File name: VsTelemetry.7z
Full analysis: https://app.any.run/tasks/d7cb433f-a5b2-469b-a2ef-69b26f0cc987
Verdict: Malicious activity
Analysis date: June 27, 2022, 13:05:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: cobalt
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 0EFCEAECE847C3CBD141293AC42A11C9
SHA1: 0DD818A2AC5F9FED7D12317BC57C0B91E664556F
SHA256: C4A4DC81ABC724D5A8C003746A095DB746CF3F83B64623144AAF2B20DAAF787F
SSDEEP: 6144:Xd5mlPjbXM3jxXIvtcBVMDbqpw8FtaYeu/wYX/+YfFlFZcyVdHEJ0eoHrBWHeW4V:tM4jx4vtcXaY/NlFZdVNEt26pzdo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after start

      • WinRAR.exe (PID: 2940)
    • Application was dropped or rewritten from another process

      • safenotes.exe (PID: 2696)
      • safenotes.exe (PID: 1624)
      • safenotes.exe (PID: 1980)
    • COBALT detected by memory dumps

      • esentutl.exe (PID: 2776)
      • esentutl.exe (PID: 2172)
      • esentutl.exe (PID: 3072)
    • Loads dropped or rewritten executable

      • safenotes.exe (PID: 2696)
      • safenotes.exe (PID: 1624)
      • Explorer.EXE (PID: 1376)
      • safenotes.exe (PID: 1980)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2940)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2940)
    • Checks supported languages

      • WinRAR.exe (PID: 2940)
      • safenotes.exe (PID: 2696)
      • safenotes.exe (PID: 1624)
      • notepad++.exe (PID: 3664)
      • safenotes.exe (PID: 1980)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2940)
  • INFO

    • Manual execution by user

      • safenotes.exe (PID: 2696)
      • safenotes.exe (PID: 1624)
      • notepad++.exe (PID: 3664)
      • taskmgr.exe (PID: 2988)
    • Checks supported languages

      • esentutl.exe (PID: 2776)
      • esentutl.exe (PID: 2172)
      • taskmgr.exe (PID: 2988)
      • esentutl.exe (PID: 3072)
    • Reads the computer name

      • esentutl.exe (PID: 2776)
      • esentutl.exe (PID: 2172)
      • taskmgr.exe (PID: 2988)
      • esentutl.exe (PID: 3072)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Cobalt Strike

Process: esentutl.exe (PID: 2776)
BeaconType: HTTP
ProcInject_AllocationMethod: VirtualAllocEx
ProcInject_Stub: a49f5445f01a9f3240eea9e46ee66c81
ProcInject_PrependAppend_x64: 00000000... (zero bytes, truncated in report)
ProcInject_PrependAppend_x86: 00000000... (zero bytes, truncated in report)
bProcInject_MinAllocSize: 0
bProcInject_UseRWX: True
bProcInject_StartRWX: True
KillDate: 0-0-0
smbFrameHeader: 00040000... (remainder zero bytes)
tcpFrameHeader: 00040000... (remainder zero bytes)
Proxy_Behavior: Use IE settings
bUsesCookies: 0000
HttpPost_Metadata:
  Output (4): base64
    prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... (truncated in report)
    append: "}}}}}
    print
  SessionId (2): base64url
    parameter: appid
  ConstHeaders (3):
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Connection: close
HttpGet_Metadata:
  SessionId (2): base64url
    parameter: apikey
  ConstHeaders (7):
    Content-Type: text/html;charset=UTF-8
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Content-Encoding: gzip, deflate, br
    Access-Control-Allow-Credentials: true
    X-AS-SuppressSetCookie: 1
    Connection: close
Malleable_C2_Instructions: Remove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode
HttpPostUri: /query/weather/location
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
bCFGCaution: False
bStageCleanup: True
Watermark: 426352781
HttpPostChunk: 0
HttpPost_Verb: POST
HttpGet_Verb: GET
CryptoScheme: 0
Spawnto_x64: %windir%\sysnative\chkdsk.exe
Spawnto_x86: %windir%\syswow64\chkdsk.exe
SpawnTo: 00000000000000000000000000000000
DNS_strategy_fail_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_rotate_seconds: -1
DNS_strategy: round-robin
PublicKey:
  -----BEGIN PUBLIC KEY-----
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
  wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
  8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
  YcM69oWvdzq7NcSWowIDAQAB
  -----END PUBLIC KEY-----
Jitter: 30
MaxGetSize: 1398439
SleepTime: 63000
Port: 443
BeaconType: HTTPS
C2 (1): weather.decsal.com/service/weather/overview

Process: esentutl.exe (PID: 2172)
Extracted configuration: identical to the block for PID 2776 above (same watermark 426352781, same C2 weather.decsal.com/service/weather/overview, same public key).

Process: esentutl.exe (PID: 3072)
BeaconType: HTTP
Extracted configuration: identical to the block for PID 2776 above (same watermark 426352781, same C2 weather.decsal.com/service/weather/overview, same public key).

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
All screenshots are available in the full report
Total processes: 49
Monitored processes: 10
Malicious processes: 8
Suspicious processes: 0

Behavior graph

start winrar.exe safenotes.exe no specs #COBALT esentutl.exe safenotes.exe no specs #COBALT esentutl.exe notepad++.exe taskmgr.exe no specs explorer.exe no specs safenotes.exe no specs #COBALT esentutl.exe

Process information

PID: 2940
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\VsTelemetry.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\windows\system32\ntdll.dll
  c:\program files\winrar\winrar.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shlwapi.dll

PID: 2696
CMD: "C:\Users\admin\Desktop\VsTelemetry\safenotes.exe"
Path: C:\Users\admin\Desktop\VsTelemetry\safenotes.exe
Parent process: Explorer.EXE
User: admin
Company: Siber Systems
Integrity Level: MEDIUM
Description: RoboForm Safenote Editor
Exit code: 0
Version: 6-9-3
Modules (images):
  c:\users\admin\desktop\vstelemetry\safenotes.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\users\admin\desktop\vstelemetry\roboform.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll

PID: 2776
CMD: esentutl.exe
Path: C:\Windows\system32\esentutl.exe
Parent process: safenotes.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\esentutl.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
CobalStrike
(PID) Process(2776) esentutl.exe
BeaconTypeHTTP
(PID) Process(2776) esentutl.exe
ProcInject_AllocationMethodVirtualAllocEx
ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
bProcInject_MinAllocSize0
bProcInject_UseRWXTrue
bProcInject_StartRWXTrue
KillDate0-0-0
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Proxy_Behavior: Use IE settings
bUsesCookies: 0000
HttpPost_Metadata:
  Output (4): base64
    prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc...
    append: "}}}}}
    print
  SessionId (2): base64url
    parameter: appid
  ConstHeaders (3):
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Connection: close
HttpGet_Metadata:
  SessionId (2): base64url
    parameter: apikey
  ConstHeaders (7):
    Content-Type: text/html;charset=UTF-8
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Content-Encoding: gzip, deflate, br
    Access-Control-Allow-Credentials: true
    X-AS-SuppressSetCookie: 1
    Connection: close
Malleable_C2_Instructions: Remove 1 byte at the end, remove 329 bytes from the beginning, Base64 decode
HttpPostUri: /query/weather/location
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
bCFGCaution: False
bStageCleanup: True
Watermark: 426352781
HttpPostChunk: 0
HttpPost_Verb: POST
HttpGet_Verb: GET
CryptoScheme: 0
Spawnto_x64: %windir%\sysnative\chkdsk.exe
Spawnto_x86: %windir%\syswow64\chkdsk.exe
SpawnTo: 00000000000000000000000000000000
DNS_strategy_fail_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_rotate_seconds: -1
DNS_strategy: round-robin
PublicKey:
  -----BEGIN PUBLIC KEY-----
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
  wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
  8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
  YcM69oWvdzq7NcSWowIDAQAB
  -----END PUBLIC KEY-----
Jitter: 30
MaxGetSize: 1398439
SleepTime: 63000
Port: 443
BeaconType: HTTPS
C2 (1): weather.decsal.com/service/weather/overview
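The HttpGet_Metadata, HttpPost_Metadata and Malleable_C2_Instructions fields above are the Malleable C2 transforms this beacon applies to its traffic: session metadata goes base64url-encoded into the apikey query parameter of a GET to /service/weather/overview; tasks come back wrapped in a 329-byte prefix and a 1-byte suffix around Base64; command output is base64-encoded, wrapped in a JSON-looking prefix and the suffix "}}}}}, and POSTed to /query/weather/location with the session id in appid. The Python below is an added example written for this page, not code from ANY.RUN or from the sample. It rebuilds those three exchanges from the config values shown, using constructed placeholder bytes, and models only the transform layer: a real beacon RSA-encrypts the metadata with the embedded PublicKey and AES-encrypts tasks and output before these steps, and the prepend string used here is a shortened stand-in for the one the page truncates. Padding handling for base64url is an assumption of the example.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constants copied from the beacon config on this page.
C2_HOST = "weather.decsal.com"
GET_URI = "/service/weather/overview"
POST_URI = "/query/weather/location"
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36")
GET_PARAM = "apikey"    # HttpGet_Metadata: SessionId -> base64url -> parameter "apikey"
POST_PARAM = "appid"    # HttpPost_Metadata: SessionId -> base64url -> parameter "appid"
POST_HEADERS = {        # HttpPost_Metadata ConstHeaders (3)
    "Cache-Control": "private, max-age=0",
    "Content-Type": "application/json; charset=utf-8",
    "Connection": "close",
}
# Malleable_C2_Instructions: remove 1 byte at the end, remove 329 bytes from the
# beginning, Base64 decode. The beacon applies them in exactly that order.
TASK_STRIP_END = 1
TASK_STRIP_START = 329
# HttpPost_Metadata output: base64 -> prepend JSON -> append '"}}}}}' -> print (body).
# The page truncates the real prepend string ("...idc..."); this shorter stand-in is
# constructed for the example and chosen so prepend + base64 + append is valid JSON.
POST_PREPEND = '{"data":{"userIdentify":{"identity":{"identify":{"idc":"'
POST_APPEND = '"}}}}}'


def b64url(data: bytes) -> str:
    # URL-safe Base64; keeping the padding is an assumption of this example.
    return base64.urlsafe_b64encode(data).decode("ascii")


def build_get_request(session_metadata: bytes) -> dict:
    """Check-in GET shaped as the beacon would send it (transform layer only)."""
    query = urlencode({GET_PARAM: b64url(session_metadata)})
    return {
        "method": "GET",
        "url": f"https://{C2_HOST}{GET_URI}?{query}",
        "headers": {"Host": C2_HOST, "User-Agent": USER_AGENT},
    }


def session_metadata_from_url(url: str) -> bytes:
    """Server-side (or PCAP-side) inverse of build_get_request."""
    qs = parse_qs(urlparse(url).query)
    return base64.urlsafe_b64decode(qs[GET_PARAM][0])


def wrap_task_response(task: bytes, prefix: bytes, suffix: bytes) -> bytes:
    """Mirror of the server output block implied by the instructions:
    base64, then prepend 329 bytes, then append 1 byte."""
    if len(prefix) != TASK_STRIP_START or len(suffix) != TASK_STRIP_END:
        raise ValueError("prefix/suffix lengths must match the config")
    return prefix + base64.b64encode(task) + suffix


def recover_task(body: bytes) -> bytes:
    """Apply Malleable_C2_Instructions to an http-get response as the beacon does."""
    if len(body) <= TASK_STRIP_START + TASK_STRIP_END:
        raise ValueError("response too short for this profile")
    body = body[:len(body) - TASK_STRIP_END]   # remove 1 byte at the end
    body = body[TASK_STRIP_START:]             # remove 329 bytes from the beginning
    return base64.b64decode(body, validate=True)


def build_post_request(session_id: bytes, output: bytes) -> dict:
    """Output POST shaped as the beacon would send it."""
    body = POST_PREPEND + base64.b64encode(output).decode("ascii") + POST_APPEND
    query = urlencode({POST_PARAM: b64url(session_id)})
    return {
        "method": "POST",
        "url": f"https://{C2_HOST}{POST_URI}?{query}",
        "headers": {"Host": C2_HOST, "User-Agent": USER_AGENT, **POST_HEADERS},
        "body": body,
    }


def extract_post_output(body: str) -> bytes:
    """Server-side inverse: strip the constant wrapper, then base64-decode."""
    if not (body.startswith(POST_PREPEND) and body.endswith(POST_APPEND)):
        raise ValueError("body does not match the profile wrapper")
    inner = body[len(POST_PREPEND):len(body) - len(POST_APPEND)]
    return base64.b64decode(inner, validate=True)


def post_body_is_json(body: str) -> bool:
    """The wrapper is meant to pass as an API call; check that it parses."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed placeholder payloads, not real beacon traffic.
    print(build_get_request(b"constructed-metadata")["url"])
    resp = wrap_task_response(b"constructed-task", b"A" * 329, b"\n")
    print(recover_task(resp))
    post = build_post_request(b"sid", b"constructed-output")
    print(post["body"], extract_post_output(post["body"]))
```

A decoder built this way is what you point at a PCAP of this beacon: take the apikey value from GETs to /service/weather/overview, and strip the 329-byte prefix and 1-byte suffix from each response before handing the decoded bytes to the AES layer. Because the prepend and the C2 path are fixed per profile, they are also usable as network signatures where TLS is terminated.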
PID:
1624
Command line:
"C:\Users\admin\Desktop\VsTelemetry\safenotes.exe"
Path:
C:\Users\admin\Desktop\VsTelemetry\safenotes.exe
Parent process:
Explorer.EXE
User:
admin
Company:
Siber Systems
Integrity Level:
MEDIUM
Description:
RoboForm Safenote Editor
Exit code:
0
Version:
6-9-3
Modules
Images
c:\users\admin\desktop\vstelemetry\safenotes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\vstelemetry\roboform.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sechost.dll
PID:
2172
Command line:
esentutl.exe
Path:
C:\Windows\system32\esentutl.exe
Parent process:
safenotes.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll
Cobalt Strike
(PID) Process: (2172) esentutl.exe
ProcInject_AllocationMethod: VirtualAllocEx
ProcInject_Stub: a49f5445f01a9f3240eea9e46ee66c81
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
bProcInject_MinAllocSize: 0
bProcInject_UseRWX: True
bProcInject_StartRWX: True
KillDate: 0-0-0
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Proxy_Behavior: Use IE settings
bUsesCookies: 0000
HttpPost_Metadata:
  Output (4): base64
    prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc...
    append: "}}}}}
    print
  SessionId (2): base64url
    parameter: appid
  ConstHeaders (3):
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Connection: close
HttpGet_Metadata:
  SessionId (2): base64url
    parameter: apikey
  ConstHeaders (7):
    Content-Type: text/html;charset=UTF-8
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Content-Encoding: gzip, deflate, br
    Access-Control-Allow-Credentials: true
    X-AS-SuppressSetCookie: 1
    Connection: close
Malleable_C2_Instructions: Remove 1 byte at the end, remove 329 bytes from the beginning, Base64 decode
HttpPostUri: /query/weather/location
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
bCFGCaution: False
bStageCleanup: True
Watermark: 426352781
HttpPostChunk: 0
HttpPost_Verb: POST
HttpGet_Verb: GET
CryptoScheme: 0
Spawnto_x64: %windir%\sysnative\chkdsk.exe
Spawnto_x86: %windir%\syswow64\chkdsk.exe
SpawnTo: 00000000000000000000000000000000
DNS_strategy_fail_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_rotate_seconds: -1
DNS_strategy: round-robin
PublicKey:
  -----BEGIN PUBLIC KEY-----
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
  wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
  8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
  YcM69oWvdzq7NcSWowIDAQAB
  -----END PUBLIC KEY-----
Jitter: 30
MaxGetSize: 1398439
SleepTime: 63000
Port: 443
BeaconType: HTTPS
C2 (1): weather.decsal.com/service/weather/overview
(PID) Process: (2172) esentutl.exe
BeaconType: HTTP
PID:
3664
Command line:
"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\VsTelemetry\Default\Default.manifest.json"
Path:
C:\Program Files\Notepad++\notepad++.exe
Parent process:
Explorer.EXE
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
2988
Command line:
"C:\Windows\system32\taskmgr.exe" /4
Path:
C:\Windows\system32\taskmgr.exe
Parent process:
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
1376
Command line:
C:\Windows\Explorer.EXE
Path:
C:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
1980
Command line:
"C:\Users\admin\Desktop\VsTelemetry\safenotes.exe"
Path:
C:\Users\admin\Desktop\VsTelemetry\safenotes.exe
Parent process:
Explorer.EXE
User:
admin
Company:
Siber Systems
Integrity Level:
MEDIUM
Description:
RoboForm Safenote Editor
Exit code:
0
Version:
6-9-3
Modules
Images
c:\users\admin\desktop\vstelemetry\safenotes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\vstelemetry\roboform.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID:
3072
Command line:
esentutl.exe
Path:
C:\Windows\system32\esentutl.exe
Parent process:
safenotes.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
Cobalt Strike
(PID) Process: (3072) esentutl.exe
ProcInject_AllocationMethod: VirtualAllocEx
ProcInject_Stub: a49f5445f01a9f3240eea9e46ee66c81
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
bProcInject_MinAllocSize: 0
bProcInject_UseRWX: True
bProcInject_StartRWX: True
KillDate: 0-0-0
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Proxy_Behavior: Use IE settings
bUsesCookies: 0000
HttpPost_Metadata:
  Output (4): base64
    prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc...
    append: "}}}}}
    print
  SessionId (2): base64url
    parameter: appid
  ConstHeaders (3):
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Connection: close
HttpGet_Metadata:
  SessionId (2): base64url
    parameter: apikey
  ConstHeaders (7):
    Content-Type: text/html;charset=UTF-8
    Cache-Control: private, max-age=0
    Content-Type: application/json; charset=utf-8
    Content-Encoding: gzip, deflate, br
    Access-Control-Allow-Credentials: true
    X-AS-SuppressSetCookie: 1
    Connection: close
Malleable_C2_Instructions: Remove 1 byte at the end, remove 329 bytes from the beginning, Base64 decode
HttpPostUri: /query/weather/location
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
bCFGCaution: False
bStageCleanup: True
Watermark: 426352781
HttpPostChunk: 0
HttpPost_Verb: POST
HttpGet_Verb: GET
CryptoScheme: 0
Spawnto_x64: %windir%\sysnative\chkdsk.exe
Spawnto_x86: %windir%\syswow64\chkdsk.exe
SpawnTo: 00000000000000000000000000000000
DNS_strategy_fail_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_rotate_seconds: -1
DNS_strategy: round-robin
PublicKey:
  -----BEGIN PUBLIC KEY-----
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
  wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
  8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
  YcM69oWvdzq7NcSWowIDAQAB
  -----END PUBLIC KEY-----
Jitter: 30
MaxGetSize: 1398439
SleepTime: 63000
Port: 443
BeaconType: HTTPS
C2 (1): weather.decsal.com/service/weather/overview
Total events
8 914
Read events
8 529
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\Default\Default.manifest.json
Type: text
MD5: 6B08BF9656F21A1B74B2237F3FBCBDB9
SHA256: 930D657EBB9B4D8D630C36F8FE29255F0EEF39669A1687B276BEFE060E3375F7

PID: 2940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\safenotes.exe
Type: executable
MD5: CF58DFD4F667C695E38440D88BAA6BDF
SHA256: F38F2AA81501CC8DA1C18EE8681CEEAF43883F56BB58C11CAB2F258B111214E6

PID: 2940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\roboform.dll
Type: executable
MD5: 73990A2552C6A2B56E8AEC2FE78F2A66
SHA256: 616A6EC793242BE50B2CB0A21BB6FE5D40134B5098BDC6B2D113C1C9A3199EFA

PID: 2940
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\freshmp3
Type: binary
MD5: F74122C82023591A7DFAC4446F321988
SHA256: B2C4B743CC4351F667638EE6024B29A04017BA42F90819861FAB541AFA8B98AE
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
1
Threats
0

HTTP requests

No HTTP requests

Connections

PID   Process       IP                   Domain              ASN                  CN  Reputation
2172  esentutl.exe  138.201.229.154:443  weather.decsal.com  Hetzner Online GmbH  DE  unknown
3072  esentutl.exe  138.201.229.154:443  weather.decsal.com  Hetzner Online GmbH  DE  unknown
2776  esentutl.exe  138.201.229.154:443  weather.decsal.com  Hetzner Online GmbH  DE  unknown

DNS requests

Domain              IP               Reputation
weather.decsal.com  138.201.229.154  unknown

Threats

No threats detected
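No IDS signature fired on the captured traffic, but the process tree and connection list above are enough for a behavioural detection: esentutl.exe launched by a desktop application (safenotes.exe), loading wininet.dll, and connecting out to 138.201.229.154:443. The Python below is an added example, not part of the ANY.RUN report, that runs that logic over constructed Sysmon-style events modelled on this report's process tree. PIDs, parents, the loaded module and the destination are copied from the page; the cmd.exe control event and the expected-parent list are assumptions made for the example. chkdsk.exe is watched alongside esentutl.exe because the config names it as the spawnto for post-exploitation jobs.

```python
from collections import defaultdict

# Constructed Sysmon-style events modelled on this report's process tree and
# connections. The final cmd.exe -> esentutl.exe event is an invented benign
# baseline, not something the report shows.
EVENTS = [
    {"kind": "process", "pid": 1624, "image": "safenotes.exe", "ppid": 1376, "parent": "Explorer.EXE"},
    {"kind": "process", "pid": 2172, "image": "esentutl.exe", "ppid": 1624, "parent": "safenotes.exe"},
    {"kind": "image_load", "pid": 2172, "image": "esentutl.exe", "module": "wininet.dll"},
    {"kind": "network", "pid": 2172, "image": "esentutl.exe", "dst": "138.201.229.154", "dport": 443},
    {"kind": "process", "pid": 1980, "image": "safenotes.exe", "ppid": 1376, "parent": "Explorer.EXE"},
    {"kind": "process", "pid": 3072, "image": "esentutl.exe", "ppid": 1980, "parent": "safenotes.exe"},
    {"kind": "network", "pid": 3072, "image": "esentutl.exe", "dst": "138.201.229.154", "dport": 443},
    {"kind": "process", "pid": 5000, "image": "esentutl.exe", "ppid": 4800, "parent": "cmd.exe"},
]

# Utilities this profile hides in: esentutl.exe hosts the injected beacon and
# chkdsk.exe is the configured spawnto (Spawnto_x64 / Spawnto_x86).
WATCHED_IMAGES = {"esentutl.exe", "chkdsk.exe"}
# Parents from which an administrator or the OS would normally start them
# (assumption for this example; tune to the environment).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "services.exe", "svchost.exe", "explorer.exe"}
# An ESE or disk utility has no reason to pull in an HTTP stack.
HTTP_MODULES = {"wininet.dll", "winhttp.dll"}


def detect(events):
    """Return (pid, reason) tuples; one pid may carry several reasons."""
    alerts = []
    for e in events:
        image = e["image"].lower()
        if image not in WATCHED_IMAGES:
            continue
        if e["kind"] == "process" and e["parent"].lower() not in EXPECTED_PARENTS:
            alerts.append((e["pid"], f"{e['image']} started by unexpected parent "
                                     f"{e['parent']} (pid {e['ppid']})"))
        elif e["kind"] == "image_load" and e["module"].lower() in HTTP_MODULES:
            alerts.append((e["pid"], f"{e['image']} loaded {e['module']}"))
        elif e["kind"] == "network":
            # Any outbound connection from these binaries is worth a ticket.
            alerts.append((e["pid"], f"{e['image']} connected to {e['dst']}:{e['dport']}"))
    return alerts


def suspicious_pids(events):
    """PIDs with at least one alert, strongest (most signals) first."""
    counts = defaultdict(int)
    for pid, _ in detect(events):
        counts[pid] += 1
    return sorted(counts, key=lambda p: (-counts[p], p))


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
    print("triage order:", suspicious_pids(EVENTS))
```

Each of the three rules fires on a different telemetry source (process creation, image load, network), so a single one surviving an evasion attempt still produces a lead; the same shape ports directly to a Sysmon or EDR query that joins on ProcessGuid.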
Process        Message
notepad++.exe  VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe  VerifyLibrary: certificate revocation checking is disabled
notepad++.exe  ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe  VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe  VerifyLibrary: certificate revocation checking is disabled
notepad++.exe  ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe  VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe  VerifyLibrary: certificate revocation checking is disabled
notepad++.exe  ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe  VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe