorV4.exe (PID: 3824)
Create files in a temporary directory
- RDPAccessorV4.exe (PID: 3332)
- Stepasha.exe (PID: 3264)
- RDPAccessorV4.exe (PID: 3824)
Reads the machine GUID from the registry
- RDPAccessorV4.exe (PID: 3332)
- Stepasha.exe (PID: 3264)
- MotherRussia.exe (PID: 3412)
- MotherRussia.exe (PID: 840)
- RDPAccessorV4.exe (PID: 3824)
Disables trace logs
- Stepasha.exe (PID: 3264)
Reads Environment values
- Stepasha.exe (PID: 3264)
Manual execution by a user
- chrome.exe (PID: 3096)
- WinRAR.exe (PID: 2128)
- explorer.exe (PID: 2860)
- MotherRussia.exe (PID: 840)
- RDPAccessorV4.exe (PID: 3824)
- iexplore.exe (PID: 2264)
Reads CPU info
- Stepasha.exe (PID: 3264)
Reads the software policy settings
- Stepasha.exe (PID: 3264)
Drops the executable file immediately after the start
- chrome.exe (PID: 2860)
Creates files or folders in the user directory
- Stepasha.exe (PID: 3264)
Executable content was dropped or overwritten
- chrome.exe (PID: 2860)
Application launched itself
- iexplore.exe (PID: 2264)
- chrome.exe (PID: 3096)
Reads Microsoft Office registry keys
- chrome.exe (PID: 2672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (45.1) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (19.2) |
| .exe | | | Win64 Executable (generic) (17) |
| .scr | | | Windows screen saver (8) |
| .dll | | | Win32 Dynamic Link Library (generic) (4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:06:08 13:28:16+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 9217024 |
| InitializedDataSize: | 174592 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x8cc21e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 0.0.0.0 |
| InternalName: | payload.exe |
| LegalCopyright: | |
| OriginalFileName: | payload.exe |
| ProductVersion: | 0.0.0.0 |
| AssemblyVersion: | 0.0.0.0 |
Total processes
75
Monitored processes
35
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 660 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3848 --field-trial-handle=1128,i,1188657322712856800,8820499554135455899,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 840 | "C:\Users\admin\AppData\Local\Temp\MotherRussia.exe" | C:\Users\admin\AppData\Local\Temp\MotherRussia.exe | — | explorer.exe | |||||||||||
User: admin Company: [ RDP-ACCESSOR V4 ] - [ by k3rnel-dev ] Integrity Level: MEDIUM Description: [ RDP-ACCESSOR V4 ] - [ by k3rnel-dev ] Version: 3.3.0.1 Modules
| |||||||||||||||
| 1020 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3812 --field-trial-handle=1128,i,1188657322712856800,8820499554135455899,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1672 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=3740 --field-trial-handle=1128,i,1188657322712856800,8820499554135455899,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1852 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1996 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3868 --field-trial-handle=1128,i,1188657322712856800,8820499554135455899,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 2008 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1304 --field-trial-handle=1128,i,1188657322712856800,8820499554135455899,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Version: 109.0.5414.120 Modules
| |||||||||||||||
| 2128 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\DE[06-20-2024]-181.214.173.105-admin.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2196 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1436 --field-trial-handle=1128,i,1188657322712856800,8820499554135455899,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Version: 109.0.5414.120 Modules
| |||||||||||||||
| 2260 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3752 --field-trial-handle=1128,i,1188657322712856800,8820499554135455899,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
Total events
43 427
Read events
43 064
Write events
321
Delete events
42
Modification events
| (PID) Process: | (3332) RDPAccessorV4.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3332) RDPAccessorV4.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3332) RDPAccessorV4.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3332) RDPAccessorV4.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3264) Stepasha.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stepasha_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (3264) Stepasha.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stepasha_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (3264) Stepasha.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stepasha_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (3264) Stepasha.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stepasha_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (3264) Stepasha.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stepasha_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (3264) Stepasha.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stepasha_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
Executable files
6
Suspicious files
101
Text files
33
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3264 | Stepasha.exe | C:\Users\admin\AppData\Local\Temp\tmpEC31.tmp.tmpdb | — | |
MD5:— | SHA256:— | |||
| 3096 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF52b9b.TMP | — | |
MD5:— | SHA256:— | |||
| 3096 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 3332 | RDPAccessorV4.exe | C:\Users\admin\AppData\Local\Temp\Stepasha.exe | executable | |
MD5:365BF209A1D5EB01EB38586C51F47817 | SHA256:BB72A4C76034BD0B757B6A1E0C8265868563D11271A22D4AE26CB9FE3584A07D | |||
| 3264 | Stepasha.exe | C:\Users\admin\AppData\Local\Temp\tmpEC32.tmp.dat | sqlite | |
MD5:F47EB60CDF981C17722D0CE740129927 | SHA256:0210071DF12CA42D70DCB679926668AE072264705AC139A24F94BBC5A129DD8F | |||
| 3264 | Stepasha.exe | C:\Users\admin\AppData\Local\Temp\tmpED2D.tmp.dat | binary | |
MD5:52E51471E9281235323F633CD0DEA56C | SHA256:147F3137B387FE4FBE3215B7864568404580A799D031009FE9C718F4C2EF87D0 | |||
| 3332 | RDPAccessorV4.exe | C:\Users\admin\AppData\Local\Temp\MotherRussia.exe | executable | |
MD5:08C3CB87AA0BF981A3503C116A952B04 | SHA256:AE25ED76F7AA901495537C2600BF149F6A56A42F28DC8FC9C6ED6C802CE0422E | |||
| 3264 | Stepasha.exe | C:\Users\admin\AppData\Local\44_23\Passwords.txt | text | |
MD5:A37DD22710F86F9D5C6809086C5A4AB6 | SHA256:185E064F80DD71863EE5E1B224ECC21EC30B9CFBF0BC24891AFDB1CB8A05A29B | |||
| 3264 | Stepasha.exe | C:\Users\admin\AppData\Local\Temp\tmpED7D.tmp.tmpdb | binary | |
MD5:23D08A78BC908C0B29E9800D3D5614E7 | SHA256:F6BD7DF5DFAE9FD88811A807DBA14085E00C1B5A6D7CC3D06CC68F6015363D59 | |||
| 3264 | Stepasha.exe | C:\Users\admin\AppData\Local\Temp\tmpED5D.tmp.dat | sqlite | |
MD5:F47EB60CDF981C17722D0CE740129927 | SHA256:0210071DF12CA42D70DCB679926668AE072264705AC139A24F94BBC5A129DD8F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
34
DNS requests
38
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3264 | Stepasha.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml/ | unknown | — | — | unknown |
844 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/k4ldha5kevpu7qn7k4s3mznvgu_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win32_ad2kbvs6jks3au5dsxn7cqflsiiq.crx3 | unknown | — | — | unknown |
844 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/k4ldha5kevpu7qn7k4s3mznvgu_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win32_ad2kbvs6jks3au5dsxn7cqflsiiq.crx3 | unknown | — | — | unknown |
844 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/k4ldha5kevpu7qn7k4s3mznvgu_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win32_ad2kbvs6jks3au5dsxn7cqflsiiq.crx3 | unknown | — | — | unknown |
1372 | svchost.exe | GET | 304 | 95.101.63.90:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 96.17.66.27:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 95.101.63.66:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
1060 | svchost.exe | GET | 304 | 95.101.63.90:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | — | — | unknown |
844 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/k4ldha5kevpu7qn7k4s3mznvgu_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win32_ad2kbvs6jks3au5dsxn7cqflsiiq.crx3 | unknown | — | — | unknown |
844 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/k4ldha5kevpu7qn7k4s3mznvgu_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win32_ad2kbvs6jks3au5dsxn7cqflsiiq.crx3 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3264 | Stepasha.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown |
3096 | chrome.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1372 | svchost.exe | 95.101.63.90:80 | ctldl.windowsupdate.com | Akamai International B.V. | GB | unknown |
3476 | chrome.exe | 142.250.181.227:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted |
1372 | svchost.exe | 95.101.63.66:80 | crl.microsoft.com | Akamai International B.V. | GB | unknown |
3476 | chrome.exe | 142.251.31.84:443 | accounts.google.com | GOOGLE | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ip-api.com |
| shared |
settings-win.data.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
accounts.google.com |
| shared |
www.microsoft.com |
| whitelisted |
www.google.com |
| whitelisted |
api.telegram.org |
| shared |
update.googleapis.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3264 | Stepasha.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
3264 | Stepasha.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
1060 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
3264 | Stepasha.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
3476 | chrome.exe | Misc activity | ET INFO Public File Sharing Service Domain in DNS Lookup (bashupload .com) |
3476 | chrome.exe | Misc activity | ET INFO Public File Sharing Service Domain in DNS Lookup (bashupload .com) |
3476 | chrome.exe | Misc activity | ET INFO Observed Public File Sharing Service Domain (bashupload .com in TLS SNI) |
3476 | chrome.exe | Misc activity | ET INFO Observed Public File Sharing Service Domain (bashupload .com in TLS SNI) |
3476 | chrome.exe | Misc activity | ET INFO Observed Public File Sharing Service Domain (bashupload .com in TLS SNI) |