File name: VsTelemetry.7z

Full analysis: https://app.any.run/tasks/d7cb433f-a5b2-469b-a2ef-69b26f0cc987
Verdict: Malicious activity
Analysis date: June 27, 2022, 13:05:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: cobalt
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 0EFCEAECE847C3CBD141293AC42A11C9
SHA1: 0DD818A2AC5F9FED7D12317BC57C0B91E664556F
SHA256: C4A4DC81ABC724D5A8C003746A095DB746CF3F83B64623144AAF2B20DAAF787F
SSDEEP: 6144:Xd5mlPjbXM3jxXIvtcBVMDbqpw8FtaYeu/wYX/+YfFlFZcyVdHEJ0eoHrBWHeW4V:tM4jx4vtcXaY/NlFZdVNEt26pzdo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2940)
    • Application was dropped or rewritten from another process

      • safenotes.exe (PID: 2696)
      • safenotes.exe (PID: 1624)
      • safenotes.exe (PID: 1980)
    • Loads dropped or rewritten executable

      • safenotes.exe (PID: 2696)
      • safenotes.exe (PID: 1624)
      • Explorer.EXE (PID: 1376)
      • safenotes.exe (PID: 1980)
    • COBALT detected by memory dumps

      • esentutl.exe (PID: 2776)
      • esentutl.exe (PID: 2172)
      • esentutl.exe (PID: 3072)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2940)
      • safenotes.exe (PID: 2696)
      • safenotes.exe (PID: 1624)
      • safenotes.exe (PID: 1980)
      • notepad++.exe (PID: 3664)
    • Reads the computer name

      • WinRAR.exe (PID: 2940)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2940)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2940)
  • INFO

    • Manual execution by user

      • safenotes.exe (PID: 2696)
      • safenotes.exe (PID: 1624)
      • taskmgr.exe (PID: 2988)
      • notepad++.exe (PID: 3664)
    • Reads the computer name

      • esentutl.exe (PID: 2776)
      • taskmgr.exe (PID: 2988)
      • esentutl.exe (PID: 2172)
      • esentutl.exe (PID: 3072)
    • Checks supported languages

      • esentutl.exe (PID: 2776)
      • taskmgr.exe (PID: 2988)
      • esentutl.exe (PID: 2172)
      • esentutl.exe (PID: 3072)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Cobalt Strike

Beacon configuration recovered from the memory dumps of esentutl.exe PIDs 2776, 2172 and 3072. All three dumps carry the same configuration, so it is listed once.

BeaconType: HTTPS
Port: 443
SleepTime: 63000
MaxGetSize: 1398439
Jitter: 30
PublicKey:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY-----
C2 (1): weather.decsal.com/service/weather/overview
DNS_strategy: round-robin
DNS_strategy_rotate_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_fail_seconds: -1
SpawnTo: 00000000000000000000000000000000
Spawnto_x86: %windir%\syswow64\chkdsk.exe
Spawnto_x64: %windir%\sysnative\chkdsk.exe
CryptoScheme: 0
HttpGet_Verb: GET
HttpPost_Verb: POST
HttpPostChunk: 0
Watermark: 426352781
bStageCleanup: True
bCFGCaution: False
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
HttpPostUri: /query/weather/location
Malleable_C2_Instructions: Remove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode
HttpGet_Metadata:
  ConstHeaders (7):
    Content-Type: text/html;charset=UTF-8
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Content-Encoding: gzip, deflate, br
    Access-Control-Allow-Credentials: true
    X-AS-SuppressSetCookie: 1
    Connection: close
  SessionId (2): base64url; parameter: apikey
HttpPost_Metadata:
  ConstHeaders (3):
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Connection: close
  SessionId (2): base64url; parameter: appid
  Output (4): base64; prepend (truncated in the report):
    {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc...
    append: "}}}}}
    print
bUsesCookies: 0000
Proxy_Behavior: Use IE settings
tcpFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate: 0-0-0
bProcInject_StartRWX: True
bProcInject_UseRWX: True
bProcInject_MinAllocSize: 0
ProcInject_PrependAppend_x86 (truncated in the report): 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64 (truncated in the report): 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stub: a49f5445f01a9f3240eea9e46ee66c81
ProcInject_AllocationMethod: VirtualAllocEx
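The configuration above is enough to both decode this beacon's traffic and write a request-side detection for it. The Malleable_C2_Instructions line is the inverse of the server's output transform for GET responses (the beacon strips 329 leading bytes and 1 trailing byte, then base64-decodes), HttpGet_Metadata and HttpPost_Metadata describe the client side (session id base64url-encoded in the apikey or appid query parameter, constant request headers, and for POST the base64 output wrapped in the fake geoip JSON). The following Python is an added example written for this page; it is not ANY.RUN's code and not part of the report. Host, URIs, parameter names, User-Agent, headers, the visible start of the prepend string, the append string and the transform offsets come from the extracted config; the sample messages are constructed, and because the prepend is truncated in the report, SAMPLE_PREPEND_TAIL is an assumed stand-in for its missing end.

```python
"""Decode and flag traffic shaped by the Malleable C2 profile in the beacon config above.

Added example for this page; not ANY.RUN's code and not part of the report.
Profile values come from the extracted configuration. The HTTP messages built
by the helpers are constructed for the demonstration; the real prepend string
is truncated in the report, so SAMPLE_PREPEND_TAIL is an assumed stand-in.
"""
import base64
from urllib.parse import parse_qs, urlparse

C2_HOST = "weather.decsal.com"
GET_URI = "/service/weather/overview"   # C2 (1)
POST_URI = "/query/weather/location"    # HttpPostUri
GET_SESSION_PARAM = "apikey"            # HttpGet_Metadata SessionId: base64url in this query parameter
POST_SESSION_PARAM = "appid"            # HttpPost_Metadata SessionId: base64url in this query parameter
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36")
# HttpGet_Metadata describes the client side of the profile, so its ConstHeaders
# ride in the beacon's own GET requests. These three are response-style headers
# no browser puts in a request, which makes them a cheap request-side tell.
ODD_REQUEST_HEADERS = {
    "content-encoding": "gzip, deflate, br",
    "access-control-allow-credentials": "true",
    "x-as-suppresssetcookie": "1",
}
# Start of the HttpPost_Metadata prepend string exactly as recorded in the report.
POST_PREPEND_HEAD = ('{"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium",'
                     '"city":"Brussels","province":"","postal_code":null}')
# Assumption: the truncated prepend ends by opening a JSON string value that the
# base64 output fills and that the recorded append then closes.
SAMPLE_PREPEND_TAIL = ',"identity":"'
POST_APPEND = '"}}}}}'
# Malleable_C2_Instructions ("Remove 1 bytes at the end, Remove 329 bytes from
# the beginning, Base64 decode") is what the beacon applies to each GET response.
RESP_STRIP_HEAD = 329
RESP_STRIP_TAIL = 1


def b64url_decode(text: str) -> bytes:
    """Session metadata is base64url; the beacon omits padding, so restore it."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_task_response(body: bytes) -> bytes:
    """Undo the server output transform the same way the beacon does."""
    if len(body) < RESP_STRIP_HEAD + RESP_STRIP_TAIL:
        raise ValueError("response shorter than the fixed prepend/append")
    inner = body[RESP_STRIP_HEAD:len(body) - RESP_STRIP_TAIL]
    return base64.b64decode(inner, validate=True)


def build_sample_task_response(task: bytes) -> bytes:
    """Constructed server side: 329 bytes of cover text, base64 task, one trailing byte."""
    cover = (b'{"weather":"overcast"}' * 20)[:RESP_STRIP_HEAD]  # filler, not the real wrapper
    return cover + base64.b64encode(task) + b"\n"


def extract_post_output(body: str) -> bytes:
    """Strip the JSON wrapper from a POST body and return the raw beacon output."""
    if not (body.startswith(POST_PREPEND_HEAD) and body.endswith(POST_APPEND)):
        raise ValueError("body does not carry the profile's prepend/append")
    core = body[:-len(POST_APPEND)]
    payload = core[core.rfind('"') + 1:]   # the last JSON string value holds the base64 output
    return base64.b64decode(payload, validate=True)


def build_sample_post_body(output: bytes) -> str:
    """Constructed client side of Output (4): base64, prepend, append, print."""
    return POST_PREPEND_HEAD + SAMPLE_PREPEND_TAIL + base64.b64encode(output).decode() + POST_APPEND


def match_request(method: str, url: str, headers: dict, body: str = "") -> list:
    """Return the profile indicators one HTTP request matches (empty list = none)."""
    u = urlparse(url)
    query = parse_qs(u.query)
    hdr = {k.lower(): v for k, v in headers.items()}
    hits = []
    if u.hostname == C2_HOST:
        hits.append("c2-host")
    if hdr.get("user-agent") == USER_AGENT:
        hits.append("profile-user-agent")
    if sum(hdr.get(k) == v for k, v in ODD_REQUEST_HEADERS.items()) >= 2:
        hits.append("response-style-request-headers")
    if method == "GET" and u.path == GET_URI and GET_SESSION_PARAM in query:
        hits.append("get-session-metadata")
    if (method == "POST" and u.path == POST_URI and POST_SESSION_PARAM in query
            and body.startswith(POST_PREPEND_HEAD)):
        hits.append("post-output")
    return hits


def callback_window_seconds(sleep_ms: int = 63000, jitter_pct: int = 30) -> tuple:
    """Beacon shortens each sleep by a random share of up to jitter_pct, so with
    this config check-ins arrive between 44.1 s and 63 s apart."""
    return (sleep_ms * (100 - jitter_pct) / 100 / 1000, sleep_ms / 1000)
```

The host and User-Agent indicators are the easiest to rotate, so the durable parts of `match_request` are the URI plus session-parameter shape and the response-style headers in a request; pair them with the 44 to 63 second check-in window from `callback_window_seconds` when hunting for periodic GETs in proxy logs. `decode_task_response` only removes the profile wrapper; what comes out is still encrypted beacon task data, which needs the session key, not the RSA public key shown above.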
TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

All screenshots are available in the full report

Total processes: 49
Monitored processes: 10
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Nodes shown in the graph (see the full report for the interactive view): start, winrar.exe, safenotes.exe (no specs), esentutl.exe (#COBALT), safenotes.exe (no specs), esentutl.exe (#COBALT), notepad++.exe, taskmgr.exe (no specs), explorer.exe (no specs), safenotes.exe (no specs), esentutl.exe (#COBALT)

Process information

PID 1376
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\Explorer.EXE
Parent process: not listed in the report
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID 1624
CMD: "C:\Users\admin\Desktop\VsTelemetry\safenotes.exe"
Path: C:\Users\admin\Desktop\VsTelemetry\safenotes.exe
Parent process: Explorer.EXE
User: admin
Company: Siber Systems
Integrity Level: MEDIUM
Description: RoboForm Safenote Editor
Exit code: 0
Version: 6-9-3
Modules (Images):
c:\users\admin\desktop\vstelemetry\safenotes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\vstelemetry\roboform.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sechost.dll

PID 1980
CMD: "C:\Users\admin\Desktop\VsTelemetry\safenotes.exe"
Path: C:\Users\admin\Desktop\VsTelemetry\safenotes.exe
Parent process: Explorer.EXE
User: admin
Company: Siber Systems
Integrity Level: MEDIUM
Description: RoboForm Safenote Editor
Exit code: 0
Version: 6-9-3
Modules (Images):
c:\users\admin\desktop\vstelemetry\safenotes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\vstelemetry\roboform.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID 2172
CMD: esentutl.exe
Path: C:\Windows\system32\esentutl.exe
Parent process: safenotes.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll
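The process table gives the endpoint-side chain: a legitimately named RoboForm editor (safenotes.exe) running from the user's Desktop loads roboform.dll from the same directory, then starts esentutl.exe with no arguments, and that esentutl.exe (which also loads wininet.dll, unusual for an offline database tool) is where the beacon is found; the config's Spawnto values say chkdsk.exe would be the parent for post-exploitation jobs. The Python below is an added example written for this page, not ANY.RUN's code. It runs a few process-tree and image-load rules over events constructed in a Sysmon-like shape (EventID 1 for process creation, EventID 7 for image load) from the table above; the chkdsk.exe event and its PID 4444 are hypothetical, showing what the Spawnto setting would produce, and the PID 5555 event is a constructed benign control.

```python
"""Process-tree and image-load checks for the sideload -> esentutl.exe chain above.

Added example for this page, not ANY.RUN's code. SAMPLE_EVENTS are constructed
Sysmon-like records built from the report's process table; the chkdsk.exe
event (PID 4444) is hypothetical and the cmd.exe-launched esentutl (PID 5555)
is a benign control. Field names follow Sysmon; adapt them to your sensor.
"""
import ntpath

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WINDOWS_DIR = "c:\\windows\\"   # crude "trusted parent" allowlist; tune per estate


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def check_process_create(ev: dict) -> list:
    """Rules for one process-creation event; returns the rule names it trips."""
    hits = []
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    argv = ev.get("CommandLine", "").split()
    if _base(image) == "esentutl.exe":
        # esentutl.exe is a command-line ESE tool; a parent outside C:\Windows
        # (here: an editor running from the Desktop) is not how it gets used.
        if not parent.startswith(WINDOWS_DIR):
            hits.append("esentutl-unusual-parent")
        # A real invocation carries a mode switch such as /p, /r or /y; PID 2172
        # in the report was started with nothing but the image name.
        if len(argv) <= 1:
            hits.append("esentutl-no-args")
    if _base(parent) == "esentutl.exe":
        # esentutl.exe does not launch other programs; a child here is the
        # beacon's spawnto target (chkdsk.exe in this config) for a post-ex job.
        hits.append("esentutl-spawned-child")
    return hits


def check_image_load(ev: dict) -> list:
    """Rules for one image-load event."""
    hits = []
    image, loaded = ev["Image"].lower(), ev["ImageLoaded"].lower()
    if (image.startswith(USER_WRITABLE) and loaded.endswith(".dll")
            and _dir(loaded) == _dir(image)):
        # Search-order sideload candidate: an EXE in a user-writable directory
        # resolving a DLL from its own directory. Triage signal only; confirm
        # by comparing the signers of the EXE and the DLL.
        hits.append("sideload-candidate")
    if _base(image) == "esentutl.exe" and _base(loaded) == "wininet.dll":
        # An offline database utility has no reason to pull in WinInet.
        hits.append("esentutl-loads-wininet")
    return hits


def evaluate(events: list) -> set:
    """Run every event through the matching rule set; returns {(pid, rule), ...}."""
    out = set()
    for ev in events:
        if ev["EventID"] == 1:
            rules = check_process_create(ev)
        elif ev["EventID"] == 7:
            rules = check_image_load(ev)
        else:
            rules = []
        out.update((ev["ProcessId"], r) for r in rules)
    return out


# Constructed events mirroring the report's process table, plus two extras.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1624, "ParentProcessId": 1376,
     "Image": r"C:\Users\admin\Desktop\VsTelemetry\safenotes.exe",
     "CommandLine": r'"C:\Users\admin\Desktop\VsTelemetry\safenotes.exe"',
     "ParentImage": r"C:\Windows\Explorer.EXE"},
    {"EventID": 7, "ProcessId": 1624,
     "Image": r"C:\Users\admin\Desktop\VsTelemetry\safenotes.exe",
     "ImageLoaded": r"C:\Users\admin\Desktop\VsTelemetry\roboform.dll"},
    {"EventID": 1, "ProcessId": 2172, "ParentProcessId": 1624,
     "Image": r"C:\Windows\system32\esentutl.exe", "CommandLine": "esentutl.exe",
     "ParentImage": r"C:\Users\admin\Desktop\VsTelemetry\safenotes.exe"},
    {"EventID": 7, "ProcessId": 2172,
     "Image": r"C:\Windows\system32\esentutl.exe",
     "ImageLoaded": r"C:\Windows\system32\wininet.dll"},
    # Hypothetical: Spawnto_x86 child for a post-ex job (not observed in the report).
    {"EventID": 1, "ProcessId": 4444, "ParentProcessId": 2172,
     "Image": r"C:\Windows\syswow64\chkdsk.exe", "CommandLine": "chkdsk.exe",
     "ParentImage": r"C:\Windows\system32\esentutl.exe"},
    # Benign control: an admin repairing a database from a shell.
    {"EventID": 1, "ProcessId": 5555, "ParentProcessId": 100,
     "Image": r"C:\Windows\system32\esentutl.exe",
     "CommandLine": r"esentutl.exe /p C:\db\edb.db",
     "ParentImage": r"C:\Windows\system32\cmd.exe"},
]
```

Calling `evaluate(SAMPLE_EVENTS)` flags PID 1624 as a sideload candidate, PID 2172 three times (unusual parent, no arguments, WinInet loaded) and the hypothetical chkdsk.exe child, while the cmd.exe-launched control trips nothing. The sideload rule is deliberately broad; on its own it also fires on portable applications, so in production it belongs behind a signer comparison or paired with the other rules, and the `WINDOWS_DIR` parent allowlist should be widened to whatever management software legitimately drives esentutl.exe in your environment.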
CobalStrike
(PID) Process(2172) esentutl.exe
C2 (1)weather.decsal.com/service/weather/overview
BeaconTypeHTTPS
Port443
SleepTime63000
MaxGetSize1398439
Jitter30
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw 8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T YcM69oWvdzq7NcSWowIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\chkdsk.exe
Spawnto_x64%windir%\sysnative\chkdsk.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark426352781
bStageCleanupTrue
bCFGCautionFalse
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
HttpPostUri: /query/weather/location
Malleable_C2_Instructions: Remove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode
HttpGet_Metadata:
  ConstHeaders (7):
    Content-Type: text/html;charset=UTF-8
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Content-Encoding: gzip, deflate, br
    Access-Control-Allow-Credentials: true
    X-AS-SuppressSetCookie: 1
    Connection: close
  SessionId (2): base64url
    parameter: apikey
HttpPost_Metadata:
  ConstHeaders (3):
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Connection: close
  SessionId (2): base64url
    parameter: appid
  Output (4): base64
    prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc...
    append: "}}}}}
    print
bUsesCookies: 0000
Proxy_Behavior: Use IE settings
tcpFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate: 0-0-0
bProcInject_StartRWX: True
bProcInject_UseRWX: True
bProcInject_MinAllocSize: 0
ProcInject_PrependAppend_x86: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stub: a49f5445f01a9f3240eea9e46ee66c81
ProcInject_AllocationMethod: VirtualAllocEx
(PID) Process: (2172) esentutl.exe
BeaconType: HTTP
PID: 2696
CMD: "C:\Users\admin\Desktop\VsTelemetry\safenotes.exe"
Path: C:\Users\admin\Desktop\VsTelemetry\safenotes.exe
Parent process: Explorer.EXE
User: admin
Company: Siber Systems
Integrity Level: MEDIUM
Description: RoboForm Safenote Editor
Exit code: 0
Version: 6-9-3
Modules
Images
c:\users\admin\desktop\vstelemetry\safenotes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\users\admin\desktop\vstelemetry\roboform.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 2776
CMD: esentutl.exe
Path: C:\Windows\system32\esentutl.exe
Parent process: safenotes.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
CobaltStrike
(PID) Process: (2776) esentutl.exe
BeaconType: HTTP
(PID) Process: (2776) esentutl.exe
C2 (1): weather.decsal.com/service/weather/overview
BeaconType: HTTPS
Port: 443
SleepTime: 63000
MaxGetSize: 1398439
Jitter: 30
PublicKey:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY-----
DNS_strategy: round-robin
DNS_strategy_rotate_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_fail_seconds: -1
SpawnTo: 00000000000000000000000000000000
Spawnto_x86: %windir%\syswow64\chkdsk.exe
Spawnto_x64: %windir%\sysnative\chkdsk.exe
CryptoScheme: 0
HttpGet_Verb: GET
HttpPost_Verb: POST
HttpPostChunk: 0
Watermark: 426352781
bStageCleanup: True
bCFGCaution: False
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
HttpPostUri: /query/weather/location
Malleable_C2_Instructions: Remove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode
HttpGet_Metadata:
  ConstHeaders (7):
    Content-Type: text/html;charset=UTF-8
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Content-Encoding: gzip, deflate, br
    Access-Control-Allow-Credentials: true
    X-AS-SuppressSetCookie: 1
    Connection: close
  SessionId (2): base64url
    parameter: apikey
HttpPost_Metadata:
  ConstHeaders (3):
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Connection: close
  SessionId (2): base64url
    parameter: appid
  Output (4): base64
    prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc...
    append: "}}}}}
    print
bUsesCookies: 0000
Proxy_Behavior: Use IE settings
tcpFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate: 0-0-0
bProcInject_StartRWX: True
bProcInject_UseRWX: True
bProcInject_MinAllocSize: 0
ProcInject_PrependAppend_x86: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stub: a49f5445f01a9f3240eea9e46ee66c81
ProcInject_AllocationMethod: VirtualAllocEx
PID: 2940
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\VsTelemetry.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
PID: 2988
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 3072
CMD: esentutl.exe
Path: C:\Windows\system32\esentutl.exe
Parent process: safenotes.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
CobaltStrike
(PID) Process: (3072) esentutl.exe
C2 (1): weather.decsal.com/service/weather/overview
BeaconType: HTTPS
Port: 443
SleepTime: 63000
MaxGetSize: 1398439
Jitter: 30
PublicKey:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY-----
DNS_strategy: round-robin
DNS_strategy_rotate_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_fail_seconds: -1
SpawnTo: 00000000000000000000000000000000
Spawnto_x86: %windir%\syswow64\chkdsk.exe
Spawnto_x64: %windir%\sysnative\chkdsk.exe
CryptoScheme: 0
HttpGet_Verb: GET
HttpPost_Verb: POST
HttpPostChunk: 0
Watermark: 426352781
bStageCleanup: True
bCFGCaution: False
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
HttpPostUri: /query/weather/location
Malleable_C2_Instructions: Remove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode
HttpGet_Metadata:
  ConstHeaders (7):
    Content-Type: text/html;charset=UTF-8
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Content-Encoding: gzip, deflate, br
    Access-Control-Allow-Credentials: true
    X-AS-SuppressSetCookie: 1
    Connection: close
  SessionId (2): base64url
    parameter: apikey
HttpPost_Metadata:
  ConstHeaders (3):
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Connection: close
  SessionId (2): base64url
    parameter: appid
  Output (4): base64
    prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc...
    append: "}}}}}
    print
bUsesCookies: 0000
Proxy_Behavior: Use IE settings
tcpFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate: 0-0-0
bProcInject_StartRWX: True
bProcInject_UseRWX: True
bProcInject_MinAllocSize: 0
ProcInject_PrependAppend_x86: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stub: a49f5445f01a9f3240eea9e46ee66c81
ProcInject_AllocationMethod: VirtualAllocEx
PID: 3664
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\VsTelemetry\Default\Default.manifest.json"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: Explorer.EXE
User: admin
Company: Don HO don.h@free.fr
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 8 914
Read events: 8 529
Write events: 383
Delete events: 2

Modification events

(PID) Process: (2940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2940) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\VsTelemetry.7z

(PID) Process: (2940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 2
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID   Process     Filename                                                                                          Type
2940  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\Default\Default.manifest.json  text
      MD5:
      SHA256:
2940  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\freshmp3                       binary
      MD5:
      SHA256:
2940  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\roboform.dll                   executable
      MD5:
      SHA256:
2940  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\safenotes.exe                  executable
      MD5:
      SHA256:
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process       IP                   Domain              ASN                  CN  Reputation
2776  esentutl.exe  138.201.229.154:443  weather.decsal.com  Hetzner Online GmbH  DE  unknown
2172  esentutl.exe  138.201.229.154:443  weather.decsal.com  Hetzner Online GmbH  DE  unknown
3072  esentutl.exe  138.201.229.154:443  weather.decsal.com  Hetzner Online GmbH  DE  unknown

DNS requests

Domain              IP               Reputation
weather.decsal.com  138.201.229.154  unknown

Threats

No threats detected
Process        Message
notepad++.exe  VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe  VerifyLibrary: certificate revocation checking is disabled
notepad++.exe  ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe  VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe  VerifyLibrary: certificate revocation checking is disabled
notepad++.exe  ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe  VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe  VerifyLibrary: certificate revocation checking is disabled
notepad++.exe  ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe  VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe