Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 21:28
Behavioral task: behavioral1
Sample: 2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe
Resource: win7-20240708-en
General
Target: 2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe
Size: 5.2MB
MD5: e47bd7181d56e9ddd9767ec24280e17e
SHA1: 5f97b546c045ee0bc8bb200301dd3554e4ff9ece
SHA256: 10b8f937fa5a8a7330af46da1b66d2345971560741562184ac6f662defee5702
SHA512: 78c8ca91af266d7a2db9d4bc01553e505fee3a2d1fddc3e809e3fd0bf29572db6bff7844347b67bb49d7d460bfe36166726566cd358e5918db189be79a0089ef
SSDEEP: 49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibj56utgpPFotBER/mQ32lUP
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader (21 IoCs)
Detects the reflective loader used by Cobalt Strike.
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload (45 IoCs)
Executes dropped EXE (21 IoCs)
pid   Process
2812  QBgxgzv.exe
2344  hTXsLiz.exe
1720  qhjtcrc.exe
3268  AHjMpGW.exe
4588  AgNrxgb.exe
1976  BDUJXLJ.exe
1100  jhGcwBm.exe
4044  sVIAweI.exe
2544  JJFyCkg.exe
3088  rypzvGD.exe
1152  BRskxnO.exe
3952  rAHOZuW.exe
4908  xaYwFuV.exe
4812  zLftRCy.exe
1596  LkEmJpz.exe
2520  xuaspev.exe
3468  kCGitLH.exe
3724  AHmeCrg.exe
1984  RphQpQP.exe
1956  ZoMrxAT.exe
456   jintMzA.exe
Drops file in Windows directory (21 IoCs)
description: File created (all 21 entries); Process: 2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe (all 21 entries)
ioc:
C:\Windows\System\jhGcwBm.exe
C:\Windows\System\xaYwFuV.exe
C:\Windows\System\zLftRCy.exe
C:\Windows\System\LkEmJpz.exe
C:\Windows\System\jintMzA.exe
C:\Windows\System\hTXsLiz.exe
C:\Windows\System\AHjMpGW.exe
C:\Windows\System\AgNrxgb.exe
C:\Windows\System\sVIAweI.exe
C:\Windows\System\BRskxnO.exe
C:\Windows\System\rAHOZuW.exe
C:\Windows\System\AHmeCrg.exe
C:\Windows\System\ZoMrxAT.exe
C:\Windows\System\qhjtcrc.exe
C:\Windows\System\xuaspev.exe
C:\Windows\System\kCGitLH.exe
C:\Windows\System\QBgxgzv.exe
C:\Windows\System\JJFyCkg.exe
C:\Windows\System\rypzvGD.exe
C:\Windows\System\RphQpQP.exe
C:\Windows\System\BDUJXLJ.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                    pid   Process
Token: SeLockMemoryPrivilege   3732  2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege   3732  2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe
Suspicious use of WriteProcessMemory (42 IoCs)
All 42 entries have pid 3732 and Process 2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe; each target PID is recorded twice with the same procid_target.
description                         procid_target
PID 3732 wrote to memory of 2812    92
PID 3732 wrote to memory of 2344    93
PID 3732 wrote to memory of 1720    94
PID 3732 wrote to memory of 3268    95
PID 3732 wrote to memory of 4588    96
PID 3732 wrote to memory of 1976    97
PID 3732 wrote to memory of 1100    98
PID 3732 wrote to memory of 4044    99
PID 3732 wrote to memory of 2544    100
PID 3732 wrote to memory of 3088    102
PID 3732 wrote to memory of 1152    103
PID 3732 wrote to memory of 4908    104
PID 3732 wrote to memory of 3952    105
PID 3732 wrote to memory of 4812    106
PID 3732 wrote to memory of 1596    107
PID 3732 wrote to memory of 2520    108
PID 3732 wrote to memory of 3468    109
PID 3732 wrote to memory of 3724    110
PID 3732 wrote to memory of 1984    111
PID 3732 wrote to memory of 1956    112
PID 3732 wrote to memory of 456     113
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe  (PID 3732)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System\QBgxgzv.exe  (PID 2812) - Executes dropped EXE
  C:\Windows\System\hTXsLiz.exe  (PID 2344) - Executes dropped EXE
  C:\Windows\System\qhjtcrc.exe  (PID 1720) - Executes dropped EXE
  C:\Windows\System\AHjMpGW.exe  (PID 3268) - Executes dropped EXE
  C:\Windows\System\AgNrxgb.exe  (PID 4588) - Executes dropped EXE
  C:\Windows\System\BDUJXLJ.exe  (PID 1976) - Executes dropped EXE
  C:\Windows\System\jhGcwBm.exe  (PID 1100) - Executes dropped EXE
  C:\Windows\System\sVIAweI.exe  (PID 4044) - Executes dropped EXE
  C:\Windows\System\JJFyCkg.exe  (PID 2544) - Executes dropped EXE
  C:\Windows\System\rypzvGD.exe  (PID 3088) - Executes dropped EXE
  C:\Windows\System\BRskxnO.exe  (PID 1152) - Executes dropped EXE
  C:\Windows\System\xaYwFuV.exe  (PID 4908) - Executes dropped EXE
  C:\Windows\System\rAHOZuW.exe  (PID 3952) - Executes dropped EXE
  C:\Windows\System\zLftRCy.exe  (PID 4812) - Executes dropped EXE
  C:\Windows\System\LkEmJpz.exe  (PID 1596) - Executes dropped EXE
  C:\Windows\System\xuaspev.exe  (PID 2520) - Executes dropped EXE
  C:\Windows\System\kCGitLH.exe  (PID 3468) - Executes dropped EXE
  C:\Windows\System\AHmeCrg.exe  (PID 3724) - Executes dropped EXE
  C:\Windows\System\RphQpQP.exe  (PID 1984) - Executes dropped EXE
  C:\Windows\System\ZoMrxAT.exe  (PID 1956) - Executes dropped EXE
  C:\Windows\System\jintMzA.exe  (PID 456) - Executes dropped EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4084)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
Downloads