File name: | VsTelemetry.7z |
Full analysis: | https://app.any.run/tasks/d7cb433f-a5b2-469b-a2ef-69b26f0cc987 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 13:05:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-7z-compressed |
File info: | 7-zip archive data, version 0.4 |
MD5: | 0EFCEAECE847C3CBD141293AC42A11C9 |
SHA1: | 0DD818A2AC5F9FED7D12317BC57C0B91E664556F |
SHA256: | C4A4DC81ABC724D5A8C003746A095DB746CF3F83B64623144AAF2B20DAAF787F |
SSDEEP: | 6144:Xd5mlPjbXM3jxXIvtcBVMDbqpw8FtaYeu/wYX/+YfFlFZcyVdHEJ0eoHrBWHeW4V:tM4jx4vtcXaY/NlFZdVNEt26pzdo |
.7z | | | 7-Zip compressed archive (v0.4) (57.1) |
---|---|---|
.7z | | | 7-Zip compressed archive (gen) (42.8) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2940 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\VsTelemetry.7z" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
2696 | "C:\Users\admin\Desktop\VsTelemetry\safenotes.exe" | C:\Users\admin\Desktop\VsTelemetry\safenotes.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Siber Systems Integrity Level: MEDIUM Description: RoboForm Safenote Editor Exit code: 0 Version: 6-9-3 Modules
| |||||||||||||||
2776 | esentutl.exe | C:\Windows\system32\esentutl.exe | safenotes.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R) Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
CobalStrike(PID) Process(2776) esentutl.exe BeaconTypeHTTP (PID) Process(2776) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview (PID) Process(2776) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview | |||||||||||||||
1624 | "C:\Users\admin\Desktop\VsTelemetry\safenotes.exe" | C:\Users\admin\Desktop\VsTelemetry\safenotes.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Siber Systems Integrity Level: MEDIUM Description: RoboForm Safenote Editor Exit code: 0 Version: 6-9-3 Modules
| |||||||||||||||
2172 | esentutl.exe | C:\Windows\system32\esentutl.exe | safenotes.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R) Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
CobalStrike(PID) Process(2172) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview (PID) Process(2172) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview (PID) Process(2172) esentutl.exe BeaconTypeHTTP | |||||||||||||||
3664 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\VsTelemetry\Default\Default.manifest.json" | C:\Program Files\Notepad++\notepad++.exe | Explorer.EXE | ||||||||||||
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Version: 7.91 Modules
| |||||||||||||||
2988 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1376 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | — | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1980 | "C:\Users\admin\Desktop\VsTelemetry\safenotes.exe" | C:\Users\admin\Desktop\VsTelemetry\safenotes.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Siber Systems Integrity Level: MEDIUM Description: RoboForm Safenote Editor Exit code: 0 Version: 6-9-3 Modules
| |||||||||||||||
3072 | esentutl.exe | C:\Windows\system32\esentutl.exe | safenotes.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R) Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
CobalStrike(PID) Process(3072) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview (PID) Process(3072) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview (PID) Process(3072) esentutl.exe ProcInject_AllocationMethodVirtualAllocEx ProcInject_Stuba49f5445f01a9f3240eea9e46ee66c81 ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... bProcInject_MinAllocSize0 bProcInject_UseRWXTrue bProcInject_StartRWXTrue KillDate0-0-0 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Proxy_BehaviorUse IE settings bUsesCookies0000 HttpPost_Metadata Output (4)base64 prepend: {"data":{"geoip":{"geo":{"continent":"Europe","country":"Belgium","city":"Brussels","province":"","postal_code":null},"isp":{"isp":"Proximus Pickx","organization":"Proximus Pickx","autonomous_system_organization":"Proximus Pickx"},"ip_hash":null},"userIdentify":{"identity":{"identify":{"idc... append: "}}}}} print SessionId (2)base64url parameter: appid ConstHeaders (3)Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Connection: close HttpGet_Metadata SessionId (2)base64url parameter: apikey ConstHeaders (7)Content-Type: text/html;charset=UTF-8 Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8 Content-Encoding: gzip, deflate, br Access-Control-Allow-Credentials: true X-AS-SuppressSetCookie: 1 Connection: close Malleable_C2_InstructionsRemove 1 bytes at the end, Remove 329 bytes from the beginning, Base64 decode HttpPostUri/query/weather/location UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 bCFGCautionFalse bStageCleanupTrue Watermark426352781 HttpPostChunk0 HttpPost_VerbPOST HttpGet_VerbGET CryptoScheme0 Spawnto_x64%windir%\sysnative\chkdsk.exe Spawnto_x86%windir%\syswow64\chkdsk.exe SpawnTo00000000000000000000000000000000 DNS_strategy_fail_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_rotate_seconds-1 DNS_strategyround-robin PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeEefdtfw8mHFxKGPRAznFoiRj
wjokrmfJ1k43jfM1acX58Ct13CMHgM/zk5ow4154dcXo/ZH+h14d3onTCSGzBcLw
8XSbIFQkhGCkxSub4GQt8zYCZZZqSNa3TfIu4uhpdxTSkJiLCdk04ZZkO/ARr24T
YcM69oWvdzq7NcSWowIDAQAB
-----END PUBLIC KEY----- Jitter30 MaxGetSize1398439 SleepTime63000 Port443 BeaconTypeHTTPS C2 (1)weather.decsal.com/service/weather/overview |
PID | Process | Filename | Type | |
---|---|---|---|---|
2940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\Default\Default.manifest.json | text | |
MD5:6B08BF9656F21A1B74B2237F3FBCBDB9 | SHA256:930D657EBB9B4D8D630C36F8FE29255F0EEF39669A1687B276BEFE060E3375F7 | |||
2940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\safenotes.exe | executable | |
MD5:CF58DFD4F667C695E38440D88BAA6BDF | SHA256:F38F2AA81501CC8DA1C18EE8681CEEAF43883F56BB58C11CAB2F258B111214E6 | |||
2940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\roboform.dll | executable | |
MD5:73990A2552C6A2B56E8AEC2FE78F2A66 | SHA256:616A6EC793242BE50B2CB0A21BB6FE5D40134B5098BDC6B2D113C1C9A3199EFA | |||
2940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.32007\VsTelemetry\freshmp3 | binary | |
MD5:F74122C82023591A7DFAC4446F321988 | SHA256:B2C4B743CC4351F667638EE6024B29A04017BA42F90819861FAB541AFA8B98AE |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2172 | esentutl.exe | 138.201.229.154:443 | weather.decsal.com | Hetzner Online GmbH | DE | unknown |
3072 | esentutl.exe | 138.201.229.154:443 | weather.decsal.com | Hetzner Online GmbH | DE | unknown |
2776 | esentutl.exe | 138.201.229.154:443 | weather.decsal.com | Hetzner Online GmbH | DE | unknown |
Domain | IP | Reputation |
---|---|---|
weather.decsal.com |
| unknown |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|